diff --git a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.qlref
index a61523e1767a..928dcc53ee81 100644
--- a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.qlref
@@ -1 +1,2 @@
-Security/CWE-643/XpathInjection.ql
+query: Security/CWE-643/XpathInjection.ql
+postprocess: testUtilities/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js
index 9c577d95146c..2c89e3953db8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js
@@ -3,10 +3,10 @@ const xpath = require('xpath');
 const app = express();
 app.get('/some/route', function(req, res) {
- let userName = req.param("userName");
+ let userName = req.param("userName"); // $ Source
 // BAD: Use user-provided data directly in an XPath expression
- let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
+ let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()"); // $ Alert
 badXPathExpr.select({ node: root });
diff --git a/javascript/ql/test/query-tests/Security/CWE-643/tst.js b/javascript/ql/test/query-tests/Security/CWE-643/tst.js
index 7922f72be288..7eadf08f4196 100644
--- a/javascript/ql/test/query-tests/Security/CWE-643/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-643/tst.js
@@ -3,10 +3,10 @@ const xpath = require('xpath');
 const app = express();
 app.get('/some/route', function(req, res) {
- let tainted = req.param("userName");
- xpath.parse(tainted); // NOT OK
- xpath.select(tainted); // NOT OK
- xpath.select1(tainted); // NOT OK
+ let tainted = req.param("userName"); // $ Source
+ xpath.parse(tainted); // $ Alert
+ xpath.select(tainted); // $ Alert
+ xpath.select1(tainted); // $ Alert
 let expr = xpath.useNamespaces(map);
- expr(tainted); // NOT OK
+ expr(tainted); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-643/tst2.js b/javascript/ql/test/query-tests/Security/CWE-643/tst2.js
index 92c6ff996c11..67ffa5e8493f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-643/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-643/tst2.js
@@ -1,3 +1,3 @@
-let query = document.location.hash.substring(1);
-document.createExpression(query); // NOT OK
-document.evaluate(query); // NOT OK
+let query = document.location.hash.substring(1); // $ Source
+document.createExpression(query); // $ Alert
+document.evaluate(query); // $ Alert
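Review bot: Every annotated line in this tst.js hunk is a positive case, so the migration to `// $ Source` / `// $ Alert` expectations only pins that the XPath-injection query fires on `xpath.parse`, `xpath.select`, `xpath.select1` and the `useNamespaces` callback, never that it stays silent on safe input; the tst2.js hunk below has the same gap. With the `postprocess: testUtilities/InlineExpectationsTestQuery.ql` harness added in the qlref hunk, a result on an unmarked line should fail the test, which makes a negative case cheap to add and is the only thing that would catch future over-reporting by the query. A single constant-expression call next to the tainted ones, e.g. `xpath.parse("//users/user[login/text()='admin']/home_dir/text()"); // constant expression, no alert expected`, would do; I cannot see from this diff whether a sibling file already covers the sanitized/constant case, so treat this as a check rather than a confirmed omission.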