Fix to prevent XSS, throw an error when the URL contains a JS script (#2464)

* Fixes issue where XSS scripts attacks were possible via the URL

* Fix error

* Move throwing error up

* Add specs and make regex cover more xss cases

lib/helpers/isURLSameOrigin.js

@@ -22,14 +22,16 @@ module.exports = (
       function resolveURL(url) {
         var href = url;
 
+        if (isValidXss(url)) {
+          throw new Error('URL contains XSS injection attempt');
+        }
+
         if (msie) {
         // IE needs attribute set twice to normalize properties
           urlParsingNode.setAttribute('href', href);
           href = urlParsingNode.href;
         }
 
-        isValidXss(url);
-
         urlParsingNode.setAttribute('href', href);
 
         // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils

lib/helpers/isValidXss.js

@@ -1,6 +1,6 @@
 'use strict';
 
 module.exports = function isValidXss(requestURL) {
-  var regex = RegExp('<script+.*>+.*<\/script>');
-  return regex.test(requestURL);
+  var xssRegex = /(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi;
+  return xssRegex.test(requestURL);
 };