diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Controllers/TestController.cs b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Controllers/TestController.cs
new file mode 100644
index 000000000000..48d4b340fbf8
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Controllers/TestController.cs
@@ -0,0 +1,16 @@
+namespace test;
+
+using System.Net;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Razor;
+
+public class UserData
+{
+ public string Name { get; set; }
+}
+
+public class TestController : Controller {
+ public IActionResult Test(UserData tainted1) {
+ return View("Test", tainted1);
+ }
+}
\ No newline at end of file
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml
new file mode 100644
index 000000000000..3489539fe87c
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml
@@ -0,0 +1,8 @@
+@page
+
+@model UserData
+
+@if (Model != null)
+{
+

Hello "@Html.Raw(Model.Name)"

+}
\ No newline at end of file
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml
new file mode 100644
index 000000000000..f4d0ca8def7f
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml
@@ -0,0 +1,3 @@
+@using test
+
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected
new file mode 100644
index 000000000000..c5e1e6db6d6c
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected
@@ -0,0 +1 @@
+| Views/Test/Test.cshtml:7:27:7:36 | access to property Name | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | Views/Test/Test.cshtml:7:27:7:36 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | User-provided value |
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql
new file mode 100644
index 000000000000..762d792b92f7
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Cross-site scripting
+ * @description Writing user input directly to a web page
+ * allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id cs/web/xss
+ * @tags security
+ * external/cwe/cwe-079
+ * external/cwe/cwe-116
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.XSSQuery
+
+// import PathGraph // exclude query predicates with output dependant on the absolute filepath the tests are run in
+from XssNode source, XssNode sink, string message
+where xssFlow(source, sink, message)
+select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value"
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj
new file mode 100644
index 000000000000..e580f24c65d6
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj
@@ -0,0 +1,9 @@
+
+
+
+ net7.0
+ enable
+ enable
+
+
+
\ No newline at end of file
diff --git a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/test.py b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/test.py
new file mode 100644
index 000000000000..5fa07537d4ae
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/test.py
@@ -0,0 +1,6 @@
+import os
+from create_database_utils import *
+
+
+os.environ['CODEQL_EXTRACTOR_CSHARP_STANDALONE_EXTRACT_WEB_VIEWS'] = 'true'
+run_codeql_database_create(lang="csharp", extra_args=["--extractor-option=buildless=true", "--extractor-option=cil=false"])
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index fb9a0c6b13cc..37b493e001f6 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -15,6 +15,7 @@ private import semmle.code.csharp.controlflow.Guards
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
+private import semmle.code.csharp.frameworks.Razor
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.cil.Ssa::Ssa as CilSsa
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll
new file mode 100644
index 000000000000..6bfa927e7c0e
--- /dev/null
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll
@@ -0,0 +1,217 @@ +/** Provides definitions and flow steps related to Razor pages. */ + +private import csharp +private import codeql.util.Unit +private import codeql.util.FilePath +private import semmle.code.csharp.frameworks.microsoft.AspNetCore + +/** A call to the `View` method */ +private class ViewCall extends MethodCall { + ViewCall() { + this.getTarget().hasFullyQualifiedName("Microsoft.AspNetCore.Mvc", "Controller", "View") + } + + /** Gets the `name` argument to this call, if any. */ + string getNameArgument() { + exists(StringLiteral lit | + this.getTarget().getParameter(0).getType() instanceof StringType and + DataFlow::localExprFlow(lit, this.getArgument(0)) and + result = lit.getValue() + ) + } + + /** Gets the `model` argument to this call, if any. */ + Expr getModelArgument() { + exists(int i | i in [0 .. 1] | + this.getTarget().getParameter(i).getType() instanceof ObjectType and + result = this.getArgument(i) + ) + } + + /** Gets the MVC action method that this call is made from, if any. */ + Method getActionMethod() { + result = this.getEnclosingCallable() and + result = this.getController().getAnActionMethod() + } + + /** + * Gets the action name that this call refers to, if any. + * This is either the name argument, or the name of the action method calling this if there is no name argument. + */ + string getActionName() { + result = this.getNameArgument() + or + not exists(this.getNameArgument()) and + result = this.getActionMethod().getName() + } + + /** Gets the MVC controller that this call is made from, if any. */ + MicrosoftAspNetCoreMvcController getController() { + result = this.getEnclosingCallable().getDeclaringType() + } + + /** Gets the name of the MVC controller that this call is made from, if any. */ + string getControllerName() { result + "Controller" = this.getController().getName() } + + /** Gets the name of the Area that the controller of this call belongs to, if any. 
*/ + string getAreaName() { + exists(Attribute attr | + attr = this.getController().getAnAttribute() and + attr.getType().hasFullyQualifiedName("Microsoft.AspNetCore.Mvc", "AreaAttribute") and + result = attr.getArgument(0).(StringLiteral).getValue() + ) + } + + /** `result` is `true` if this call is from a controller that is an Area, and `false` otherwise. */ + boolean hasArea() { if exists(this.getAreaName()) then result = true else result = false } +} + +/** A compiler-generated Razor page from a `.cshtml` file. */ +class RazorViewClass extends Class { + AssemblyAttribute attr; + + RazorViewClass() { + exists(Class baseClass | baseClass = this.getBaseClass().getUnboundDeclaration() | + baseClass.hasFullyQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorPage`1") + or + baseClass.hasFullyQualifiedName("Microsoft.AspNetCore.Mvc.RazorPages", "Page") + ) and + attr.getFile() = this.getFile() and + attr.getType() + .hasFullyQualifiedName("Microsoft.AspNetCore.Razor.Hosting", "RazorCompiledItemAttribute") + } + + /** + * Gets the filepath of the source file that this class was generated from. + * + * This is an absolute path if the database was extracted in standalone mode, + * and is relative to to application root (the directory containing the .csproj file) otherwise. + */ + string getSourceFilepath() { result = attr.getArgument(2).(StringLiteral).getValue() } +} + +/** + * Gets a possible prefix to be applied to view search paths to locate a Razor page. + * This may be empty (for the case that the generated Razor page files contain paths relative to the application root), + * or the absolute path of the directory containing the .csproj file (for the case that standalone extraction is used and the generated files contain absolute paths). 
+ */ +private string getARazorPathPrefix() { + result = "" + or + exists(File csproj | + csproj.getExtension() = "csproj" and + // possibly prepend '/' to match Windows absolute paths starting with `C:/` with paths appearing in the Razor file in standalone mode starting with `/C:/` + result = ["/", ""] + csproj.getParentContainer().getAbsolutePath() + ) +} + +private class ViewCallJumpNode extends DataFlow::NonLocalJumpNode { + RazorViewClass rp; + + ViewCallJumpNode() { + exists(ViewCall vc | + viewCallRefersToPage(vc, rp) and + this.asExpr() = vc.getModelArgument() + ) + } + + override DataFlow::Node getAJumpSuccessor(boolean preservesValue) { + preservesValue = true and + exists(PropertyAccess modelProp | + result.asExpr() = modelProp and + modelProp.getTarget().hasName("Model") and + modelProp.getEnclosingCallable().getDeclaringType() = rp + ) + } +} + +private predicate viewCallRefersToPage(ViewCall vc, RazorViewClass rp) { + viewCallRefersToPageAbsolute(vc, rp) or + viewCallRefersToPageRelative(vc, rp) +} + +bindingset[path] +private string stripTilde(string path) { result = path.regexpReplaceAll("^~/", "/") } + +private predicate viewCallRefersToPageAbsolute(ViewCall vc, RazorViewClass rp) { + getARazorPathPrefix() + ["/", ""] + stripTilde(vc.getNameArgument()) = rp.getSourceFilepath() +} + +private predicate viewCallRefersToPageRelative(ViewCall vc, RazorViewClass rp) { + rp = min(int i, RazorViewClass rp2 | matchesViewCallWithIndex(vc, rp2, i) | rp2 order by i) +} + +private predicate matchesViewCallWithIndex(ViewCall vc, RazorViewClass rp, int i) { + exists(RelativeViewCallFilepath fp | + fp.hasViewCallWithIndex(vc, i) and + getARazorPathPrefix() + fp.getNormalizedPath() = rp.getSourceFilepath() + ) +} + +/** Gets the `i`th template for view discovery. 
*/ +private string getViewSearchTemplate(int i, boolean isArea) { + i = 0 and result = "/Areas/{2}/Views/{1}/{0}.cshtml" and isArea = true + or + i = 1 and result = "/Areas/{2}/Views/Shared/{0}.cshtml" and isArea = true + or + i = 2 and result = "/Views/{1}/{0}.cshtml" and isArea = false + or + i = 3 and result = "/Views/Shared/{0}.cshtml" and isArea = [true, false] + or + i = 4 and result = "/Pages/Shared/{0}.cshtml" and isArea = true + or + i = 5 and result = getAViewSearchTemplateInCode(isArea) +} + +/** Gets an additional template used for view discovery defined in code. */ +private string getAViewSearchTemplateInCode(boolean isArea) { + exists(StringLiteral str, MethodCall addCall | + addCall.getTarget().hasName("Add") and + DataFlow::localExprFlow(str, addCall.getArgument(0)) and + addCall.getQualifier() = getAViewLocationList(isArea) and + result = str.getValue() + ) +} + +/** Gets a list expression containing view search locations */ +private Expr getAViewLocationList(boolean isArea) { + exists(string name | + result + .(PropertyRead) + .getProperty() + .hasFullyQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorViewEngineOptions", name) + | + name = "ViewLocationFormats" and isArea = false + or + name = "AreaViewLocationFormats" and isArea = true + // PageViewLocationFormats and AreaPageViewLocationFormats are used for calls within a page rather than a controller + ) +} + +/** A filepath that should be searched for a View call. 
*/ +private class RelativeViewCallFilepath extends NormalizableFilepath { + ViewCall vc_; + int idx_; + + RelativeViewCallFilepath() { + exists(string template, string sub2, string sub1, string sub0 | + template = getViewSearchTemplate(idx_, vc_.hasArea()) + | + ( + if template.matches("%{2}%") + then sub2 = template.replaceAll("{2}", vc_.getAreaName()) + else sub2 = template + ) and + ( + if template.matches("%{1}%") + then sub1 = sub2.replaceAll("{1}", vc_.getControllerName()) + else sub1 = sub2 + ) and + sub0 = sub1.replaceAll("{0}", vc_.getActionName()) and + this = stripTilde(sub0) + ) + } + + /** Holds if this string is the `idx`th path that will be searched for the `vc` call. */ + predicate hasViewCallWithIndex(ViewCall vc, int idx) { vc = vc_ and idx = idx_ } +} diff --git a/csharp/ql/src/change-notes/2023-10-24-xss-flow-steps.md b/csharp/ql/src/change-notes/2023-10-24-xss-flow-steps.md new file mode 100644 index 000000000000..19001e0df003 --- /dev/null +++ b/csharp/ql/src/change-notes/2023-10-24-xss-flow-steps.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`. \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Shared/Test18.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Shared/Test18.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Shared/Test18.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +
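Review bot: `ViewCall.getActionName()` falls back to the enclosing action method's name whenever `getNameArgument()` has no result, and that is also the case when a view name is passed but is not a string literal reachable by local flow, so such a call is matched to the action's default view and taint is routed into a page the call may never render. The fallback should apply only to overloads without a name parameter, for example `not this.getTarget().getParameter(0).getType() instanceof StringType and result = this.getActionMethod().getName()`. Separately, `getViewSearchTemplate` limits `/Pages/Shared/{0}.cshtml` to `isArea = true`; if the framework also adds that location to the non-area `ViewLocationFormats` (worth confirming against the ASP.NET Core defaults), non-area controllers rendering a view from `/Pages/Shared` would be missed. A one-line comment on that predicate naming the source of the default template list would make future updates easier to check.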

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Test4/Test17.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Test4/Test17.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Test4/Test17.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs new file mode 100644 index 000000000000..001c83b9f345 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs 
@@ -0,0 +1,155 @@ +namespace test; + +using System.Net; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.Razor; + +public class UserData +{ + public string Name { get; set; } +} + +public class TestController : Controller { + public IActionResult test1(UserData tainted1) { + // Expected to find file /Views/Test/Test1.cshtml + return View("Test1", tainted1); + } + + public IActionResult test2(UserData tainted2) { + // Expected to find file /Views/Shared/Test2.cshtml + return View("Test2", tainted2); + } + + public IActionResult test3(UserData tainted3) { + // Expected to find file /Views/Test/Test3.cshtml and NOT /Views/Shared/Test3.cshtml + return View("Test3", tainted3); + } + + public IActionResult test4(UserData tainted4) { + // Expected to find file /Views/Test/Test4.cshtml + return View("./Test4", tainted4); + } + + public IActionResult test5(UserData tainted5) { + // Expected to find file /Views/Other/Test5.cshtml + return View("../Other/Test5", tainted5); + } + + public IActionResult test6(UserData tainted6) { + // Expected to find file /Views/Other/Test6.cshtml + return View("../../Views/.////Shared/../Other//Test6", tainted6); + } + + public IActionResult Test7(UserData tainted7) { + // Expected to find file /Views/Test/Test7.cshtml + return View(tainted7); + } + + public IActionResult test8(UserData tainted8) { + // Expected to find file /Views/Other/Test8.cshtml + return View("/Views/Other/Test8.cshtml", tainted8); + } + + public IActionResult test9(UserData tainted9) { + // Expected to find file /Views/Test/Test9.cshtml + return View("~/Views/Other/Test9.cshtml", tainted9); + } +} + +public class Test2Controller : Controller { + public IActionResult test10(UserData tainted10) { + // Expected to find file /Views/Test2/Test10.cshtml + return View("Test10", tainted10); + } + + public IActionResult test11(UserData tainted11) { + // Expected to find file /Views/Test2/Test10.cshtml + return helper(tainted11); + } + + private IActionResult 
helper(UserData x) { return View("Test11", x); } + + public IActionResult Test12(UserData tainted12) { + // Expected to find nothing. + return helper2(tainted12); + } + + private IActionResult helper2(UserData x) { + return View(x); + } + + public IActionResult test13(UserData tainted13) { + // Expected to find file /Views/Other/Test13.cshtml. + return Helper.helper3(this, tainted13); + } + + public IActionResult test14(UserData tainted14) { + // Expected to find file /Views/Shared/Test14.cshtml and NOT /Views/Test2/Test14.cshtml + return Helper.helper4(this, tainted14); + } + +} + +class Helper { + public static IActionResult helper3(Controller c, UserData x) { return c.View("/Views/Other/Test13.cshtml", x); } + + public static IActionResult helper4(Controller c, UserData x) { return c.View("Test14", x); } +} + +public class Test3Controller : Controller { + public void Setup(RazorViewEngineOptions o) { + o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml"); + o.ViewLocationFormats.Add("~/Views/Custom2/{0}.cshtml"); + o.AreaViewLocationFormats.Add("/MyAreas/{2}/{1}/{0}.cshtml"); + } + + public IActionResult Test15(UserData tainted15) { + // Expected to find file /Views/Custom/Test3/Test15.cshtml + return View(tainted15); + } + + public IActionResult test16(UserData tainted16) { + // Expected to find file /Views/Custom2/Test16.cshtml + return View("Test16", tainted16); + } +} + +[Area("TestArea")] +public class Test4Controller : Controller { + public IActionResult test17(UserData tainted17) { + // Expected to find file /Areas/TestArea/Views/Test4/Test17.cshtml + return View("Test17", tainted17); + } + + public IActionResult test18(UserData tainted18) { + // Expected to find file /Areas/TestArea/Views/Shared/Test17.cshtml + return View("Test18", tainted18); + } + + public IActionResult test19(UserData tainted19) { + // Expected to find file /Views/Shared/Test19.cshtml + return View("Test19", tainted19); + } + + public IActionResult test20(UserData tainted20) { + 
// Expected to find nothing (and NOT /Views/Test4/Test20.cshtml). + return View("Test20", tainted20); + } + + public IActionResult test21(UserData tainted21) { + // Expected to find file /Pages/Shared/Test21.cshtml + return View("Test21", tainted21); + } + + public IActionResult test22(UserData tainted22) { + // Expected to find file /MyAreas/TestArea/Test4/Test22.cshtml + return View("Test22", tainted22); + } + + public IActionResult test23(string tainted23) { + // Expected to find file /Views/Shared/Test23.cshtml + UserData x = new UserData(); + x.Name = tainted23; + return View("Test23", x); + } +} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Shared_Test18.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Shared_Test18.cshtml.g.cs new file mode 100644 index 000000000000..eecb00361d68 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Shared_Test18.cshtml.g.cs 
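Review bot: Three of the `// Expected to find …` comments name a different file than the `View` call beneath them resolves to, which makes the fixture hard to check against the expected output: `test9` passes `~/Views/Other/Test9.cshtml` but the comment says `/Views/Test/Test9.cshtml`, `test11` reaches `View("Test11", x)` through `helper` but the comment says `Test10.cshtml`, and `test18` passes `"Test18"` but the comment says `Test17.cshtml`. Suggested replacements are `// Expected to find file /Views/Other/Test9.cshtml`, `// Expected to find file /Views/Test2/Test11.cshtml` and `// Expected to find file /Areas/TestArea/Views/Shared/Test18.cshtml`. In addition, `test22` expects `/MyAreas/TestArea/Test4/Test22.cshtml` (from the `/MyAreas/{2}/{1}/{0}.cshtml` format added in `Test3Controller.Setup`), while the generated fixture later in this commit registers `/MyAreas/Test4/Test22.cshtml`; unless that mismatch is intended, the custom area template is probably not exercised by this case.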
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Areas_TestArea_Views_Shared_Test18), @"mvc.1.0.view", @"/Areas/TestArea/Views/Shared/Test18.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Areas/TestArea/Views/Shared/Test18.cshtml")] + public class Areas_TestArea_Views_Shared_Test18 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Areas/TestArea/Views/Shared/Test18.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Areas/TestArea/Views/Shared/Test18.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Areas/TestArea/Views/Shared/Test18.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Test4_Test17.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Test4_Test17.cshtml.g.cs new file mode 100644 index 000000000000..ee7ee811920f --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Test4_Test17.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Areas_TestArea_Views_Test4_Test17), @"mvc.1.0.view", @"/Areas/TestArea/Views/Test4/Test17.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Areas/TestArea/Views/Test4/Test17.cshtml")] + public class Areas_TestArea_Views_Test4_Test17 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Areas/TestArea/Views/Test4/Test17.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Areas/TestArea/Views/Test4/Test17.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Areas/TestArea/Views/Test4/Test17.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/MyAreas_Test4_Test22.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/MyAreas_Test4_Test22.cshtml.g.cs new file mode 100644 index 000000000000..f8b2ecde53a4 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/MyAreas_Test4_Test22.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.MyAreas_Test4_Test22), @"mvc.1.0.view", @"/MyAreas/Test4/Test22.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/MyAreas/Test4/Test22.cshtml")] + public class MyAreas_Test4_Test22 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "MyAreas/Test4/Test22.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "MyAreas/Test4/Test22.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "MyAreas/Test4/Test22.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Pages_Shared_Test21.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Pages_Shared_Test21.cshtml.g.cs new file mode 100644 index 000000000000..483df5af705f --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Pages_Shared_Test21.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Pages_Shared_Test21), @"mvc.1.0.view", @"/Pages/Shared/Test21.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Pages/Shared/Test21.cshtml")] + public class Pages_Shared_Test21 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Pages/Shared/Test21.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Pages/Shared/Test21.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Pages/Shared/Test21.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Template.g b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Template.g new file mode 100644 index 000000000000..1f283c9e3a01 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Template.g 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.$PATHUNDER), @"mvc.1.0.view", @"/$PATHSLASH")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/$PATHSLASH")] + public class $PATHUNDER : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "$PATHSLASH" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "$PATHSLASH" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "$PATHSLASH" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom2_Test16.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom2_Test16.cshtml.g.cs new file mode 100644 index 000000000000..c6048503384b --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom2_Test16.cshtml.g.cs 
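Review bot: The header comment of Template.g does not explain the `$PATHUNDER` and `$PATHSLASH` placeholders, and the expanded copies in this diff (Views_Custom2_Test16.cshtml.g.cs and the others) carry the same header, so nothing tells a maintainer that they come from this template and should not be edited by hand. Judging from the expanded files, I would add `// $PATHUNDER: view path with '/' replaced by '_' and no extension; $PATHSLASH: view path including .cshtml. The *.cshtml.g.cs files in this directory are expanded from this template.` A second line, `// Write(Html.Raw(Model.Name)) is a deliberate unencoded HTML write: it is the sink the XSS query test is expected to report.`, would stop the fixture from being "fixed" or copied as a pattern. Both belong in the header, not beside the `Write` call, because a line added after `#line 8 "$PATHSLASH"` would presumably shift the mapped location the expected output refers to. The step that expands the template is not visible in this part of the diff; if it is checked in, the header should name it.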
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Custom2_Test16), @"mvc.1.0.view", @"/Views/Custom2/Test16.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Custom2/Test16.cshtml")] + public class Views_Custom2_Test16 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Custom2/Test16.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Custom2/Test16.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Custom2/Test16.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs new file mode 100644 index 000000000000..00edb1f4b8c9 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Custom_Test3_Test15), @"mvc.1.0.view", @"/Views/Custom/Test3/Test15.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Custom/Test3/Test15.cshtml")] + public class Views_Custom_Test3_Test15 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Custom/Test3/Test15.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Custom/Test3/Test15.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Custom/Test3/Test15.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test13.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test13.cshtml.g.cs new file mode 100644 index 000000000000..ad153243a9dc --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test13.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test13), @"mvc.1.0.view", @"/Views/Other/Test13.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test13.cshtml")] + public class Views_Other_Test13 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Other/Test13.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Other/Test13.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Other/Test13.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test5.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test5.cshtml.g.cs new file mode 100644 index 000000000000..8b6dcfa243bb --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test5.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test5), @"mvc.1.0.view", @"/Views/Other/Test5.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test5.cshtml")] + public class Views_Other_Test5 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Other/Test5.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Other/Test5.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Other/Test5.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test6.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test6.cshtml.g.cs new file mode 100644 index 000000000000..58aa308379b8 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test6.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test6), @"mvc.1.0.view", @"/Views/Other/Test6.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test6.cshtml")] + public class Views_Other_Test6 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Other/Test6.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Other/Test6.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Other/Test6.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test8.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test8.cshtml.g.cs new file mode 100644 index 000000000000..799e7a84768c --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test8.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test8), @"mvc.1.0.view", @"/Views/Other/Test8.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test8.cshtml")] + public class Views_Other_Test8 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Other/Test8.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Other/Test8.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Other/Test8.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test9.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test9.cshtml.g.cs new file mode 100644 index 000000000000..9c1199c2ee30 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test9.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test9), @"mvc.1.0.view", @"/Views/Other/Test9.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test9.cshtml")] + public class Views_Other_Test9 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Other/Test9.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Other/Test9.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Other/Test9.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test12.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test12.cshtml.g.cs new file mode 100644 index 000000000000..6292047ecec9 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test12.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test12), @"mvc.1.0.view", @"/Views/Shared/Test12.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test12.cshtml")] + public class Views_Shared_Test12 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test12.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test12.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test12.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test14.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test14.cshtml.g.cs new file mode 100644 index 000000000000..93cb009780fb --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test14.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test14), @"mvc.1.0.view", @"/Views/Shared/Test14.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test14.cshtml")] + public class Views_Shared_Test14 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test14.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test14.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test14.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test19.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test19.cshtml.g.cs new file mode 100644 index 000000000000..daacf56a1f1e --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test19.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test19), @"mvc.1.0.view", @"/Views/Shared/Test19.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test19.cshtml")] + public class Views_Shared_Test19 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test19.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test19.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test19.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test2.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test2.cshtml.g.cs new file mode 100644 index 000000000000..c20f1456c067 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test2.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test2), @"mvc.1.0.view", @"/Views/Shared/Test2.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test2.cshtml")] + public class Views_Shared_Test2 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test2.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test2.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test2.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test23.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test23.cshtml.g.cs new file mode 100644 index 000000000000..919c874680b8 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test23.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test23), @"mvc.1.0.view", @"/Views/Shared/Test23.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test23.cshtml")] + public class Views_Shared_Test23 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test23.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test23.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test23.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test3.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test3.cshtml.g.cs new file mode 100644 index 000000000000..7bd08d8665b3 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test3.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test3), @"mvc.1.0.view", @"/Views/Shared/Test3.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test3.cshtml")] + public class Views_Shared_Test3 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Shared/Test3.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Shared/Test3.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Shared/Test3.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test1.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test1.cshtml.g.cs new file mode 100644 index 000000000000..a4dec53b6324 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test1.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test1), @"mvc.1.0.view", @"/Views/Test2/Test1.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test1.cshtml")] + public class Views_Test2_Test1 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test1.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test1.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test1.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test10.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test10.cshtml.g.cs new file mode 100644 index 000000000000..33a4d27e254a --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test10.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test10), @"mvc.1.0.view", @"/Views/Test2/Test10.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test10.cshtml")] + public class Views_Test2_Test10 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test10.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test10.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test10.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test11.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test11.cshtml.g.cs new file mode 100644 index 000000000000..da0b0a9c1625 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test11.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test11), @"mvc.1.0.view", @"/Views/Test2/Test11.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test11.cshtml")] + public class Views_Test2_Test11 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test11.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test11.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test11.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test12.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test12.cshtml.g.cs new file mode 100644 index 000000000000..023daa7b03ea --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test12.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test12), @"mvc.1.0.view", @"/Views/Test2/Test12.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test12.cshtml")] + public class Views_Test2_Test12 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test12.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test12.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test12.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test14.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test14.cshtml.g.cs new file mode 100644 index 000000000000..28b0ab8ee3fd --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test14.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test14), @"mvc.1.0.view", @"/Views/Test2/Test14.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test14.cshtml")] + public class Views_Test2_Test14 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test14.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test14.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test14.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test2.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test2.cshtml.g.cs new file mode 100644 index 000000000000..53c7e6eed471 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test2.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test2), @"mvc.1.0.view", @"/Views/Test2/Test2.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test2.cshtml")] + public class Views_Test2_Test2 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test2.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test2.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test2.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test3.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test3.cshtml.g.cs new file mode 100644 index 000000000000..299f6f89a16d --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test2_Test3.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test2_Test3), @"mvc.1.0.view", @"/Views/Test2/Test3.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test2/Test3.cshtml")] + public class Views_Test2_Test3 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test2/Test3.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test2/Test3.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test2/Test3.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test4_Test20.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test4_Test20.cshtml.g.cs new file mode 100644 index 000000000000..814a81a5b5d0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test4_Test20.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test4_Test20), @"mvc.1.0.view", @"/Views/Test4/Test20.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test4/Test20.cshtml")] + public class Views_Test4_Test20 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test4/Test20.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test4/Test20.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test4/Test20.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test1.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test1.cshtml.g.cs new file mode 100644 index 000000000000..2ad66b7a0323 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test1.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test_Test1), @"mvc.1.0.view", @"/Views/Test/Test1.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test/Test1.cshtml")] + public class Views_Test_Test1 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test/Test1.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test/Test1.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test/Test1.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test3.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test3.cshtml.g.cs new file mode 100644 index 000000000000..95ef158286b2 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test3.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test_Test3), @"mvc.1.0.view", @"/Views/Test/Test3.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test/Test3.cshtml")] + public class Views_Test_Test3 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test/Test3.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test/Test3.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test/Test3.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test4.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test4.cshtml.g.cs new file mode 100644 index 000000000000..7a8cea221f71 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test4.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test_Test4), @"mvc.1.0.view", @"/Views/Test/Test4.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test/Test4.cshtml")] + public class Views_Test_Test4 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test/Test4.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test/Test4.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test/Test4.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test7.cshtml.g.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test7.cshtml.g.cs new file mode 100644 index 000000000000..1eef0024c7ad --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Test_Test7.cshtml.g.cs 
@@ -0,0 +1,74 @@ +// A test file that mimics the output of compiling a `.cshtml` file +// +#pragma warning disable 1591 +[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Test_Test7), @"mvc.1.0.view", @"/Views/Test/Test7.cshtml")] +namespace test.Views +{ + #line hidden + using System; + using System.Collections.Generic; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Mvc; + using Microsoft.AspNetCore.Mvc.Rendering; + using Microsoft.AspNetCore.Mvc.ViewFeatures; +#nullable restore +using test; + +#line default +#line hidden +#nullable disable + [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Test/Test7.cshtml")] + public class Views_Test_Test7 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage + { + #pragma warning disable 1998 + public async override global::System.Threading.Tasks.Task ExecuteAsync() + { +#line 6 "Views/Test/Test7.cshtml" + if (Model != null) +{ + +#line default +#line hidden +#nullable disable + WriteLiteral("

Hello \""); +#nullable restore +#line 8 "Views/Test/Test7.cshtml" +Write(Html.Raw(Model.Name)); + +#line default +#line hidden +#nullable disable + WriteLiteral("\"

\n"); +#nullable restore +#line 9 "Views/Test/Test7.cshtml" +} + +#line default +#line hidden +#nullable disable + } + #pragma warning restore 1998 + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!; + #nullable disable + #nullable restore + [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute] + public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper Html { get; private set; } = default!; + #nullable disable + } +} +#pragma warning restore 1591 diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/MyAreas/Test4/Test22.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/MyAreas/Test4/Test22.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/MyAreas/Test4/Test22.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Pages/Shared/Test21.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Pages/Shared/Test21.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Pages/Shared/Test21.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +
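Review bot: This view writes the model through `Html.Raw(Model.Name)`, as does every other view fixture visible in this part of the diff (they all carry blob id `74a8eab1c715`), so nothing shown here checks that the query stays silent when the same tainted model reaches an encoded sink. I would add one control view that renders the value with Razor's default encoding, `Hello "@Model.Name"`, returned from a tainted controller action and expected to produce no row in `XSS.expected`, so that the new view flow steps are shown not to over-report. If such a case exists in a part of the diff outside this view, this can be disregarded. Because the fixtures are byte-identical, it would also help to note somewhere in the test directory which view paths are expected to be reached and which are not.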

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom2/Test16.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom2/Test16.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom2/Test16.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test13.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test13.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test13.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test5.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test5.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test5.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test6.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test6.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test6.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test8.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test8.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test8.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test9.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test9.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Other/Test9.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test12.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test12.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test12.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test14.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test14.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test14.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test19.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test19.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test19.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test2.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test2.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test2.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test23.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test23.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test23.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test3.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test3.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Shared/Test3.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test1.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test1.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test1.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test3.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test3.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test3.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test4.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test4.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test4.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test7.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test7.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test/Test7.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test1.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test1.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test1.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test10.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test10.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test10.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test11.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test11.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test11.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test12.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test12.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test12.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test14.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test14.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test14.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test2.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test2.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test2.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test3.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test3.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test2/Test3.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test4/Test20.cshtml b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test4/Test20.cshtml new file mode 100644 index 000000000000..74a8eab1c715 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Test4/Test20.cshtml @@ -0,0 +1,9 @@ +@namespace test +@model UserData +@{ +} + +@if (Model != null) +{ +

Hello "@Html.Raw(Model.Name)"

+} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.expected new file mode 100644 index 000000000000..19413509bcb4 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.expected 
@@ -0,0 +1,180 @@ +edges +| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:20 | access to property Model : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | +| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:20 | access to property Model : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | +| Controllers/TestController.cs:13:41:13:48 | tainted1 : UserData | Controllers/TestController.cs:15:30:15:37 | access to parameter tainted1 : UserData | +| Controllers/TestController.cs:15:30:15:37 | access to parameter tainted1 : UserData | Views/Test/Test1.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:18:41:18:48 | tainted2 : UserData | Controllers/TestController.cs:20:30:20:37 | access to parameter tainted2 : UserData | +| Controllers/TestController.cs:20:30:20:37 | access to parameter tainted2 : UserData | Views/Shared/Test2.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:23:41:23:48 | tainted3 : UserData | Controllers/TestController.cs:25:30:25:37 | access to parameter tainted3 : UserData | +| Controllers/TestController.cs:25:30:25:37 | access to parameter tainted3 : UserData | Views/Test/Test3.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:28:41:28:48 | tainted4 : UserData | Controllers/TestController.cs:30:32:30:39 | access to parameter tainted4 : UserData | +| Controllers/TestController.cs:30:32:30:39 | access to parameter tainted4 : UserData | Views/Test/Test4.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:33:41:33:48 | tainted5 : UserData | Controllers/TestController.cs:35:39:35:46 | access to parameter tainted5 : UserData | +| Controllers/TestController.cs:35:39:35:46 | access to parameter tainted5 : UserData | Views/Other/Test5.cshtml:8:16:8:20 | access to property Model : UserData | +| 
Controllers/TestController.cs:38:41:38:48 | tainted6 : UserData | Controllers/TestController.cs:40:64:40:71 | access to parameter tainted6 : UserData | +| Controllers/TestController.cs:40:64:40:71 | access to parameter tainted6 : UserData | Views/Other/Test6.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:43:41:43:48 | tainted7 : UserData | Controllers/TestController.cs:45:21:45:28 | access to parameter tainted7 : UserData | +| Controllers/TestController.cs:45:21:45:28 | access to parameter tainted7 : UserData | Views/Test/Test7.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:48:41:48:48 | tainted8 : UserData | Controllers/TestController.cs:50:50:50:57 | access to parameter tainted8 : UserData | +| Controllers/TestController.cs:50:50:50:57 | access to parameter tainted8 : UserData | Views/Other/Test8.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:53:41:53:48 | tainted9 : UserData | Controllers/TestController.cs:55:51:55:58 | access to parameter tainted9 : UserData | +| Controllers/TestController.cs:55:51:55:58 | access to parameter tainted9 : UserData | Views/Other/Test9.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:60:42:60:50 | tainted10 : UserData | Controllers/TestController.cs:62:31:62:39 | access to parameter tainted10 : UserData | +| Controllers/TestController.cs:62:31:62:39 | access to parameter tainted10 : UserData | Views/Test2/Test10.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:65:42:65:50 | tainted11 : UserData | Controllers/TestController.cs:67:23:67:31 | access to parameter tainted11 : UserData | +| Controllers/TestController.cs:67:23:67:31 | access to parameter tainted11 : UserData | Controllers/TestController.cs:70:43:70:43 | x : UserData | +| Controllers/TestController.cs:70:43:70:43 | x : UserData | 
Controllers/TestController.cs:70:70:70:70 | access to parameter x : UserData | +| Controllers/TestController.cs:70:70:70:70 | access to parameter x : UserData | Views/Test2/Test11.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:81:42:81:50 | tainted13 : UserData | Controllers/TestController.cs:83:37:83:45 | access to parameter tainted13 : UserData | +| Controllers/TestController.cs:83:37:83:45 | access to parameter tainted13 : UserData | Controllers/TestController.cs:94:64:94:64 | x : UserData | +| Controllers/TestController.cs:86:42:86:50 | tainted14 : UserData | Controllers/TestController.cs:88:37:88:45 | access to parameter tainted14 : UserData | +| Controllers/TestController.cs:88:37:88:45 | access to parameter tainted14 : UserData | Controllers/TestController.cs:96:64:96:64 | x : UserData | +| Controllers/TestController.cs:94:64:94:64 | x : UserData | Controllers/TestController.cs:94:113:94:113 | access to parameter x : UserData | +| Controllers/TestController.cs:94:113:94:113 | access to parameter x : UserData | Views/Other/Test13.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:96:64:96:64 | x : UserData | Controllers/TestController.cs:96:93:96:93 | access to parameter x : UserData | +| Controllers/TestController.cs:96:93:96:93 | access to parameter x : UserData | Views/Shared/Test14.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData | +| Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | Controllers/TestController.cs:113:31:113:39 | access to parameter tainted16 : UserData | +| Controllers/TestController.cs:113:31:113:39 | 
access to parameter tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData | +| Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData | +| Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData | +| Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:139:42:139:50 | tainted21 : UserData | Controllers/TestController.cs:141:31:141:39 | access to parameter tainted21 : UserData | +| Controllers/TestController.cs:141:31:141:39 | access to parameter tainted21 : UserData | Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData | +| Controllers/TestController.cs:149:40:149:48 | tainted23 : String | Controllers/TestController.cs:152:18:152:26 | access to parameter tainted23 : String | +| Controllers/TestController.cs:152:9:152:9 | [post] access to local variable x : UserData [property Name] : String | Controllers/TestController.cs:153:31:153:31 | access to local variable x : UserData [property Name] : String | +| Controllers/TestController.cs:152:18:152:26 | access to parameter tainted23 : String | Controllers/TestController.cs:152:9:152:9 | [post] 
access to local variable x : UserData [property Name] : String | +| Controllers/TestController.cs:153:31:153:31 | access to local variable x : UserData [property Name] : String | Views/Shared/Test23.cshtml:8:16:8:20 | access to property Model : UserData [property Name] : String | +| Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData | Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | +| Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData | Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | +| Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | +| Views/Other/Test5.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | +| Views/Other/Test6.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | +| Views/Other/Test8.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | +| Views/Other/Test9.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test9.cshtml:8:16:8:25 | access to property Name | +| Views/Other/Test13.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | +| Views/Shared/Test2.cshtml:8:16:8:20 | access to property Model : UserData | Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | +| Views/Shared/Test14.cshtml:8:16:8:20 | access to property Model : UserData | Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | +| Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData | Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | +| Views/Shared/Test23.cshtml:8:16:8:20 | access to property Model : UserData [property Name] : String | 
Views/Shared/Test23.cshtml:8:16:8:25 | access to property Name | +| Views/Test2/Test10.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | +| Views/Test2/Test11.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | +| Views/Test/Test1.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | +| Views/Test/Test3.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | +| Views/Test/Test4.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | +| Views/Test/Test7.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test7.cshtml:8:16:8:25 | access to property Name | +nodes +| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Controllers/TestController.cs:13:41:13:48 | tainted1 : UserData | semmle.label | tainted1 : UserData | +| Controllers/TestController.cs:15:30:15:37 | access to parameter tainted1 : UserData | semmle.label | access to parameter tainted1 : UserData | +| Controllers/TestController.cs:18:41:18:48 | tainted2 : UserData | semmle.label | tainted2 : UserData | +| Controllers/TestController.cs:20:30:20:37 | access to parameter tainted2 : UserData | semmle.label | access to parameter tainted2 : UserData | +| 
Controllers/TestController.cs:23:41:23:48 | tainted3 : UserData | semmle.label | tainted3 : UserData | +| Controllers/TestController.cs:25:30:25:37 | access to parameter tainted3 : UserData | semmle.label | access to parameter tainted3 : UserData | +| Controllers/TestController.cs:28:41:28:48 | tainted4 : UserData | semmle.label | tainted4 : UserData | +| Controllers/TestController.cs:30:32:30:39 | access to parameter tainted4 : UserData | semmle.label | access to parameter tainted4 : UserData | +| Controllers/TestController.cs:33:41:33:48 | tainted5 : UserData | semmle.label | tainted5 : UserData | +| Controllers/TestController.cs:35:39:35:46 | access to parameter tainted5 : UserData | semmle.label | access to parameter tainted5 : UserData | +| Controllers/TestController.cs:38:41:38:48 | tainted6 : UserData | semmle.label | tainted6 : UserData | +| Controllers/TestController.cs:40:64:40:71 | access to parameter tainted6 : UserData | semmle.label | access to parameter tainted6 : UserData | +| Controllers/TestController.cs:43:41:43:48 | tainted7 : UserData | semmle.label | tainted7 : UserData | +| Controllers/TestController.cs:45:21:45:28 | access to parameter tainted7 : UserData | semmle.label | access to parameter tainted7 : UserData | +| Controllers/TestController.cs:48:41:48:48 | tainted8 : UserData | semmle.label | tainted8 : UserData | +| Controllers/TestController.cs:50:50:50:57 | access to parameter tainted8 : UserData | semmle.label | access to parameter tainted8 : UserData | +| Controllers/TestController.cs:53:41:53:48 | tainted9 : UserData | semmle.label | tainted9 : UserData | +| Controllers/TestController.cs:55:51:55:58 | access to parameter tainted9 : UserData | semmle.label | access to parameter tainted9 : UserData | +| Controllers/TestController.cs:60:42:60:50 | tainted10 : UserData | semmle.label | tainted10 : UserData | +| Controllers/TestController.cs:62:31:62:39 | access to parameter tainted10 : UserData | semmle.label | access to parameter 
tainted10 : UserData | +| Controllers/TestController.cs:65:42:65:50 | tainted11 : UserData | semmle.label | tainted11 : UserData | +| Controllers/TestController.cs:67:23:67:31 | access to parameter tainted11 : UserData | semmle.label | access to parameter tainted11 : UserData | +| Controllers/TestController.cs:70:43:70:43 | x : UserData | semmle.label | x : UserData | +| Controllers/TestController.cs:70:70:70:70 | access to parameter x : UserData | semmle.label | access to parameter x : UserData | +| Controllers/TestController.cs:81:42:81:50 | tainted13 : UserData | semmle.label | tainted13 : UserData | +| Controllers/TestController.cs:83:37:83:45 | access to parameter tainted13 : UserData | semmle.label | access to parameter tainted13 : UserData | +| Controllers/TestController.cs:86:42:86:50 | tainted14 : UserData | semmle.label | tainted14 : UserData | +| Controllers/TestController.cs:88:37:88:45 | access to parameter tainted14 : UserData | semmle.label | access to parameter tainted14 : UserData | +| Controllers/TestController.cs:94:64:94:64 | x : UserData | semmle.label | x : UserData | +| Controllers/TestController.cs:94:113:94:113 | access to parameter x : UserData | semmle.label | access to parameter x : UserData | +| Controllers/TestController.cs:96:64:96:64 | x : UserData | semmle.label | x : UserData | +| Controllers/TestController.cs:96:93:96:93 | access to parameter x : UserData | semmle.label | access to parameter x : UserData | +| Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | semmle.label | tainted15 : UserData | +| Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData | semmle.label | access to parameter tainted15 : UserData | +| Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | semmle.label | tainted16 : UserData | +| Controllers/TestController.cs:113:31:113:39 | access to parameter tainted16 : UserData | semmle.label | access to parameter tainted16 : UserData | +| 
Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | semmle.label | tainted17 : UserData | +| Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData | semmle.label | access to parameter tainted17 : UserData | +| Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | semmle.label | tainted18 : UserData | +| Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData | semmle.label | access to parameter tainted18 : UserData | +| Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | semmle.label | tainted19 : UserData | +| Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData | semmle.label | access to parameter tainted19 : UserData | +| Controllers/TestController.cs:139:42:139:50 | tainted21 : UserData | semmle.label | tainted21 : UserData | +| Controllers/TestController.cs:141:31:141:39 | access to parameter tainted21 : UserData | semmle.label | access to parameter tainted21 : UserData | +| Controllers/TestController.cs:149:40:149:48 | tainted23 : String | semmle.label | tainted23 : String | +| Controllers/TestController.cs:152:9:152:9 | [post] access to local variable x : UserData [property Name] : String | semmle.label | [post] access to local variable x : UserData [property Name] : String | +| Controllers/TestController.cs:152:18:152:26 | access to parameter tainted23 : String | semmle.label | access to parameter tainted23 : String | +| Controllers/TestController.cs:153:31:153:31 | access to local variable x : UserData [property Name] : String | semmle.label | access to local variable x : UserData [property Name] : String | +| Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model 
: UserData | semmle.label | access to property Model : UserData | +| Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Other/Test5.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Other/Test6.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Other/Test8.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Other/Test9.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Other/Test9.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Other/Test13.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Shared/Test2.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Shared/Test14.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| 
Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Shared/Test23.cshtml:8:16:8:20 | access to property Model : UserData [property Name] : String | semmle.label | access to property Model : UserData [property Name] : String | +| Views/Shared/Test23.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test2/Test10.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test2/Test11.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test/Test1.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test/Test3.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test/Test4.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name | +| Views/Test/Test7.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData | +| Views/Test/Test7.cshtml:8:16:8:25 | 
access to property Name | semmle.label | access to property Name | +subpaths +#select +| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | User-provided value | +| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | User-provided value | +| Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:139:42:139:50 | tainted21 : UserData | Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:139:42:139:50 | tainted21 : UserData | User-provided value | +| Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. 
| Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | User-provided value | +| Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | User-provided value | +| Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:33:41:33:48 | tainted5 : UserData | Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:33:41:33:48 | tainted5 : UserData | User-provided value | +| Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:38:41:38:48 | tainted6 : UserData | Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:38:41:38:48 | tainted6 : UserData | User-provided value | +| Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:48:41:48:48 | tainted8 : UserData | Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. 
| Controllers/TestController.cs:48:41:48:48 | tainted8 : UserData | User-provided value | +| Views/Other/Test9.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:53:41:53:48 | tainted9 : UserData | Views/Other/Test9.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:53:41:53:48 | tainted9 : UserData | User-provided value | +| Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:81:42:81:50 | tainted13 : UserData | Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:81:42:81:50 | tainted13 : UserData | User-provided value | +| Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:18:41:18:48 | tainted2 : UserData | Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:18:41:18:48 | tainted2 : UserData | User-provided value | +| Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:86:42:86:50 | tainted14 : UserData | Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. 
| Controllers/TestController.cs:86:42:86:50 | tainted14 : UserData | User-provided value | +| Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | User-provided value | +| Views/Shared/Test23.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:149:40:149:48 | tainted23 : String | Views/Shared/Test23.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:149:40:149:48 | tainted23 : String | User-provided value | +| Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:60:42:60:50 | tainted10 : UserData | Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:60:42:60:50 | tainted10 : UserData | User-provided value | +| Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:65:42:65:50 | tainted11 : UserData | Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. 
| Controllers/TestController.cs:65:42:65:50 | tainted11 : UserData | User-provided value | +| Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:13:41:13:48 | tainted1 : UserData | Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:13:41:13:48 | tainted1 : UserData | User-provided value | +| Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:23:41:23:48 | tainted3 : UserData | Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:23:41:23:48 | tainted3 : UserData | User-provided value | +| Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:28:41:28:48 | tainted4 : UserData | Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:28:41:28:48 | tainted4 : UserData | User-provided value | +| Views/Test/Test7.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:43:41:43:48 | tainted7 : UserData | Views/Test/Test7.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:43:41:43:48 | tainted7 : UserData | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref new file mode 100644 index 000000000000..faad1d6403c1 --- /dev/null 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref @@ -0,0 +1 @@ +Security Features/CWE-079/XSS.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/gen_files.py b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/gen_files.py new file mode 100644 index 000000000000..a01398e8201b --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/gen_files.py 
@@ -0,0 +1,70 @@
+# A script for generating code from .cshtml files, mimicking the output of the C# compiler with an option that is not available from the codeql test runner.
+
+import sys
+import os
+
+work_dir = os.path.abspath(os.path.dirname(sys.argv[0]))
+gen_dir = f"{work_dir}/Generated"
+with open(f"{gen_dir}/Template.g") as f:
+ template = f.read()
+
+verbose = False
+
+
+def process_file(path: str):
+ """
+ Generates the file from the .cshtml file at `path`.
+ `path` is a relative filepath from `work_dir`.
+ """
+ # The location of the .cshtml file is the only relevant part for these tests; its contents are assumed to be the same.
+ assert path.endswith(".cshtml")
+ path = path.lstrip("/")
+ path_under = path.replace("/", "_")[:-len(".cshtml")]
+
+ gen = template.replace("$PATHSLASH", path).replace("$PATHUNDER", path_under)
+
+ out_path = f"{gen_dir}/{path_under}.cshtml.g.cs"
+ with open(out_path, "w") as f:
+ f.write(gen)
+
+ if verbose:
+ print(out_path)
+
+
+def process_dir(path: str):
+ """
+ Generates all the .cshtml files in the directory `path`.
+ `path` is a relative filepath from `work_dir`.
+ """
+ abs_path = f"{work_dir}/{path}"
+ assert os.path.isdir(abs_path)
+
+ for sub in os.listdir(abs_path):
+ sub_abs = f"{abs_path}/{sub}"
+ sub_rel = f"{path}/{sub}"
+
+ if sub.endswith(".cshtml") and os.path.isfile(sub_abs):
+ process_file(sub_rel)
+ elif os.path.isdir(sub_abs) and ".testproj" not in sub_abs:
+ process_dir(sub_rel)
+
+
+def print_usage():
+ print("""Usage: python3 gen_files.py [-v] [--verbose] [-h] [--help]
+
+Generates files from .cshtml files found in the directory tree of this script's parent folder, mimicking the C# compiler.
+`.testproj` is ignored.
+
+-h, --help: Displays this message and exits.
+-v, --verbose: Prints the name of each file generated.""")
+
+
+if __name__ == "__main__":
+ if "-h" in sys.argv or "--help" in sys.argv:
+ print_usage()
+ exit()
+
+ if "-v" in sys.argv or "--verbose" in sys.argv:
+ verbose = True
+
+ process_dir("")
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/options b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/options
new file mode 100644
index 000000000000..9864339f5c95
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/options
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
\ No newline at end of file
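Review bot: In `process_dir` of gen_files.py, the `.testproj` filter tests `sub_abs`, which includes `work_dir`. If the checkout path itself contains `.testproj`, every subdirectory is skipped and the generated fixtures are silently left stale. Testing the entry name keeps the intent: `elif os.path.isdir(sub_abs) and ".testproj" not in sub:`. Separately, `Template.g` is opened at module level before the `-h` check, so `--help` raises if the template is missing. Moving the read into the `__main__` block after the argument handling would avoid that.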
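Review bot: The two `--load-sources-from-project` lines in the `options` file resolve their stub paths differently: the first is anchored at `${testdir}`, the second is a bare `../../../../resources/...` path that presumably depends on the extractor's working directory. If nothing requires the difference, anchoring the second one as well would make both stub projects load the same way: `--load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj`. This likely matters because the XSS expectations appear to depend on the ASP.NET Core stub types resolving, and an unresolved stub project could drop results rather than fail loudly.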