From 2efd5b10a70f0c36b5693d37ade0b6267f415354 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=97=A9=E6=B4=A5=E6=B8=89?=
Date: Tue, 8 Oct 2019 02:22:47 +0900
Subject: [PATCH 1/2] Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scripting
---
lib/helpers/isURLSameOrigin.js | 3 +++
lib/helpers/isValidXss.js | 6 ++++++
test/specs/helpers/isURLSameOrigin.spec.js | 4 ++++
3 files changed, 13 insertions(+)
create mode 100644 lib/helpers/isValidXss.js
diff --git a/lib/helpers/isURLSameOrigin.js b/lib/helpers/isURLSameOrigin.js
index f1d89ad19d..ecf9212365 100644
--- a/lib/helpers/isURLSameOrigin.js
+++ b/lib/helpers/isURLSameOrigin.js
@@ -1,6 +1,7 @@
 'use strict';
 var utils = require('./../utils');
+var isValidXss = require('./isValidXss');
 module.exports = (
 utils.isStandardBrowserEnv() ?
@@ -27,6 +28,8 @@ module.exports = (
 href = urlParsingNode.href;
 }
+ isValidXss(url);
+
 urlParsingNode.setAttribute('href', href);
 // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
diff --git a/lib/helpers/isValidXss.js b/lib/helpers/isValidXss.js
new file mode 100644
index 0000000000..508074dc58
--- /dev/null
+++ b/lib/helpers/isValidXss.js
@@ -0,0 +1,6 @@
+'use strict';
+
+module.exports = function isValidXss(requestURL) {
+ const regex = RegExp('+.*<\/script>');
+ return regex.test(requestURL);
+};
diff --git a/test/specs/helpers/isURLSameOrigin.spec.js b/test/specs/helpers/isURLSameOrigin.spec.js
index c26c770351..a9d13f5f49 100644
--- a/test/specs/helpers/isURLSameOrigin.spec.js
+++ b/test/specs/helpers/isURLSameOrigin.spec.js
@@ -8,4 +8,8 @@ describe('helpers::isURLSameOrigin', function () {
 it('should detect different origin', function () {
 expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false);
 });
+
+ it('should detect xss', function () {
+ expect(isURLSameOrigin('https://github.com/axios/axios?')).toEqual(false)
+ })
 });
From 2a05872bf47493d9ecebf72bcc291f01f961a90a Mon Sep 17 00:00:00 2001
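Review bot: The boolean that `isValidXss(url)` returns is thrown away, so the added call changes nothing about what this code does — `href` is still assigned to `urlParsingNode` and resolved exactly as before, and no caller can learn that the URL was flagged. Judging from the context lines (`href = urlParsingNode.href;` followed by `urlParsingNode.setAttribute('href', href)`) this looks like the internal URL-resolving helper rather than `isURLSameOrigin` itself, and the enclosing function starts and ends outside the hunk, so there is no visible failure path to hook into here. If the intent is to treat such URLs as not same-origin, the result has to be consumed where a boolean is returned, e.g. `if (isValidXss(requestURL)) { return false; }` at the top of `isURLSameOrigin`, rather than a bare statement. As submitted the call also throws on every invocation because the helper's pattern does not compile, so this line currently breaks URL resolution in browser environments instead of guarding it.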
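Review bot: `RegExp('+.*<\/script>')` is not a valid pattern — a leading `+` quantifier has nothing to repeat, so the `RegExp` constructor throws `SyntaxError: Invalid regular expression: /+.*</script>/: Nothing to repeat`, and because it is constructed inside the function body every call to `isValidXss` throws instead of returning a boolean (note that `\/` inside a plain string literal is just `/`, so the escape does nothing either). Even with a compiling pattern, a case-sensitive substring match for `</script>` in a request URL is a blocklist that misses trivially different spellings (`%3C/script%3E`, `</SCRIPT>`, any other tag or event handler) and does not touch whatever sink the Fortify finding pointed at, so it should not be described as fixing a critical XSS. The name is also inverted: the function returns `true` when the URL looks malicious, so a reader who takes `isValidXss` as "is valid" gets the opposite meaning. At minimum the pattern should be a literal that compiles, `var regex = /<\/script>/i;`, the function renamed to say what it detects (e.g. `containsScriptTag`), and a header comment added stating that this is a heuristic signal, not a sanitizer, and must not be relied on to make a URL safe.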
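Review bot: The new spec does not exercise the XSS check: `isURLSameOrigin('https://github.com/axios/axios?')` returns `false` simply because the origin differs from the test page's, exactly as the preceding 'should detect different origin' case already asserts, so the expectation cannot distinguish the new helper from the existing origin comparison (and with the helper as submitted the call throws, so the test would fail for an unrelated reason). The URL shown here carries no payload after the `?`; if a `<script>` fragment was lost in rendering the point stands, since the origin mismatch alone decides the result. A meaningful test would call the helper directly with a positive and a negative case, `expect(isValidXss('https://example.test/?<script>alert(1)</script>')).toEqual(true);` and `expect(isValidXss('https://example.test/?q=1')).toEqual(false);`, and any assertion routed through `isURLSameOrigin` should use a same-origin URL so that only the new check can flip it. The two added lines also drop the trailing semicolons that the rest of this spec uses.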
From: =?UTF-8?q?=E6=97=A9=E6=B4=A5=E6=B8=89?=
Date: Tue, 8 Oct 2019 20:16:27 +0900
Subject: [PATCH 2/2] use var insted of const
---
lib/helpers/isValidXss.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/helpers/isValidXss.js b/lib/helpers/isValidXss.js
index 508074dc58..5783a72015 100644
--- a/lib/helpers/isValidXss.js
+++ b/lib/helpers/isValidXss.js
@@ -1,6 +1,6 @@
 'use strict';
 module.exports = function isValidXss(requestURL) {
- const regex = RegExp('+.*<\/script>');
+ var regex = RegExp('+.*<\/script>');
 return regex.test(requestURL);
 };
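Review bot: Swapping `const` for `var` leaves the actual defect on the same line untouched: `RegExp('+.*<\/script>')` still begins with a `+` quantifier that has nothing to repeat, so the constructor throws `SyntaxError` the moment `isValidXss` is called and the function never returns a value. The replacement line should be `var regex = /<\/script>/i;` (or an equivalent quantifier-free pattern if the `RegExp` constructor is kept for ES5 reasons, which the commit message seems to be about but does not say). Until that is fixed the helper cannot be exercised by any spec, and the follow-up `return regex.test(requestURL);` is unreachable.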