Make suggestion to replace example.com more explicit.

2026-04-25 16:55:19 +02:00 · 2023-09-12 16:53:36 +01:00
parent 7ddb7da65e
commit a9e81672f0
3 changed files with 3 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
+++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
@@ -47,7 +47,7 @@ stays the same:

 <p>
 Note that as written, the above code will allow redirects to URLs on <code>example.com</code>,
-which is harmless but perhaps not intended. Substitute your own domain name for
+which is harmless but perhaps not intended. You can substitute your own domain (if known) for
 <code>example.com</code> to prevent this.
 </p>

--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
  try {
    return (
+      // TODO: consider substituting your own domain for example.com
      new URL(path, "https://example.com").origin === "https://example.com"
    );
  } catch (e) {
--- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
  try {
    return (
+      // TODO: consider substituting your own domain for example.com
      new URL(path, "https://example.com").origin === "https://example.com"
    );
  } catch (e) {