Fix regular expressions in isValidXss
#2671
Conversation
return xssRegex.test(requestURL); | ||
var xssEventRegex = /(\b)on(click|error|load|mouse\w+|key\w+|focus\w?|blur|change|input|drag\w?|resize|dbclick|contextmenu|drop|select|message|scroll)=/; | ||
var xssJSRegex = /javascript:|(<\s*)(\/*)script/gi; | ||
return xssJSRegex.test(requestURL) || xssEventRegex.test(requestURL); |
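Review bot: `xssEventRegex` on the second line of this hunk has no `i` flag while `xssJSRegex` has one, so `onLoad=` or `ONERROR=` pass straight through even though `JAVASCRIPT:` is caught; add `i` to both. Two more gaps in the same pattern: `dbclick` should be `dblclick` (the actual DOM event name), and `=` must directly follow the event name, so `onload =` (whitespace before `=` is valid in an HTML attribute) is not matched; `\s*=` would close that. The `g` flag on `xssJSRegex` is only harmless because the regex is rebuilt on every call with `var`; if it is ever hoisted to module scope, `.test()` will carry `lastIndex` between calls and return alternating results for the same input.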
Separated into two regexes for readability.
You forgot touch events
@Kolobok12309 Good point. Among the huge number of events, I just want to add serious and frequently used events first. The touch series should be included.
Flags only. P.S. Thanks for this PR :D
thanks @ZeroCho, appreciate the highly requested fix
@Kolobok12309 Fixed the case-insensitivity issue
@ZeroCho Sorry, I'm stupid, I tested it in the console and forgot that JS ignores useless guarding)) Thanks for the PR again
@yasuf Please tell me if something more has to be changed or improved!
Thanks for your fix. But my opinion is the same as in #2447 (comment).
XSS checking is out of scope for axios, and regular expressions can't find every possible case, e.g. ones using encoding. The most important problem is that it's overkill. I recommend simply reverting the corresponding commit, as well as removing isValidXss.
Fix for #2670
Following the XSS Cheatsheet.
Also fixed the JavaScript string problem in #2646 #2663, where only "javascript:" was being prevented.
It's impossible for the current simple regex to prevent all kinds of XSS attacks. But I tried to prevent the most frequent & famous events used for attacking, without saying no to "only=true".
My opinion is that, although it is good to prevent XSS by checking the URL, normal users should not suffer from this function. The current regex is still too loose.
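To make the two positions in this thread concrete, here is an added example that is not axios code and not part of the PR: the two regexes from the review hunk are copied verbatim into a harness function named `isValidXssFromPR` (a name chosen for this example) and run against constructed URLs. The `caught` set shows the events the PR targets, the `missed` set shows the bypasses the maintainer alludes to (case change, percent-encoding, an entity-encoded colon, a control character inside the scheme, whitespace before `=`, the `dblclick` spelling), and the `benign` set holds the kind of `only=true` query string that issue #2670 is about. The `normalise` helper is also this example's own, showing how far simple decoding gets you and how far it does not.

```javascript
// Added example, not axios code: the two regexes from the PR hunk, unchanged,
// wrapped in a function of this example's own name.
function isValidXssFromPR(requestURL) {
  var xssEventRegex = /(\b)on(click|error|load|mouse\w+|key\w+|focus\w?|blur|change|input|drag\w?|resize|dbclick|contextmenu|drop|select|message|scroll)=/;
  var xssJSRegex = /javascript:|(<\s*)(\/*)script/gi;
  return xssJSRegex.test(requestURL) || xssEventRegex.test(requestURL);
}

// Constructed URLs (not taken from any issue or report), grouped by verdict.
const caught = [
  'https://example.test/?q=<script>alert(1)</script>',
  'https://example.test/?q=< /script',
  'https://example.test/?next=javascript:alert(1)',
  'https://example.test/?q=<img onerror=alert(1)>',
  'https://example.test/?q=<body onload=alert(1)>',
];

// Same payloads, lightly transformed. Each comment names the gap it exercises.
const missed = [
  'https://example.test/?q=<img onError=alert(1)>',              // event regex has no `i` flag
  'https://example.test/?q=%3Cscript%3Ealert(1)%3C/script%3E',   // percent-encoded tag
  'https://example.test/?next=java\tscript:alert(1)',            // tab inside the scheme
  'https://example.test/?next=javascript&#58;alert(1)',          // entity-encoded colon
  'https://example.test/?q=<img onerror =alert(1)>',             // space before "="
  'https://example.test/?q=<div ondblclick=alert(1)>',           // real event is dblclick, hunk has dbclick
];

// The legitimate query string that motivated #2670: must not be flagged.
const benign = ['https://example.test/api/items?only=true&onsale=1'];

// Verdict of the PR's regexes for each URL, in order.
function classify(urls) {
  return urls.map(u => isValidXssFromPR(u));
}

// Example-only normalisation: decode percent-escapes and strip ASCII control
// characters before matching. This closes the percent-encoding and tab cases
// only; case, entity encoding, whitespace before "=" and the typo remain.
function normalise(url) {
  let s = url;
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Leave undecodable input as-is rather than failing open or closed.
  }
  return s.replace(/[\x00-\x1f]/g, '');
}

function classifyNormalised(urls) {
  return urls.map(u => isValidXssFromPR(normalise(u)));
}
```

Running `classify(missed)` returns `false` for every entry and `classifyNormalised(missed)` flips only the percent-encoded and tab cases to `true`; the remaining four stay invisible to the regexes, which is the maintainer's point that an HTTP client cannot be the right place for this check.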