github
diff --git a/‎change-notes/1.25/analysis-cpp.md
Lines changed: 1 addition & 1 deletion b/‎change-notes/1.25/analysis-cpp.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎change-notes/1.25/analysis-javascript.md
Lines changed: 4 additions & 3 deletions b/‎change-notes/1.25/analysis-javascript.md
Lines changed: 4 additions & 3 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/AutogeneratedFile.qll
Lines changed: 5 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/AutogeneratedFile.qll
Lines changed: 5 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Class.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Class.qll
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Comments.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Comments.qll
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Compilation.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Compilation.qll
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Declaration.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Declaration.qll
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Diagnostics.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Diagnostics.qll
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Element.qll
Lines changed: 11 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Element.qll
Lines changed: 11 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Enclosing.qll
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Enclosing.qll
Lines changed: 4 additions & 0 deletions
@@ -41,4 +41,4 @@ The following changes in version 1.25 affect C/C++ analysis in all applications.
   };
   ```
 * The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
-
+* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.
@@ -23,6 +23,9 @@
 
 * TypeScript 3.9 is now supported.
 
+* The analysis of sanitizers has improved, leading to more accurate
+  results from the security queries.
+
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
@@ -36,15 +39,13 @@
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Client-side cross-site scripting (`js/xss`) | Fewer results | This query no longer flags optionally sanitized values. |
-| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
 | Client-side cross-site scripting (`js/xss`) | Fewer results | This query now recognizes additional safe patterns of constructing HTML. |
+| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
 | Expression has no effect (`js/useless-expression`) | Fewer results | This query no longer flags an expression when that expression is the only content of the containing file. |
 | Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional url scheme checks. |
 | Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
-| Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes more coding patterns that are vulnerable to prototype pollution. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
 | Unknown directive (`js/unknown-directive`) | Fewer results | This query no longer flags directives generated by the Babel compiler. |
 
@@ -1,3 +1,8 @@
+/**
+ * Provides a class and predicate for recognizing files that are likely to have been generated
+ * automatically.
+ */
+
 import semmle.code.cpp.Comments
 import semmle.code.cpp.File
 import semmle.code.cpp.Preprocessor
 
@@ -1,3 +1,7 @@
+/**
+ * Provides classes representing C++ classes, including structs, unions, and template classes.
+ */
+
 import semmle.code.cpp.Type
 import semmle.code.cpp.UserType
 import semmle.code.cpp.metrics.MetricClass
 
@@ -1,3 +1,7 @@
+/**
+ * Provides classes representing C and C++ comments.
+ */
+
 import semmle.code.cpp.Location
 import semmle.code.cpp.Element
 
 
@@ -1,3 +1,7 @@
+/**
+ * Provides a class representing individual compiler invocations that occurred during the build.
+ */
+
 import semmle.code.cpp.File
 
 /*
 
@@ -1,3 +1,7 @@
+/**
+ * Provides classes for working with C and C++ declarations.
+ */
+
 import semmle.code.cpp.Element
 import semmle.code.cpp.Specifier
 import semmle.code.cpp.Namespace
 
@@ -1,3 +1,7 @@
+/**
+ * Provides classes representing warnings generated during compilation.
+ */
+
 import semmle.code.cpp.Location
 
 /** A compiler-generated error, warning or remark. */
 
@@ -1,3 +1,8 @@
+/**
+ * Provides the `Element` class, which is the base class for all classes representing C or C++
+ * program elements.
+ */
+
 import semmle.code.cpp.Location
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
@@ -261,8 +266,14 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
 class StaticAssert extends Locatable, @static_assert {
   override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }
 
+  /**
+   * Gets the expression which this static assertion ensures is true.
+   */
   Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _) }
 
+  /**
+   * Gets the message which will be reported by the compiler if this static assertion fails.
+   */
   string getMessage() { static_asserts(underlyingElement(this), _, result, _) }
 
   override Location getLocation() { static_asserts(underlyingElement(this), _, _, result) }
 
@@ -1,3 +1,7 @@
+/**
+ * Provides predicates for finding the smallest element that encloses an expression or statement.
+ */
+
 import cpp
 
 /**
-Original file line number
+Diff line change
@@ @@ -1,3 +1,7 @@ @@
 +/**
 + * Provides a class representing individual compiler invocations that occurred during the build.
 + */
++
 import semmle.code.cpp.File
 /*