Remove unnecessary XSS check introduced by #2451 (#2679)

* Remove unnecessary XSS check introduced by #2451 * Remove test file of `isValidXss`
2026-05-15 11:59:42 +03:00 · 2020-01-21 00:20:33 +08:00
parent 351cf290f0
commit c7488c7dd5
4 changed files with 0 additions and 43 deletions
@@ -1,7 +1,6 @@
 'use strict';

 var utils = require('./../utils');
-var isValidXss = require('./isValidXss');

 module.exports = (
  utils.isStandardBrowserEnv() ?
@@ -22,10 +21,6 @@ module.exports = (
      function resolveURL(url) {
        var href = url;

-        if (isValidXss(url)) {
-          throw new Error('URL contains XSS injection attempt');
-        }
-
        if (msie) {
        // IE needs attribute set twice to normalize properties
          urlParsingNode.setAttribute('href', href);
@@ -1,7 +0,0 @@
-'use strict';
-
-module.exports = function isValidXss(requestURL) {
-  var xssRegex = /(\b)(on\w+)=|javascript|(<\s*)(\/*)script/gi;
-  return xssRegex.test(requestURL);
-};
-
@@ -8,10 +8,4 @@ describe('helpers::isURLSameOrigin', function () {
  it('should detect different origin', function () {
    expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false);
  });
-
-  it('should detect XSS scripts on a same origin request', function () {
-    expect(function() {
-      isURLSameOrigin('https://github.com/axios/axios?<script>alert("hello")</script>');
-    }).toThrowError(Error, 'URL contains XSS injection attempt')
-  });  
 });
@@ -1,25 +0,0 @@
-var isValidXss = require('../../../lib/helpers/isValidXss');
-
-describe('helpers::isValidXss', function () {
-  it('should detect script tags', function () {
-    expect(isValidXss("<script/xss>alert('blah')</script/xss>")).toBe(true);
-    expect(isValidXss("<SCRIPT>alert('getting your password')</SCRIPT>")).toBe(true);
-    expect(isValidXss("<script src='http://xssinjections.com/inject.js'>xss</script>")).toBe(true);
-    expect(isValidXss("<img src='/' onerror='javascript:alert('xss')'>xss</script>")).toBe(true);
-    expect(isValidXss("<script>console.log('XSS')</script>")).toBe(true);
-    expect(isValidXss("onerror=alert('XSS')")).toBe(true);
-    expect(isValidXss("<a onclick='alert('XSS')'>Click Me</a>")).toBe(true);
-  });
-
-  it('should not detect non script tags', function() {
-    expect(isValidXss("/one/?foo=bar")).toBe(false);
-    expect(isValidXss("<safe> tags")).toBe(false);
-    expect(isValidXss("<safetag>")).toBe(false);
-    expect(isValidXss(">>> safe <<<")).toBe(false);
-    expect(isValidXss("<<< safe >>>")).toBe(false);
-    expect(isValidXss("my script rules")).toBe(false);
-    expect(isValidXss("<a notonlistener='nomatch'>")).toBe(false);
-    expect(isValidXss("<h2>MyTitle</h2>")).toBe(false);
-    expect(isValidXss("<img src='#'/>")).toBe(false);
-  })
-});