diff --git a/ql/src/semmle/go/security/UrlConcatenation.qll b/ql/src/semmle/go/security/UrlConcatenation.qll
index c0ff4ff960c..9415d4a8acf 100644
--- a/ql/src/semmle/go/security/UrlConcatenation.qll
+++ b/ql/src/semmle/go/security/UrlConcatenation.qll
@@ -55,6 +55,8 @@ private predicate concatenationHasHostnameSanitizingSubstring(StringOps::Concate
 exists(StringOps::ConcatenationLeaf lf | lf = cat.getALeaf() |
 lf.getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*")
 or
+ // this deals with cases such as `Sprintf("%s/%s", hostname, taint)`, which should be safe as
+ // long as `hostname` is not user-controlled
 lf.getStringValue() = "/" and exists(lf.getPreviousLeaf())
 or