Fix to prevent XSS, throw an error when the URL contains a JS script (#2464)

* Fixes issue where XSS scripts attacks were possible via the URL * Fix error * Move throwing error up * Add specs and make regex cover more xss cases
2026-06-17 19:21:29 +03:00 · 2019-10-16 03:53:10 -07:00
parent ee60ee368e
commit 29da6b24db
4 changed files with 33 additions and 6 deletions
@@ -22,14 +22,16 @@ module.exports = (
      function resolveURL(url) {
        var href = url;

+        if (isValidXss(url)) {
+          throw new Error('URL contains XSS injection attempt');
+        }
+
        if (msie) {
        // IE needs attribute set twice to normalize properties
          urlParsingNode.setAttribute('href', href);
          href = urlParsingNode.href;
        }

-        isValidXss(url);
-
        urlParsingNode.setAttribute('href', href);

        // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils