From f52f5b63e67fce53c64fd9e3b25a588d197fbcb5 Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Wed, 26 Nov 2025 10:30:58 +0100
Subject: [PATCH] JS: Add test with route.ts outside 'api'

---
 .../Security/CWE-079/ReflectedXss/app/blah/route.ts           | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts

diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
new file mode 100644
index 00000000000..292accde9d7
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
@@ -0,0 +1,4 @@
+export async function GET(req: Request) {
+    const url = req.url; // $ MISSING: Source
+    return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert
+}