Incorrectly caught XSS injection attempt #2660
Comments
Isn't it 0.19.1? I also had the same issue after updating from 0.19.0 to 0.19.1. It seems that URL containing

@fsubal you're right, it's 0.19.1.

Same issue here. Seems to be introduced by #2464, which no longer ignores the return value of `/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/`, a pattern that also matches valid URLs:

`isValidXss("/projects?onlyActive=true"); // true`

Change: https://github.com/axios/axios/pull/2464/files#diff-34eed4dcf375a40e781836061fae2889

Duplicate of #2646. And sorry for this stupid bug. Hope maintainers who have publish permission like @emilyemorehouse can fix it soon.
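To make the false positive concrete, here is an added example (not axios code, and not the project's eventual fix) that reproduces the regex quoted in the comment above and runs it over constructed URLs; the narrower `NARROW_RE` heuristic is an assumption for comparison only, showing how restricting the `on*=` alternative to a tag context avoids flagging ordinary query parameters.

```javascript
// Added example, not axios's own code. Reproduces the pattern quoted in the
// thread and compares it with an assumed, narrower heuristic.

// Regex exactly as quoted in the comment: word-boundary + on<attr>=,
// or the literal "javascript", or an opening <script tag.
const XSS_RE = /(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/;

// Mirrors the behaviour described in the thread: true when the URL matches.
function isValidXss(url) {
  return XSS_RE.test(url);
}

// Assumed narrower heuristic (illustration only): an on*= attribute is only
// treated as suspicious when it appears inside an unclosed '<' tag, and the
// other alternatives look for "javascript:" and a <script tag.
const NARROW_RE = /<[^>]*\bon\w+\s*=|javascript:|<\s*\/?\s*script/i;

function isSuspiciousUrl(url) {
  return NARROW_RE.test(url);
}

// Constructed sample URLs: two benign query strings from the report plus two
// strings that do carry markup a URL-level check would want to notice.
const SAMPLES = [
  "/projects?onlyActive=true",                                    // benign
  "https://randomdomain.com/api/endpoint?onlyRandomThings=true", // benign
  "/search?q=<div onload=x>",                                     // handler in a tag
  "/search?q=<script>x</script>",                                 // script tag
];

// Returns one row per URL with the verdict of each check, so the false
// positives of the quoted pattern on the benign query strings are visible.
function classify(urls) {
  return urls.map((url) => ({
    url,
    quotedPattern: isValidXss(url),
    narrowPattern: isSuspiciousUrl(url),
  }));
}

for (const row of classify(SAMPLES)) console.log(row);
```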
Describe the bug
Applying a query string parameter ("onlyApproved=true" in this instance) is throwing "URL contains XSS injection attempt".
To Reproduce
Perform an axios.get request (not tried any other methods) with any query string parameter beginning with "on":
https://randomdomain.com/api/endpoint?onlyRandomThings=true
Expected behavior
This should not be caught as valid XSS.
Environment: