Skip to content

Remove unnecessary XSS check introduced by #2451 #2679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
emilyemorehouse merged 2 commits into from
Jan 20, 2020
Merged

Remove unnecessary XSS check introduced by #2451 #2679

emilyemorehouse merged 2 commits into from
Jan 20, 2020

Conversation

@chinesedfan
Copy link
Contributor

@chinesedfan chinesedfan commented Jan 20, 2020

Fixed #2646 and lots of similar issues.

I shared the same opnion with @snoopysecurity. See #2464 (comment). We did overreaction for it and did an overkill.

@emilyemorehouse emilyemorehouse merged commit c7488c7 into axios:master Jan 20, 2020
yasuf added a commit that referenced this pull request Jan 20, 2020
@yasuf
Revert "Remove unnecessary XSS check introduced by #2451 (#2679)"
03d8921 
This reverts commit c7488c7.
@codingedgar
Copy link

codingedgar commented Jan 20, 2020

@chinesedfan How can I have this fix ? I have a #2646 issue

ghost
ghost reviewed Jan 22, 2020
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And the script:src version?

@chinesedfan
Copy link
Contributor Author

chinesedfan commented Jan 22, 2020

@edgarjrg I don't know. But I will try to ask members who have publish permissions to release soon.

@DanielYeshua Can you elaborate your question?

@chinesedfan chinesedfan mentioned this pull request Jan 22, 2020
Closed
@ghost
Copy link

ghost commented Jan 22, 2020

There is still no solution for those who use AXIOS in this way: <script src = "main.js"> </script>

There may be and I have not yet left.

@chinesedfan
Copy link
Contributor Author

chinesedfan commented Jan 22, 2020
edited
Loading

@DanielYeshua Never mind. When the next version is released, those dist files will be updated correspondingly.

@nadios nadios mentioned this pull request Jan 22, 2020
Closed
This was referenced Feb 13, 2020
Open
Open
Merged
Merged
Open
This was referenced Feb 20, 2020
Merged
Merged
Open
Open
Open
Open
Open
Open
Closed
This was referenced Mar 1, 2020
Open
Open
Open
Open
Open
This was referenced Apr 3, 2020
Open
Closed
Open
Closed
Merged
Closed
Open
Closed
Closed
Merged
Merged
Merged
Open
Open
Open
This was referenced Apr 13, 2020
Open
Open
Open
Closed
@snyk-bot snyk-bot mentioned this pull request Apr 21, 2020
Open
@timaxxer
Copy link

timaxxer commented Apr 22, 2020
edited
Loading

I am wondering if there is anything else that will help covering the issue of XSS in helpers/isURLSameOrigin.js

In my organization, I run a scan on my app with Synopsys Coverity and this is higlighting a Critical XSS issue in helpers/isURLSameOrigin.js
https://github.com/axios/axios/blob/master/lib/helpers/isURLSameOrigin.js#L30

CVSS Severity: Critical
CWE 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This CWE entry is at position 7 in the OWASP Top 10.
This CWE entry is at position 4 in the CWE/SANS Top 25.

@emilyemorehouse Let me know if this can be addressed or not.

This was referenced Apr 22, 2020
Open
Open
Open
Open
Open
This was referenced Apr 30, 2020
Open
Open
Merged
@axios axios locked and limited conversation to collaborators May 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Requests to urls containing 'javascript' are failing

4 participants

@chinesedfan @codingedgar @timaxxer @emilyemorehouse