Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

isValidXss helper works incorrectly #2670

Closed
mspiderv opened this issue Jan 16, 2020 · 3 comments
Closed

isValidXss helper works incorrectly #2670

mspiderv opened this issue Jan 16, 2020 · 3 comments

Comments

@mspiderv
Copy link

Describe the bug
Function isValidXss works incorrectly.

To Reproduce

// I just copy & paste the function declaration
function isValidXss(requestURL) {
  var xssRegex = /(\b)(on\w+)=|javascript|(<\s*)(\/*)script/gi;
  return xssRegex.test(requestURL);
};

// Calling this will result in `true`
isValidXss('https://www.somedomain.com?only=true')

Expected behavior
I expect the previous function call to result in false. I see no XSS attack in there.

Environment:

  • Axios Version 0.19.1
ZeroCho added a commit to ZeroCho/axios that referenced this issue Jan 16, 2020
@ZeroCho
Test for Fix: axios#2670
3a0d3c3
@ZeroCho ZeroCho mentioned this issue Jan 16, 2020
Closed
@Larsrdev
Copy link

Yea sir you are right! I also saw this yesterday. We now have problems with some URL params like this:

files=&names=&onlyMarkedOnes=false&batchSize=20&offset=0

Im not deep into XSS. Why is there the "(on\S+)" in the regex?

@Larsrdev
Copy link

#2663

#2646

#2645

@chinesedfan
Copy link
Collaborator

Duplicate of #2646.

@axios axios locked and limited conversation to collaborators May 22, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chinesedfan @mspiderv @Larsrdev