XSS Detection regex too loose

[R4c00n]

Hello,
it seems like the latest master branch has a too loose XSS regex in lib/helpers/isValidXss.js
/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi Matches URLs like /one/?foo=bar or /online?foo=bar
https://www.regexpal.com/?fam=112339

This results in a JavaScript error that can break the entire page.

Also, I don't quite understand why this check is performed without performing a request, but on require('axios') with the current pages URL.
Why does axios care about the pages URL and not just the URL used for an actual axios request?

[Ghost-J]

Noticed the same error. example.com/onyx/registration?foo=bar

[ghost]

Hi, im using contentful, that use axios and when my slug contains 'javascript' entire page not loading because of 'Uncaught Error: URL contains XSS injection attempt' :)
So, is 'isValidXss' function really helping to prevent XSS and why check URL pages?

[yasuf]

@abzalzhumabaev plenty of people are having this same issue, I haven't had the time to push a fix but there are a few issues about it #2646