doc: improve code snippet alternative of url.parse() using WHATWG URL

styfle · web-flow · commit 4560bc57f97b · 2025-10-10T21:34:53.000-04:00
The previous code snippet was not safe since a url may start with double slashes which would cause the hostname to be replaced.
diff --git a/doc/api/url.md b/doc/api/url.md
@@ -1853,7 +1853,7 @@ input. CVEs are not issued for `url.parse()` vulnerabilities. Use the
 function getURL(req) {
   const proto = req.headers['x-forwarded-proto'] || 'https';
   const host = req.headers['x-forwarded-host'] || req.headers.host || 'example.com';
-  return new URL(req.url || '/', `${proto}://${host}`);
+  return new URL(`${proto}://${host}${req.url || '/'}`);
 }
 ```
 
@@ -1863,7 +1863,7 @@ use the example below:
 
 ```js
 function getURL(req) {
-  return new URL(req.url || '/', 'https://example.com');
+  return new URL(`https://example.com${req.url || '/'}`);
 }
 ```
 

Original file line number	Diff line number	Diff line change
@@ -1853,7 +1853,7 @@ input. CVEs are not issued for `url.parse()` vulnerabilities. Use the
`1853`	`1853`	`function getURL(req) {`
`1854`	`1854`	`const proto = req.headers['x-forwarded-proto'] \|\| 'https';`
`1855`	`1855`	`const host = req.headers['x-forwarded-host'] \|\| req.headers.host \|\| 'example.com';`
`1856`		- return new URL(req.url \|\| '/', `${proto}://${host}`);
	`1856`	+ return new URL(`${proto}://${host}${req.url \|\| '/'}`);
`1857`	`1857`	`}`
`1858`	`1858`	```
`1859`	`1859`
`@@ -1863,7 +1863,7 @@ use the example below:`
`1863`	`1863`
`1864`	`1864`	```js
`1865`	`1865`	`function getURL(req) {`
`1866`		`- return new URL(req.url \|\| '/', 'https://example.com');`
	`1866`	+ return new URL(`https://example.com${req.url \|\| '/'}`);
`1867`	`1867`	`}`
`1868`	`1868`	```
`1869`	`1869`