Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scrip… (#2451)

* Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scripting * use var insted of const

Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scrip… (#2451)
* Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scripting * use var insted of const
19969b4f · Wataru · Felipe Martins · 4f189ec8 · 19969b4f · 19969b4f
3 changed file
--- a/lib/helpers/isURLSameOrigin.js
+++ b/lib/helpers/isURLSameOrigin.js
 'use strict';

 var utils = require('./../utils');
+var isValidXss = require('./isValidXss');

 module.exports = (
  utils.isStandardBrowserEnv() ?
@@ -27,6 +28,8 @@ module.exports = (
          href = urlParsingNode.href;
        }

+        isValidXss(url);
+
        urlParsingNode.setAttribute('href', href);

        // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils

--- a/lib/helpers/isValidXss.js
+++ b/lib/helpers/isValidXss.js
+'use strict';
+
+module.exports = function isValidXss(requestURL) {
+  var regex = RegExp('<script+.*>+.*<\/script>');
+  return regex.test(requestURL);
+};
--- a/test/specs/helpers/isURLSameOrigin.spec.js
+++ b/test/specs/helpers/isURLSameOrigin.spec.js
@@ -8,4 +8,8 @@ describe('helpers::isURLSameOrigin', function () {
  it('should detect different origin', function () {
    expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false);
  });
+
+  it('should detect xss', function () {
+    expect(isURLSameOrigin('https://github.com/axios/axios?<script>alert("hello")</script>')).toEqual(false)
+  })
 });