Hello,
it seems like the latest master branch has a too loose XSS regex in lib/helpers/isValidXss.js
/(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi Matches URLs like /one/?foo=bar or /online?foo=bar
https://www.regexpal.com/?fam=112339

This results in a JavaScript error that can break the entire page.

Also, I don't quite understand why this check is performed without performing a request, but on require('axios') with the current pages URL.
Why does axios care about the pages URL and not just the URL used for an actual axios request?