diff --git a/javascript/change-notes/2021-01-08-js-incomplete-multi-character-sanitization.md b/javascript/change-notes/2021-01-08-js-incomplete-multi-character-sanitization.md
new file mode 100644
index 00000000000..653ba2a8994
--- /dev/null
+++ b/javascript/change-notes/2021-01-08-js-incomplete-multi-character-sanitization.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Incomplete multi-character sanitization" (`js/incomplete-multi-character-sanitization`) has been improved to produce additional true positives and fewer false positives.
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
index dbff9d98bc5..cef10d3cbe7 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
@@ -12,69 +12,153 @@
  */
 
 import javascript
-import semmle.javascript.security.IncompleteBlacklistSanitizer
 
-predicate isDangerous(RegExpTerm t) {
-  // path traversals
-  t.getAMatchedString() = ["..", "/..", "../"]
-  or
-  exists(RegExpTerm start |
-    start = t.(RegExpSequence).getAChild() and
-    start.getConstantValue() = "." and
-    start.getSuccessor().getConstantValue() = "." and
-    not [start.getPredecessor(), start.getSuccessor().getSuccessor()].getConstantValue() = "."
-  )
-  or
-  // HTML comments
-  t.getAMatchedString() = "<!--"
-  or
-  // HTML scripts
-  t.getAMatchedString().regexpMatch("(?i)<script.*")
-  or
-  exists(RegExpSequence seq | seq = t |
-    t.getChild(0).getConstantValue() = "<" and
-    // the `cript|scrip` case has been observed in the wild, not sure what the goal of that pattern is...
-    t.getChild(0)
-        .getSuccessor+()
-        .getAMatchedString()
-        .regexpMatch("(?i)iframe|script|cript|scrip|style")
-  )
-  or
-  // HTML attributes
-  exists(string dangerousPrefix | dangerousPrefix = ["ng-", "on"] |
-    t.getAMatchedString().regexpMatch("(i?)" + dangerousPrefix + "[a-z]+")
+/**
+ * A regexp term that matches substrings that should be replaced with the empty string.
+ */
+class EmptyReplaceRegExpTerm extends RegExpTerm {
+  EmptyReplaceRegExpTerm() {
+    exists(StringReplaceCall replace |
+      [replace.getRawReplacement(), replace.getCallback(1).getAReturn()].mayHaveStringValue("") and
+      this = replace.getRegExp().getRoot().getAChild*()
+    )
+  }
+}
+
+/**
+ * A prefix that may be dangerous to sanitize explicitly.
+ *
+ * Note that this class exists solely as a (necessary) optimization for this query.
+ */
+class DangerousPrefix extends string {
+  DangerousPrefix() {
+    this = ["/..", "../"] or
+    this = "<!--" or
+    this = "<" + ["iframe", "script", "cript", "scrip", "style"]
+  }
+}
+
+/**
+ * A substring of a prefix that may be dangerous to sanitize explicitly.
+ */
+class DangerousPrefixSubstring extends string {
+  DangerousPrefixSubstring() {
+    exists(DangerousPrefix s | this = s.substring([0 .. s.length()], [0 .. s.length()]))
+  }
+}
+
+/**
+ * Gets a dangerous prefix that is in the prefix language of `t`.
+ */
+DangerousPrefix getADangerousMatchedPrefix(EmptyReplaceRegExpTerm t) {
+  result = getADangerousMatchedPrefixSubstring(t) and
+  not exists(EmptyReplaceRegExpTerm pred | pred = t.getPredecessor+() and not pred.isNullable())
+}
+
+/**
+ * Gets a substring of a dangerous prefix that is in the language starting at `t` (ignoring lookarounds).
+ *
+ * Note that the language of `t` is slightly restricted as not all RegExpTerm types are supported.
+ */
+DangerousPrefixSubstring getADangerousMatchedPrefixSubstring(EmptyReplaceRegExpTerm t) {
+  exists(string left |
+    t.isNullable() and left = ""
     or
-    exists(RegExpTerm start, RegExpTerm event | start = t.getAChild() |
-      start.getConstantValue().regexpMatch("(?i)[^a-z]*" + dangerousPrefix) and
-      event = start.getSuccessor() and
-      exists(RegExpTerm quantified | quantified = event.(RegExpQuantifier).getChild(0) |
-        quantified
-            .(RegExpCharacterClass)
-            .getAChild()
-            .(RegExpCharacterRange)
-            .isRange(["a", "A"], ["z", "Z"]) or
-        [quantified, quantified.(RegExpRange).getAChild()].(RegExpCharacterClassEscape).getValue() =
-          "w"
-      )
+    t.getAMatchedString() = left
+    or
+    (
+      t instanceof RegExpOpt or
+      t instanceof RegExpStar or
+      t instanceof RegExpPlus or
+      t instanceof RegExpGroup or
+      t instanceof RegExpAlt
+    ) and
+    left = getADangerousMatchedPrefixSubstring(t.getAChild())
+  |
+    result = left + getADangerousMatchedPrefixSubstring(t.getSuccessor()) or
+    result = left
+  )
+}
+
+/**
+ * Holds if `t` may match the dangerous `prefix` and some suffix, indicating intent to prevent a vulnerablity of kind `kind`.
+ */
+predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
+  prefix = getADangerousMatchedPrefix(t) and
+  (
+    kind = "path injection" and
+    // upwards navigation
+    prefix = ["/..", "../"] and
+    not t.getSuccessor*().getAMatchedString().regexpMatch("(?i).*[a-z0-9_-]+.*") // explicit path name mentions make this an unlikely sanitizer
+    or
+    kind = "HTML element injection" and
+    (
+      // comments
+      prefix = "<!--" and
+      not t.getSuccessor*().getAMatchedString().regexpMatch("(?i).*[a-z0-9_]+.*") // explicit comment content mentions make this an unlikely sanitizer
+      or
+      // specific tags
+      prefix = "<" + ["iframe", "script", "cript", "scrip", "style"] // the `cript|scrip` case has been observed in the wild several times
+    )
+  )
+  or
+  kind = "HTML attribute injection" and
+  prefix =
+    [
+      // ordinary event handler prefix
+      "on",
+      // angular prefixes
+      "ng-", "ng:", "data-ng-", "x-ng-"
+    ] and
+  (
+    // explicit matching: `onclick` and `ng-bind`
+    t.getAMatchedString().regexpMatch("(?i)" + prefix + "[a-z]+")
+    or
+    // regexp-based matching: `on[a-z]+`
+    exists(EmptyReplaceRegExpTerm start | start = t.getAChild() |
+      start.getConstantValue().regexpMatch("(?i)[^a-z]*" + prefix) and
+      isCommonWordMatcher(start.getSuccessor())
     )
   )
 }
 
-from StringReplaceCall replace, RegExpTerm regexp, RegExpTerm dangerous
+/**
+ * Holds if `t` is a common pattern for matching words
+ */
+predicate isCommonWordMatcher(RegExpTerm t) {
+  exists(RegExpTerm quantified | quantified = t.(RegExpQuantifier).getChild(0) |
+    // [a-z]+ and similar
+    quantified
+        .(RegExpCharacterClass)
+        .getAChild()
+        .(RegExpCharacterRange)
+        .isRange(["a", "A"], ["z", "Z"])
+    or
+    // \w+ or [\w]+
+    [quantified, quantified.(RegExpCharacterClass).getAChild()]
+        .(RegExpCharacterClassEscape)
+        .getValue() = "w"
+  )
+}
+
+from
+  StringReplaceCall replace, EmptyReplaceRegExpTerm regexp, EmptyReplaceRegExpTerm dangerous,
+  string prefix, string kind
 where
-  [replace.getRawReplacement(), replace.getCallback(1).getAReturn()].mayHaveStringValue("") and
-  replace.isGlobal() and
   regexp = replace.getRegExp().getRoot() and
   dangerous.getRootTerm() = regexp and
-  isDangerous(dangerous) and
-  // avoid anchored terms
-  not exists(RegExpAnchor a | a.getRootTerm() = regexp) and
-  // avoid flagging wrappers
-  not (
-    dangerous instanceof RegExpAlt or
-    dangerous instanceof RegExpGroup
+  // only warn about the longest match (presumably the most descriptive)
+  prefix = max(string m | matchesDangerousPrefix(dangerous, m, kind) | m order by m.length()) and
+  // only warn once per kind
+  not exists(EmptyReplaceRegExpTerm other |
+    other = dangerous.getAChild+() or other = dangerous.getPredecessor+()
+  |
+    matchesDangerousPrefix(other, _, kind)
   ) and
   // don't flag replace operations in a loop
-  not replace.getReceiver().getALocalSource() = replace
-select replace, "The replaced string may still contain a substring that starts matching at $@.",
-  dangerous, dangerous.toString()
+  not replace.getAMethodCall*().flowsTo(replace.getReceiver()) and
+  // avoid anchored terms
+  not exists(RegExpAnchor a | regexp = a.getRootTerm())
+select replace,
+  "This string may still contain a substring that starts matching at $@, which may cause a " + kind +
+    " vulnerability.", dangerous, prefix
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
index 34e9a5ea94c..048109da744 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
@@ -1,33 +1,33 @@
-| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:3:30:3:49 | <.*cript.*\\/scrip.*> | <.*cript.*\\/scrip.*> |
-| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:4:30:4:40 |  on\\w+=".*" |  on\\w+=".*" |
-| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:5:30:5:42 |  on\\w+=\\'.*\\' |  on\\w+=\\'.*\\' |
-| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:9:30:9:39 | <.*cript.* | <.*cript.* |
-| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | .on\\w+=.*".*" |
-| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | .on\\w+=.*\\'.*\\' |
-| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
-| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
-| tst-multi-character-sanitization.js:38:8:38:30 | id.repl ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:38:20:38:23 | \\.\\. | \\.\\. |
-| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:48:21:48:31 | (\\/)?\\.\\.\\/ | (\\/)?\\.\\.\\/ |
-| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
-| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? |
-| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
-| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | \\sng-[a-z-]+ |
-| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
-| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:81:36:81:39 | only | only |
-| tst-multi-character-sanitization.js:82:7:82:50 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:82:18:82:30 | <script async | <script async |
-| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
-| tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:85:18:85:41 | \\x2E\\x2E\\x2F\\x2E\\x2E\\x2F | \\x2E\\x2E\\x2F\\x2E\\x2E\\x2F |
-| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
-| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n  }) | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
-| tst-multi-character-sanitization.js:100:7:100:28 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:100:18:100:21 | \\.\\. | \\.\\. |
-| tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:101:18:101:23 | \\.\\.\\/ | \\.\\.\\/ |
-| tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:102:18:102:23 | \\/\\.\\. | \\/\\.\\. |
-| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
-| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:106:18:106:56 | <(script\|del)(?=[\\s>])[\\w\\W]*?<\\/\\1\\s*> | <(script\|del)(?=[\\s>])[\\w\\W]*?<\\/\\1\\s*> |
-| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:107:18:107:55 | \\<script[\\s\\S]*?\\>[\\s\\S]*?\\<\\/script\\> | \\<script[\\s\\S]*?\\>[\\s\\S]*?\\<\\/script\\> |
-| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:108:18:108:67 | <(script\|style\|title)[^<]+<\\/(script\|style\|title)> | <(script\|style\|title)[^<]+<\\/(script\|style\|title)> |
-| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
-| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
-| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
-| tst-multi-character-sanitization.js:112:7:112:50 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:112:18:112:43 | require\\('\\.\\.\\/common'\\); | require\\('\\.\\.\\/common'\\); |
-| tst-multi-character-sanitization.js:113:7:113:41 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:113:18:113:34 | \\.\\.\\/\\.\\.\\/lib\\/ | \\.\\.\\/\\.\\.\\/lib\\/ |
+| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <cript |
+| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 |  on\\w+=".*" | on |
+| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 |  on\\w+=\\'.*\\' | on |
+| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <cript |
+| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
+| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
+| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
+| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain a substring that starts matching at $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:22:48:23 | \\/ | /.. |
+| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
+| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
+| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
+| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
+| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:85:18:85:21 | \\x2E | ../ |
+| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
+| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n  }) | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
+| tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:101:18:101:19 | \\. | ../ |
+| tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:102:18:102:19 | \\/ | /.. |
+| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
+| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
+| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
+| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
+| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
+| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
+| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:18:111:19 |  ? | <!-- |
+| tst-multi-character-sanitization.js:126:7:129:34 | x\\n    . ... //, "") | This string may still contain a substring that starts matching at $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:129:15:129:20 | [^\\/]* | /.. |
+| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
+| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
+| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain a substring that starts matching at $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:19:138:20 | .* | <script |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
index 0400e392bfb..dfb7c493053 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
@@ -35,7 +35,7 @@
 
 // CVE-2019-10767
 (function(id) {
-  id = id.replace(/\.\./g, ""); // NOT OK
+  id = id.replace(/\.\./g, ""); // OK (can not contain '..' afterwards)
   return id;
 });
 (function(id) {
@@ -73,13 +73,13 @@
   x = x.replace(/<li><\/li>/gi, ""); // OK
 
   x = x.replace(/<!--(.*?)-->/gm, ""); // NOT OK
-  x = x.replace(/\sng-[a-z-]+/, ""); // OK (single ng-attribute, should be flagged by some other query!)
+  x = x.replace(/\sng-[a-z-]+/, ""); // NOT OK
   x = x.replace(/\sng-[a-z-]+/g, ""); // NOT OK (ng-attributes)
 
   x = x.replace(/(<!--\[CDATA\[|\]\]-->)/g, "\n"); // OK: not a sanitizer
 
-  x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // OK, but still flagged [INCONSISTENCY]
-  x = x.replace(/<script async.+?<\/script>/g, ""); // OK, but still flagged [INCONSISTENCY]
+  x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // OK [INCONSISTENCY]
+  x = x.replace(/<script async.+?<\/script>/g, ""); // OK
   x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // NOT OK
 
   x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // NOT OK (matches "../../")
@@ -97,7 +97,7 @@
 
   x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // NOT OK [INCONSISTENCY]
 
-  x = x.replace(/\.\./g, ""); // NOT OK
+  x = x.replace(/\.\./g, ""); // OK
   x = x.replace(/\.\.\//g, ""); // NOT OK
   x = x.replace(/\/\.\./g, ""); // NOT OK
 
@@ -109,8 +109,31 @@
   x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // NOT OK
   x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // NOT OK
   x = x.replace(/ ?<!-- ?/g, ""); // NOT OK
-  x = x.replace(/require\('\.\.\/common'\);/g, ""); // OK [INCONSISTENCY] permit alphanum-suffix after the dots?
-  x = x.replace(/\.\.\/\.\.\/lib\//g, ""); // OK [INCONSISTENCY] permit alphanum-suffix after the dots?
+  x = x.replace(/require\('\.\.\/common'\);/g, ""); // OK
+  x = x.replace(/\.\.\/\.\.\/lib\//g, ""); // OK
+
+  while (x.indexOf(".") !== -1) {
+    x = x
+      .replace(/^\.\//, "")
+      .replace(/\/\.\//, "/")
+      .replace(/[^\/]*\/\.\.\//, ""); // OK
+  }
+
+  x = x.replace(/([^.\s]+\.)+/, ""); // OK
+
+  x = x.replace(/<!\-\-DEVEL[\d\D]*?DEVEL\-\->/g, ""); // OK
+
+  x = x
+    .replace(/^\.\//, "")
+    .replace(/\/\.\//, "/")
+    .replace(/[^\/]*\/\.\.\//, ""); // NOT OK
 
   return x;
 });
+
+(function (content) {
+	content.replace(/<script.*\/script>/gi, ""); // NOT OK
+	content.replace(/<(script).*\/script>/gi, ""); // NOT OK
+	content.replace(/.+<(script).*\/script>/gi, ""); // OK
+	content.replace(/.*<(script).*\/script>/gi, ""); // NOT OK
+});