From a9e81672f039aead086bce412220d98727fb1adc Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Tue, 12 Sep 2023 16:53:36 +0100
Subject: [PATCH] Make suggestion to replace example.com more explicit.
---
 javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp | 2 +-
 .../src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js | 1 +
 .../CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
index 6c74b7b1a5da..9a4d7d1c0b7c 100644
--- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
+++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
@@ -47,7 +47,7 @@ stays the same:

 Note that as written, the above code will allow redirects to URLs on example.com,
-which is harmless but perhaps not intended. Substitute your own domain name for
+which is harmless but perhaps not intended. You can substitute your own domain (if known) for
 example.com to prevent this.

diff --git a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
index a36721a3717c..54ac26811b31 100644
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
 try {
 return (
+ // TODO: consider substituting your own domain for example.com
 new URL(path, "https://example.com").origin === "https://example.com"
 );
 } catch (e) {
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
index a36721a3717c..54ac26811b31 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
 try {
 return (
+ // TODO: consider substituting your own domain for example.com
 new URL(path, "https://example.com").origin === "https://example.com"
 );
 } catch (e) {
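Review bot: The TODO added in javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js sits above a line where example.com appears twice, as the base passed to `new URL` and as the origin it is compared against, and the comment does not say that both must change together. If only one of them is edited, every relative path resolves to an origin that no longer matches and is rejected, while absolute URLs to whichever host is left in the comparison still pass, which inverts what isLocalUrl is meant to check. Hoisting the value into one constant makes the substitution a single edit and keeps the two uses in sync: `const TRUSTED_ORIGIN = "https://example.com"; // TODO: substitute your own origin` above the function and `new URL(path, TRUSTED_ORIGIN).origin === TRUSTED_ORIGIN` in the return. The identical hunk in the test copy under javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js has the same issue. The catch block of isLocalUrl continues past the end of the hunk.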