diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
index 3e4642411f0..bf79523f50f 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
@@ -4,6 +4,7 @@
 import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.security.SensitiveActions
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
@@ -62,3 +63,5 @@ class ProtectSanitizer extends Sanitizer {
 * An external location sink.
 */
 class ExternalSink extends Sink instanceof ExternalLocationSink { }
+
+private class ExternalSanitizer extends Sanitizer instanceof ExternalLocationSanitizer { }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
index 85782fe4936..b5b95902d8a 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
@@ -46,3 +46,5 @@ private class PrivateDataSource extends Source {
 }
 private class ExternalLocation extends Sink instanceof ExternalLocationSink { }
+
+private class ExternalSanitizer extends Sanitizer instanceof ExternalLocationSanitizer { }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
index 3bcfdde669a..4ee02416961 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
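Review bot: The added `private import semmle.code.csharp.dataflow.internal.ExternalFlow` in CleartextStorageQuery.qll does not appear to be used by anything this diff adds to that file. The new `ExternalSanitizer` class names only `Sanitizer` and `ExternalLocationSanitizer`, and the latter is declared in ExternalLocationSink.qll, which this file already imports. ExposureOfPrivateInformationQuery.qll receives the identical class without this import. Unless code outside the visible hunks needs it, drop the line so the query module does not depend on an `internal` library it never calls.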
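Review bot: `ExternalSanitizer` in CleartextStorageQuery.qll (and the identical class added at the end of ExposureOfPrivateInformationQuery.qll) has no QLDoc, although the neighbouring `ExternalSink` carries one and the new class changes which flows these queries report. A one-line comment would make it clear that alerts can now be suppressed by model data rather than by code in this file, for example `/** A barrier for this query, taken from Models as Data barrier definitions of kind "file-content-store". */`. An over-broad barrier definition would silently hide cleartext-storage and private-information findings, so the change should come with a query test that includes such a model; none is visible in this diff.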
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
@@ -126,3 +126,11 @@ class LocalFileOutputSink extends ExternalLocationSink {
 )
 }
 }
+
+/**
+ * A sanitizer for writing data to locations that are external to the
+ * application, defined through Models as Data.
+ */
+class ExternalLocationSanitizer extends DataFlow::Node {
+ ExternalLocationSanitizer() { barrierNode(this, "file-content-store") }
+}
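Review bot: The QLDoc on `ExternalLocationSanitizer` reads as though the node itself writes data, when the characteristic predicate shows it is a node at which flow is blocked via `barrierNode(this, "file-content-store")`. Wording such as `A data-flow node that acts as a barrier for flow to locations external to the application, defined through Models as Data.` states this directly. The kind is a bare string literal here; if the sink classes earlier in this file select their Models as Data nodes with the same kind (not visible in this hunk), a short comment noting that the two must stay in step would help when either is renamed. The class is also declared without `private`, so it becomes part of the library's public surface and its name and doc deserve that level of care.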