Make suggestion to replace example.com more explicit.

Max Schaefer · Max Schaefer · commit a9e81672f039 · 2023-09-12T16:54:05.000+01:00
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
@@ -47,7 +47,7 @@ stays the same:
 
 <p>
 Note that as written, the above code will allow redirects to URLs on <code>example.com</code>,
-which is harmless but perhaps not intended. Substitute your own domain name for
+which is harmless but perhaps not intended. You can substitute your own domain (if known) for
 <code>example.com</code> to prevent this.
 </p>
 
diff --git a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
   try {
     return (
+      // TODO: consider substituting your own domain for example.com
       new URL(path, "https://example.com").origin === "https://example.com"
     );
   } catch (e) {
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
@@ -3,6 +3,7 @@ const app = require("express")();
 function isLocalUrl(path) {
   try {
     return (
+      // TODO: consider substituting your own domain for example.com
       new URL(path, "https://example.com").origin === "https://example.com"
     );
   } catch (e) {
