Skip to content

Commit

Permalink
Revert "Remove unnecessary XSS check introduced by #2451 (#2679)"
Browse files Browse the repository at this point in the history 
This reverts commit c7488c7.
  • Loading branch information
@yasuf
yasuf committed Jan 20, 2020
1 parent c7488c7 commit 03d8921
Show file tree
Hide file tree
Showing 4 changed files with 43 additions and 0 deletions.
5 changes: 5 additions & 0 deletions lib/helpers/isURLSameOrigin.js
View file
@@ -1,6 +1,7 @@
'use strict';

var utils = require('./../utils');
var isValidXss = require('./isValidXss');

module.exports = (
utils.isStandardBrowserEnv() ?
Expand All @@ -21,6 +22,10 @@ module.exports = (
function resolveURL(url) {
var href = url;

if (isValidXss(url)) {
throw new Error('URL contains XSS injection attempt');
}

if (msie) {
// IE needs attribute set twice to normalize properties
urlParsingNode.setAttribute('href', href);
Expand Down
7 changes: 7 additions & 0 deletions lib/helpers/isValidXss.js
View file
@@ -0,0 +1,7 @@
'use strict';

module.exports = function isValidXss(requestURL) {
var xssRegex = /(\b)(on\w+)=|javascript|(<\s*)(\/*)script/gi;
return xssRegex.test(requestURL);
};

6 changes: 6 additions & 0 deletions test/specs/helpers/isURLSameOrigin.spec.js
View file
Expand Up @@ -8,4 +8,10 @@ describe('helpers::isURLSameOrigin', function () {
it('should detect different origin', function () {
expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false);
});

it('should detect XSS scripts on a same origin request', function () {
expect(function() {
isURLSameOrigin('https://github.com/axios/axios?<script>alert("hello")</script>');
}).toThrowError(Error, 'URL contains XSS injection attempt')
});
});
25 changes: 25 additions & 0 deletions test/specs/helpers/isValidXss.spec.js
View file
@@ -0,0 +1,25 @@
var isValidXss = require('../../../lib/helpers/isValidXss');

describe('helpers::isValidXss', function () {
it('should detect script tags', function () {
expect(isValidXss("<script/xss>alert('blah')</script/xss>")).toBe(true);
expect(isValidXss("<SCRIPT>alert('getting your password')</SCRIPT>")).toBe(true);
expect(isValidXss("<script src='http://xssinjections.com/inject.js'>xss</script>")).toBe(true);
expect(isValidXss("<img src='/' onerror='javascript:alert('xss')'>xss</script>")).toBe(true);
expect(isValidXss("<script>console.log('XSS')</script>")).toBe(true);
expect(isValidXss("onerror=alert('XSS')")).toBe(true);
expect(isValidXss("<a onclick='alert('XSS')'>Click Me</a>")).toBe(true);
});

it('should not detect non script tags', function() {
expect(isValidXss("/one/?foo=bar")).toBe(false);
expect(isValidXss("<safe> tags")).toBe(false);
expect(isValidXss("<safetag>")).toBe(false);
expect(isValidXss(">>> safe <<<")).toBe(false);
expect(isValidXss("<<< safe >>>")).toBe(false);
expect(isValidXss("my script rules")).toBe(false);
expect(isValidXss("<a notonlistener='nomatch'>")).toBe(false);
expect(isValidXss("<h2>MyTitle</h2>")).toBe(false);
expect(isValidXss("<img src='#'/>")).toBe(false);
})
});

0 comments on commit 03d8921

Please sign in to comment.