Incorrectly caught XSS injection attempt

[CammyMurrie]

Describe the bug
applying a query string parameter ("onlyApproved=true" in this instance), is throwing URL contains XSS injection attempt.

To Reproduce
perform an axios.get request (not tried any other methods) with any query string parameter beginning with on.

https://randomdomain.com/api/endpoint?onlyRandomThings=true

Expected behavior
This should not be caught as valid XSS.

Environment:

• Axios Version [0.19.1]
• OS: [Windows 10 Professional]
• Browser [all]
• Browser Version [all]
• Additional Library Versions [React 16.12]

[fsubal]

Axios Version [0.19.0]

Isn't 0.19.1 ? I also had the same issue after updating from 0.19.0 to 0.19.1.

It seems that URL containing on is considered and tested only when it's in paths.

8414664

[CammyMurrie]

@fsubal you're right it's 0.19.1
updated issue 👍

[dson]

Same issue here. Seems to be introduced by #2464, that no longer ignores the return value of isValidXss, and throws an error when a url is considered an XSS attempt. But the actual problem is the updated regex in isValidXss:

/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/

that also matches valid urls:

isValidXss("/projects?onlyActive=true"); // true

Change: https://github.com/axios/axios/pull/2464/files#diff-34eed4dcf375a40e781836061fae2889

[chinesedfan]

Duplicate of #2646. And sorry for this stupid bug. Hope maintainers who have publish permission like @emilyemorehouse can fix it soon.