diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 12b0291fcbe..736496d73aa 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -80,6 +80,7 @@ module DomBasedXss {
 not exists(DataFlow::Node prefix, string strval |
 isPrefixOfJQueryHtmlString(this, prefix) and
 strval = prefix.getStringValue() and
+ not strval = "" and
 not strval.regexpMatch("\\s*<.*")
 ) and
 not DOM::locationRef().flowsTo(this)
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected
index c68210d126c..ca66c2abc38 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected
@@ -41,6 +41,11 @@ nodes
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
+| xss-through-dom.js:73:9:73:41 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
+| xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:77:7:77:14 | selector |
 edges
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
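Review bot: The added `not strval = "" and` closes the empty-prefix gap but leaves the whitespace-only prefix open: a prefix such as `" "` also fails `regexpMatch("\\s*<.*")`, so it still suppresses the sink even though that very regex accepts leading whitespace before `<`, meaning a blank prefix says nothing about whether the concatenated string is HTML. Replacing the new line with `not strval.regexpMatch("\\s*") and` covers the empty and the whitespace-only case in one condition, since `regexpMatch` requires a full-string match. The enclosing predicate begins before and ends after this hunk, so only the `exists` body is visible here. The test case added in xss-through-dom.js exercises only the `''` alternative; a whitespace-only alternative would pin the broader guard.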
@@ -56,6 +61,10 @@ edges
 | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") |
 | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 #select
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
@@ -71,3 +80,4 @@ edges | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text | | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:64:30:64:40 | valMethod() | DOM text | | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text | +| xss-through-dom.js:77:7:77:14 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:7:77:14 | selector | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js index f1964f49f55..c86c1788b12 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js @@ -69,4 +69,10 @@ } $.jGrowl($("input").get(0).name); // NOT OK. + + let selector = $("input").get(0).name; + if (something()) { + selector = $("textarea").val || '' + } + $(selector); // NOT OK })(); \ No newline at end of file
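Review bot: The new line `selector = $("textarea").val || ''` omits the terminating semicolon and reads `.val` as a property rather than calling `.val()`, unlike the `$("textarea").val()` access this same file is recorded with in the expected output; if leaving `.val` uncalled is deliberate so that the alternative is not itself a source and only the `''` prefix is under test, a short comment would keep a later maintainer from "fixing" it, e.g. `selector = $("textarea").val || ''; // not a source on purpose; exercises the '' prefix`. The marker comments are also inconsistent within the hunk, `// NOT OK.` on the jGrowl line versus `// NOT OK` on the new `$(selector)` line; pick one form. `something()` is not defined in the visible hunk, which is presumably acceptable for a static fixture, but the enclosing IIFE starts outside the hunk so I cannot see whether other branches in this file follow the same convention.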