doc: correct unsafe URL example in http docs

The previous documentation example for converting request.url to an URL
object was unsafe, as it could allow a server crash through malformed
URL inputs and potentially enable host header attacks. This commit
revises the example to use string concatenation, mitigating both the
crash and security risks by ensuring the host part of the URL remains
controlled and predictable.

Fixes: nodejs#52494

doc/api/http.md

@@ -488,7 +488,7 @@ const proxy = createServer((req, res) => {
 });
 proxy.on('connect', (req, clientSocket, head) => {
   // Connect to an origin server
-  const { port, hostname } = new URL(`http://${req.url}`);
+  const { port, hostname } = new URL(`http://${req.headers.host}${req.url}`);
   const serverSocket = connect(port || 80, hostname, () => {
     clientSocket.write('HTTP/1.1 200 Connection Established\r\n' +
                     'Proxy-agent: Node.js-Proxy\r\n' +
@@ -543,7 +543,7 @@ const proxy = http.createServer((req, res) => {
 });
 proxy.on('connect', (req, clientSocket, head) => {
   // Connect to an origin server
-  const { port, hostname } = new URL(`http://${req.url}`);
+  const { port, hostname } = new URL(`http://${req.headers.host}${req.url}`);
   const serverSocket = net.connect(port || 80, hostname, () => {
     clientSocket.write('HTTP/1.1 200 Connection Established\r\n' +
                     'Proxy-agent: Node.js-Proxy\r\n' +
@@ -2886,15 +2886,15 @@ Accept: text/plain
 To parse the URL into its parts:
 
 ```js
-new URL(request.url, `http://${request.headers.host}`);
+new URL(`http://${req.headers.host}${req.url}`);
 ```
 
 When `request.url` is `'/status?name=ryan'` and `request.headers.host` is
 `'localhost:3000'`:
 
 ```console
 $ node
-> new URL(request.url, `http://${request.headers.host}`)
+> new URL(`http://${req.headers.host}${req.url}`)
 URL {
   href: 'http://localhost:3000/status?name=ryan',
   origin: 'http://localhost:3000',