From 061d4860f7478f276d470ff1f54bc7da46deacf0 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 6 Jul 2020 12:59:12 -0700
Subject: [PATCH 1/3] doc: document security issues with url.parse()

Fixes: https://github.com/nodejs/node/issues/31279
---
 doc/api/url.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/api/url.md b/doc/api/url.md
index 7d493026fd46ea..c02b737a2b2c01 100644
--- a/doc/api/url.md
+++ b/doc/api/url.md
@@ -1262,6 +1262,12 @@ A `TypeError` is thrown if `urlString` is not a string.
 
 A `URIError` is thrown if the `auth` property is present but cannot be decoded.
 
+Use of the legacy `url.parse()` method is not recommended. All users should
+migrate to the WHATWG `URL` api. Because the `url.parse()` method uses a
+lenient, non-standards compliant algorithm for parsing URL strings, security
+issues can be introduced. Specifically, issues with [hostname spoofing][] and
+incorrect handling of user info (usernames and passwords) have been identified.
+
 ### `url.resolve(from, to)`
 <!-- YAML
 added: v0.1.25
@@ -1379,6 +1385,7 @@ console.log(myURL.origin);
 [WHATWG URL Standard]: https://url.spec.whatwg.org/
 [WHATWG URL]: #url_the_whatwg_url_api
 [examples of parsed URLs]: https://url.spec.whatwg.org/#example-url-parsing
+[hostname spoofing]: https://hackerone.com/reports/678487
 [legacy `urlObject`]: #url_legacy_urlobject
 [percent-encoded]: #whatwg-percent-encoding
 [stable sorting algorithm]: https://en.wikipedia.org/wiki/Sorting_algorithm#Stability

From b7eaab83f1ddd516da0324e47b165be2b2ed0bbe Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Tue, 7 Jul 2020 07:14:26 -0700
Subject: [PATCH 2/3] [Squash] suggestion

Co-authored-by: Ben Noordhuis <info@bnoordhuis.nl>
---
 doc/api/url.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/url.md b/doc/api/url.md
index c02b737a2b2c01..75ccb05fcf4a19 100644
--- a/doc/api/url.md
+++ b/doc/api/url.md
@@ -1264,7 +1264,7 @@ A `URIError` is thrown if the `auth` property is present but cannot be decoded.
 
 Use of the legacy `url.parse()` method is not recommended. All users should
 migrate to the WHATWG `URL` api. Because the `url.parse()` method uses a
-lenient, non-standards compliant algorithm for parsing URL strings, security
+lenient, non-standard algorithm for parsing URL strings, security
 issues can be introduced. Specifically, issues with [hostname spoofing][] and
 incorrect handling of user info (usernames and passwords) have been identified.
 

From 81a9ae6d093f44da4010734d5976ceadabb57ffe Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Thu, 9 Jul 2020 07:19:15 -0700
Subject: [PATCH 3/3] [squash] nits

Co-authored-by: Rich Trott <rtrott@gmail.com>
---
 doc/api/url.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/doc/api/url.md b/doc/api/url.md
index 75ccb05fcf4a19..2bc5ded862a68b 100644
--- a/doc/api/url.md
+++ b/doc/api/url.md
@@ -1262,11 +1262,11 @@ A `TypeError` is thrown if `urlString` is not a string.
 
 A `URIError` is thrown if the `auth` property is present but cannot be decoded.
 
-Use of the legacy `url.parse()` method is not recommended. All users should
-migrate to the WHATWG `URL` api. Because the `url.parse()` method uses a
+Use of the legacy `url.parse()` method is discouraged. Users should
+use the WHATWG `URL` API. Because the `url.parse()` method uses a
 lenient, non-standard algorithm for parsing URL strings, security
-issues can be introduced. Specifically, issues with [hostname spoofing][] and
-incorrect handling of user info (usernames and passwords) have been identified.
+issues can be introduced. Specifically, issues with [host name spoofing][] and
+incorrect handling of usernames and passwords have been identified.
 
 ### `url.resolve(from, to)`
 <!-- YAML
@@ -1385,7 +1385,7 @@ console.log(myURL.origin);
 [WHATWG URL Standard]: https://url.spec.whatwg.org/
 [WHATWG URL]: #url_the_whatwg_url_api
 [examples of parsed URLs]: https://url.spec.whatwg.org/#example-url-parsing
-[hostname spoofing]: https://hackerone.com/reports/678487
+[host name spoofing]: https://hackerone.com/reports/678487
 [legacy `urlObject`]: #url_legacy_urlobject
 [percent-encoded]: #whatwg-percent-encoding
 [stable sorting algorithm]: https://en.wikipedia.org/wiki/Sorting_algorithm#Stability