Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unnecessary XSS check introduced by #2451 #2679

Merged
merged 2 commits into from Jan 20, 2020

Conversation

chinesedfan
Copy link
Collaborator

Fixed #2646 and lots of similar issues.

I shared the same opnion with @snoopysecurity. See #2464 (comment). We did overreaction for it and did an overkill.

@emilyemorehouse emilyemorehouse merged commit c7488c7 into axios:master Jan 20, 2020
yasuf added a commit that referenced this pull request Jan 20, 2020
@codingedgar
Copy link

@chinesedfan How can I have this fix ? I have a #2646 issue

Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And the script:src version?

@chinesedfan
Copy link
Collaborator Author

@edgarjrg I don't know. But I will try to ask members who have publish permissions to release soon.

@DanielYeshua Can you elaborate your question?

@ghost
Copy link

ghost commented Jan 22, 2020

There is still no solution for those who use AXIOS in this way: <script src = "main.js"> </script>

There may be and I have not yet left.

@chinesedfan
Copy link
Collaborator Author

chinesedfan commented Jan 22, 2020

@DanielYeshua Never mind. When the next version is released, those dist files will be updated correspondingly.

@timaxxer
Copy link

timaxxer commented Apr 22, 2020

I am wondering if there is anything else that will help covering the issue of XSS in helpers/isURLSameOrigin.js

In my organization, I run a scan on my app with Synopsys Coverity and this is higlighting a Critical XSS issue in helpers/isURLSameOrigin.js
https://github.com/axios/axios/blob/master/lib/helpers/isURLSameOrigin.js#L30

CVSS Severity: Critical
CWE 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This CWE entry is at position 7 in the OWASP Top 10.
This CWE entry is at position 4 in the CWE/SANS Top 25.

@emilyemorehouse Let me know if this can be addressed or not.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Requests to urls containing 'javascript' are failing
4 participants