Hello,
it seems like the latest master branch has a too loose XSS regex in `lib/helpers/isValidXss.js`:

`/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi`

It matches URLs like `/one/?foo=bar` or `/online?foo=bar` (https://www.regexpal.com/?fam=112339).
This results in a JavaScript error that can break the entire page.
Also, I don't quite understand why this check is performed without performing a request, but on `require('axios')` with the current page's URL.
Why does axios care about the page's URL and not just the URL used for an actual axios request?
Hi, I'm using Contentful, which uses axios, and when my slug contains 'javascript' the entire page does not load because of 'Uncaught Error: URL contains XSS injection attempt' :)
So, is the 'isValidXss' function really helping to prevent XSS, and why check the page's URL?
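To make the false positives from the issue and the comment above concrete, here is an added example (not axios's own code and not from the issue author). It copies the regex exactly as quoted from `lib/helpers/isValidXss.js`, runs it over constructed sample URLs, and returns which ones it flags. The sample URLs other than the two quoted in the issue are constructed for illustration; `isFlagged`, `explain` and `runSamples` are helper names chosen here and do not exist in axios.

```javascript
// Added example: the regex quoted in the issue, copied verbatim.
const XSS_REGEX = /(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi;

// Returns true when the regex flags the string.
// Caveat: the regex carries the /g flag, so RegExp.prototype.test() is
// stateful and resumes from lastIndex on the next call. Reset it so every
// call starts at position 0; otherwise a later URL can be silently missed.
function isFlagged(url) {
  XSS_REGEX.lastIndex = 0;
  return XSS_REGEX.test(url);
}

// Returns the matched substring (or null) to show *why* a URL is flagged.
// Uses a non-global copy of the same pattern so match() is stateless.
function explain(url) {
  const m = url.match(/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/i);
  return m ? m[0] : null;
}

// Constructed sample URLs with the expected verdict of the regex.
// Only '/one/?foo=bar' and '/online?foo=bar' come from the issue itself.
const SAMPLES = {
  // Benign URLs that are flagged. In the first alternative, \b matches
  // before "one"/"online", on\S+ then consumes every non-space character
  // up to the "=" of the query string, so "one/?foo=" satisfies \b on\S+ \s* =.
  '/one/?foo=bar': true,
  '/online?foo=bar': true,
  // A slug containing the bare word "javascript" (the comment's case):
  // the second alternative has no anchoring at all.
  '/blog/learn-javascript': true,
  // Benign URLs that pass: no word starting with "on", no "javascript", no "<script".
  '/users/42?sort=name': false,
  '/content/entry?id=abc': false,
  // Genuine injection attempts that are (correctly) flagged.
  'javascript:alert(1)': true,
  '/?q=<script>alert(1)</script>': true,
  '/?q=<img src=x onerror=alert(1)>': true,
};

// Runs every sample through the regex and returns { url: flagged } plus a
// list of disagreements with the expected verdicts (should be empty).
function runSamples() {
  const results = {};
  const mismatches = [];
  for (const [url, expected] of Object.entries(SAMPLES)) {
    results[url] = isFlagged(url);
    if (results[url] !== expected) mismatches.push(url);
  }
  return { results, mismatches };
}

// Stand-alone usage: print each URL, the verdict and the matched fragment.
const { results, mismatches } = runSamples();
for (const url of Object.keys(results)) {
  console.log(`${results[url] ? 'FLAGGED' : 'ok     '} ${url}  matched=${JSON.stringify(explain(url))}`);
}
console.log('mismatches:', mismatches);
```

Running this shows that the three benign URLs are flagged purely because a path segment begins with "on" and a "=" follows later in the same non-space run, or because "javascript" appears as a plain substring; none of the regex's three alternatives is anchored to an HTML attribute or a URL scheme position, which is what makes it trip on ordinary page URLs.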