Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix to prevent XSS, throw an error when the URL contains a JS script #2464

Merged
merged 6 commits into from
Oct 16, 2019
Merged

Fix to prevent XSS, throw an error when the URL contains a JS script #2464

merged 6 commits into from
Oct 16, 2019

Conversation

yasuf
Copy link
Collaborator

@yasuf yasuf commented Oct 14, 2019
edited
Loading

@yasuf yasuf changed the title XSS fix to throw errror when the URL contains a JS script Fix to prevent XSS, throw an error when the URL contains a JS script Oct 14, 2019
@snoopysecurity
Copy link

snoopysecurity commented Oct 15, 2019
edited
Loading

Hey 👋 So the PR itself does amend the logic of isValidXss to throw an error and that makes sense. However, by looking at the logic of

axios/lib/helpers/isValidXss.js

Line 4 in 19969b4

var regex = RegExp('<script+.*>+.*<\/script>');
, It is very easy to bypass this validation by having a payload such as https://github.com/axios/axios?<svg/onload=alert(1)> or anything other than a script tag.

This isn't a huge problem since #2447 seems be not exploitable anyway. So this PR might be enough to stop Fortify reporting this as a vulnerability.

Hope this helps

@felipewmartins felipewmartins merged commit 29da6b2 into axios:master Oct 16, 2019
@etanxing
Copy link

Thanks guys, any plan for this release?

@felipewmartins
Copy link
Collaborator

@yasuf This merge cause a error in the main build. Please are you can see? I need this to fix the #2479

@yasuf
Copy link
Collaborator Author

yasuf commented Oct 21, 2019
edited
Loading

what's the error? where can I see it?

edit: nevermind, found your PR

@felipewmartins
Copy link
Collaborator

Hi @yasuf
This build
https://travis-ci.org/axios/axios/builds/598593005

@Alanscut Alanscut mentioned this pull request Oct 25, 2019
Merged
This was referenced Jan 7, 2020
Open
Open
Open
Closed
Merged
Closed
Open
Merged
Open
Merged
Merged
Merged
Merged
Closed
Merged
This was referenced Apr 3, 2020
Open
Closed
Open
Closed
Merged
Closed
Open
Closed
Closed
Merged
Merged
Merged
Open
Open
Open
This was referenced Apr 13, 2020
Open
Open
Open
Open
Closed
This was referenced Apr 21, 2020
Open
Open
Open
Open
Open
Open
This was referenced Apr 30, 2020
Open
Open
Merged
@axios axios locked and limited conversation to collaborators May 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@AleksueiR AleksueiR AleksueiR left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@yasuf @snoopysecurity @etanxing @felipewmartins @JyothiYamajala @AleksueiR
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy