diff --git a/javascript/ql/src/experimental/Security/CWE-94/examples/ServerSideTemplateInjectionSafe.js b/javascript/ql/src/experimental/Security/CWE-94/examples/ServerSideTemplateInjectionSafe.js
new file mode 100644
index 00000000000..8a173090cf1
--- /dev/null
+++ b/javascript/ql/src/experimental/Security/CWE-94/examples/ServerSideTemplateInjectionSafe.js
@@ -0,0 +1,39 @@
+const express = require('express')
+var bodyParser = require('body-parser');
+const app = express()
+app.use(bodyParser.urlencoded({ extended: true }));
+
+//Dependent of Templating engine
+var jade = require('pug');
+const port = 5061
+
+function getHTML(input) {
+ var template = `
+doctype
+html
+head
+ title= 'Hello world'
+body
+ form(action='/' method='post')
+ label(for='name') Name:
+ input#name.form-control(type='text', placeholder='' name='name')
+ button.btn.btn-primary(type='submit') Submit
+ p Hello #{username}`
+ var fn = jade.compile(template);
+ var html = fn({username: input});
+ console.log(html);
+ return html;
+}
+
+app.post('/', (request, response) => {
+ var input = request.param('name', "")
+ var html = getHTML(input)
+ response.send(html);
+})
+
+app.listen(port, (err) => {
+ if (err) {
+ return console.log('something bad happened', err)
+ }
+ console.log(`server is listening on ${port}`)
+})
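Review bot: The property that makes this the "safe" example is never stated in the file: `input` reaches pug only as a template local via `fn({username: input})` and is rendered through the `#{username}` interpolation (which pug HTML-escapes), never concatenated into the `template` string handed to `jade.compile`. A comment on the `var fn = jade.compile(template);` line such as `// Safe: user input is passed as data to the compiled template, never into the template source` would make the accepted pattern obvious to readers comparing it with the unsafe example. `request.param('name', "")` is deprecated in Express 4; `request.body.name ?? ""` reads the same urlencoded field given the body-parser middleware registered above. The `//Dependent of Templating engine` comment and the `jade` variable name for `require('pug')` are also worth tidying, and the whitespace-collapsed pug template only works if its original indentation is intact.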