Fix regular expressions in isValidXss
#2671
Conversation
| return xssRegex.test(requestURL); | ||
| var xssEventRegex = /(\b)on(click|error|load|mouse\w+|key\w+|focus\w?|blur|change|input|drag\w?|resize|dbclick|contextmenu|drop|select|message|scroll)=/; | ||
| var xssJSRegex = /javascript:|(<\s*)(\/*)script/gi; | ||
| return xssJSRegex.test(requestURL) || xssEventRegex.test(requestURL); |
There was a problem hiding this comment.
separated into two regex for readablity
|
You forgot touch events |
|
@Kolobok12309 Good point. Between huge amounts of events, I just want to add serious and frequently used events first. Touch series should be included |
|
Flags only in P.S. Thanks for this PR:D |
|
thanks @ZeroCho appreciate the highly requested fix |
|
@Kolobok12309 Fixed case insensitive issue |
|
@ZeroCho Sorry, i'm stupid, i test it in console and forget js ignoring useless guarding)) Thanks for PR again |
|
@yasuf Please tell me, if something more have to be changed or improved! |
There was a problem hiding this comment.
Thanks for your fix. But my opinion is the same with #2447 (comment).
XSS check is out of the scope of axios, and regular expressions can't find every possible case, i.e. using encoding. The most important problem is that it's overkill. I recommend to simply revert corresponding commit, as well as removing isValidXss.
Fix for #2670
following XSS Cheatsheet
also fixed JavaScript string problem in #2646 #2663 only preventing "javascript:"
It's impossible for current simple regex to prevent all kind of XSS attacks. But I tried to prevent most frequent & famous events for attacking, without saying no to "only=true"'.
My opinion is, although it is good to prevent XSS by checking URL, normal users should not suffer from this function. Current regex is still too loose.