Improve comments

Author: hansott

library/vulnerabilities/path-traversal/detectPathTraversal.ts

@@ -24,7 +24,7 @@ export function detectPathTraversal(
   // The normal check for relative path traversal will fail in this case, because transformed path does not contain ../.
   // Also /./ is checked by normal absolute path traversal check (if #219 is merged)
   // Use containsUnsafePathPartsUrl, because urls can contain a TAB, carriage return or line feed that is silently removed by the URL constructor.
-  // Use startsWithUnsafePathUrl, because URLs can contain backward slashes that are converted to forward slashes by the URL constructor.
+  // Use startsWithUnsafePathUrl, because URLs can contain backslashes that are converted to forward slashes by the URL constructor.
   if (isUrl) {
     const containsUnsafePath = containsUnsafePathPartsUrl(userInput);
     const startWithUnsafePath =
@@ -73,7 +73,7 @@ function parseAsFileUrl(path: string) {
   let url = path;
   if (!url.startsWith("file:")) {
     if (!url.startsWith("/") && !url.startsWith("\\")) {
-      url = `/${url}`;
+      url = `/${url}`; //                       ^^^^ URL constructor will convert backslashes to forward slashes
     }
     url = `file://${url}`;
   }

library/vulnerabilities/path-traversal/normalizeLikeURLConstructor.ts

@@ -5,7 +5,7 @@
  * - Remove all ASCII tab or newline from input.
  * - An ASCII tab or newline is U+0009 TAB, U+000A LF, or U+000D CR.
  *
- * Also, backward slashes are converted to forward slashes by the URL constructor.
+ * Also, backslashes are converted to forward slashes by the URL constructor.
  *
  * See https://url.spec.whatwg.org/#url-parsing
  */