From 841466416b6851666955113a60ae46830a27003f Mon Sep 17 00:00:00 2001
From: Yasu Flores
Date: Thu, 7 Nov 2019 18:39:24 -0800
Subject: [PATCH] Fix XSS logic that matched some valid urls (#2529)

* Fix XSS logic that matched some valid urls, e.g. "/one/?foo=bar", when it shouldn't match those

---
 lib/helpers/isValidXss.js | 3 ++-
 test/specs/helpers/isValidXss.spec.js | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/helpers/isValidXss.js b/lib/helpers/isValidXss.js
index 3545fb5c29..3c834a7cfa 100644
--- a/lib/helpers/isValidXss.js
+++ b/lib/helpers/isValidXss.js
@@ -1,6 +1,7 @@
 'use strict';
 
 module.exports = function isValidXss(requestURL) {
-var xssRegex = /(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi;
+var xssRegex = /(\b)(on\w+)=|javascript|(<\s*)(\/*)script/gi;
 return xssRegex.test(requestURL);
 };
+
diff --git a/test/specs/helpers/isValidXss.spec.js b/test/specs/helpers/isValidXss.spec.js
index b17b686062..dcfcf9d772 100644
--- a/test/specs/helpers/isValidXss.spec.js
+++ b/test/specs/helpers/isValidXss.spec.js
@@ -12,6 +12,7 @@ describe('helpers::isValidXss', function () {
 });
 
 it('should not detect non script tags', function() {
+expect(isValidXss("/one/?foo=bar")).toBe(false);
 expect(isValidXss(" tags")).toBe(false);
 expect(isValidXss("")).toBe(false);
 expect(isValidXss(">>> safe <<<")).toBe(false);
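Review bot: Besides narrowing `on\S+` to `on\w+`, the new regex on the `+` line also drops the `(\s*)` that preceded `=`, so a handler attribute with whitespace between its name and the equals sign is no longer flagged — a detection regression the commit message does not mention; if only the false positive was the target, `var xssRegex = /\bon\w+\s*=|javascript|<\s*\/*script/i;` keeps the original coverage. The capturing groups `(\b)`, `(<\s*)` and `(\/*)` are never read and can go, and the `g` flag is unnecessary for a single `test()` call on a regex rebuilt every invocation (harmless now, but `lastIndex` state would bite if the literal were ever hoisted to module scope). The appended blank line after `};` is likely to trip ESLint's `no-multiple-empty-lines` or `eol-last`. A short JSDoc such as `/** Best-effort denylist check on the raw request URL; returns true when a script-like fragment is present. */` would also help, since the name `isValidXss` reads as the opposite of what a `true` result means.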
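Review bot: The added assertion pins only the false positive; nothing in this hunk shows that the narrowed `on\w+=` pattern still flags the handler form it is meant to catch, so a companion positive assertion would make the regression guard two-sided. The detection cases presumably live in the `should detect` block above line 12, outside this hunk, so whether such a case already exists cannot be told from here. The enclosing `it(...)` callback also closes outside the hunk.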