diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
index 85eda636b0e..ba2a4236c78 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -55,6 +55,18 @@ nodes
 | tst10.js:14:33:14:49 | document.location |
 | tst10.js:14:33:14:49 | document.location |
 | tst10.js:14:33:14:56 | documen ... .search |
+| tst12.js:3:9:3:50 | urlParts |
+| tst12.js:3:20:3:34 | window.location |
+| tst12.js:3:20:3:34 | window.location |
+| tst12.js:3:20:3:34 | window.location |
+| tst12.js:3:20:3:39 | window.location.hash |
+| tst12.js:3:20:3:50 | window. ... it('?') |
+| tst12.js:4:9:4:45 | loc |
+| tst12.js:4:15:4:22 | urlParts |
+| tst12.js:4:15:4:25 | urlParts[0] |
+| tst12.js:4:15:4:45 | urlPart ... s.value |
+| tst12.js:5:23:5:25 | loc |
+| tst12.js:5:23:5:25 | loc |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -120,6 +132,18 @@ edges
 | tst10.js:14:33:14:49 | document.location | tst10.js:14:33:14:56 | documen ... .search |
 | tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
 | tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
+| tst12.js:3:9:3:50 | urlParts | tst12.js:4:15:4:22 | urlParts |
+| tst12.js:3:20:3:34 | window.location | tst12.js:3:20:3:39 | window.location.hash |
+| tst12.js:3:20:3:34 | window.location | tst12.js:3:20:3:39 | window.location.hash |
+| tst12.js:3:20:3:34 | window.location | tst12.js:3:20:3:39 | window.location.hash |
+| tst12.js:3:20:3:39 | window.location.hash | tst12.js:3:20:3:50 | window. ... it('?') |
+| tst12.js:3:20:3:50 | window. ... it('?') | tst12.js:3:9:3:50 | urlParts |
+| tst12.js:4:9:4:45 | loc | tst12.js:5:23:5:25 | loc |
+| tst12.js:4:9:4:45 | loc | tst12.js:5:23:5:25 | loc |
+| tst12.js:4:15:4:22 | urlParts | tst12.js:4:15:4:25 | urlParts[0] |
+| tst12.js:4:15:4:25 | urlParts[0] | tst12.js:4:15:4:45 | urlPart ... s.value |
+| tst12.js:4:15:4:45 | urlPart ... s.value | tst12.js:4:9:4:45 | loc |
+| tst12.js:5:23:5:25 | loc | tst12.js:3:20:3:34 | window.location |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -142,5 +166,6 @@ edges
 | tst10.js:8:17:8:47 | '//' + ... .search | tst10.js:8:24:8:40 | document.location | tst10.js:8:17:8:47 | '//' + ... .search | Untrusted URL redirection due to $@. | tst10.js:8:24:8:40 | document.location | user-provided value |
 | tst10.js:11:17:11:50 | '//foo' ... .search | tst10.js:11:27:11:43 | document.location | tst10.js:11:17:11:50 | '//foo' ... .search | Untrusted URL redirection due to $@. | tst10.js:11:27:11:43 | document.location | user-provided value |
 | tst10.js:14:17:14:56 | 'https: ... .search | tst10.js:14:33:14:49 | document.location | tst10.js:14:17:14:56 | 'https: ... .search | Untrusted URL redirection due to $@. | tst10.js:14:33:14:49 | document.location | user-provided value |
+| tst12.js:5:23:5:25 | loc | tst12.js:3:20:3:34 | window.location | tst12.js:5:23:5:25 | loc | Untrusted URL redirection due to $@. | tst12.js:3:20:3:34 | window.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst12.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst12.js
new file mode 100644
index 00000000000..74b82808b34
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst12.js
@@ -0,0 +1,6 @@
+// NOT OK
+function foo() {
+ var urlParts = window.location.hash.split('?');
+ var loc = urlParts[0] + "?" + boxes.value;
+ window.location = loc
+}
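Review bot: The `// NOT OK` marker on the new tst12.js says only that an alert is expected, not which flow the test pins down; since this file exists to lock in the hash-split case (the .expected rows show the path window.location.hash → split('?') → urlParts[0] → loc → window.location), a one-line comment would stop a later edit from accidentally collapsing it into the existing document.location cases, e.g. `// NOT OK: fragment is untrusted and survives split('?')[0] into the redirect target`. `boxes` is never declared in the file, so the test reads as if it were a second source; if it is meant to stand in for a DOM input, saying so (`// boxes: stand-in for a DOM element; not the source under test`) makes the intent explicit. As a point of style, `window.location = loc` lacks the terminating semicolon that the two `var` lines carry.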