Fix to prevent XSS, throw an error when the URL contains a JS script

[yasuf]

Changes

• Addresses SRCCLR-SID-21679: Veracode scan reporting "Cross-Site Scripting (XSS) Vulnerability in the axios library" #2463
• Also related to Fortify Scan finds a critical vulnerability #2447
• Throw an error when the URL contains an XSS script

[snoopysecurity]

Hey 👋 So the PR itself does amend the logic of isValidXss to throw an error and that makes sense. However, by looking at the logic of

axios/lib/helpers/isValidXss.js

Line 4 in 19969b4

var regex = RegExp('<script+.*>+.*<\/script>');

, It is very easy to bypass this validation by having a payload such as https://github.com/axios/axios?<svg/onload=alert(1)> or anything other than a script tag.

This isn't a huge problem since #2447 seems be not exploitable anyway. So this PR might be enough to stop Fortify reporting this as a vulnerability.

Hope this helps

[etanxing]

Thanks guys, any plan for this release?

[felipewmartins]

@yasuf This merge cause a error in the main build. Please are you can see? I need this to fix the #2479

[yasuf]

what's the error? where can I see it?

edit: nevermind, found your PR

[felipewmartins]

Hi @yasuf
This build
https://travis-ci.org/axios/axios/builds/598593005