diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
new file mode 100644
index 00000000000..292accde9d7
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
@@ -0,0 +1,4 @@
+export async function GET(req: Request) {
+ const url = req.url; // $ MISSING: Source
+ return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert
+}
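Review bot: The new test file pins a known false negative (`MISSING: Source` on `req.url`, `MISSING: Alert` on the `Response`), but nothing in it says why `GET` should be treated as a request handler or why the flow is expected to be reported. From the `app/blah/route.ts` path this looks like a Next.js App Router route handler, so a header comment would make the intent explicit, for example `// Next.js App Router route handler: req.url is client-controlled and is written to a text/html response, so this should be flagged once the handler is modelled.` It would also help to say next to the markers that `MISSING` is to be dropped when the source model lands, so the expectation is not mistaken for the desired end state. The test covers only the HTML case; whether a sibling case with a non-HTML `Content-Type` exists elsewhere in the directory is not visible from this hunk.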