Skip to content

Commit

Permalink
[XSS] Fixed escape detection bug causing strage false positives (than…
Browse files Browse the repository at this point in the history
…ks Dave Howorth for report).
  • Loading branch information
hackademix committed Sep 9, 2020
1 parent b79067c commit 888a284
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/xss/InjectionChecker.js
Original file line number Diff line number Diff line change
Expand Up @@ -306,7 +306,7 @@ XSS.InjectionChecker = (async () => {
'\\.' + IC_COMMENT_PATTERN + "src" + IC_COMMENT_PATTERN + '=' +
IC_EVENT_DOS_PATTERN +
"|\\b" + fuzzify("onerror") + "\\b[^]*=" +
"|=[s\\\\[ux]?\d{2}" + // escape (unicode/ascii/octal)
"|=\\\\[ux]?\\d{2}" + // escape (unicode/ascii/octal)
"|\\b(?:toString|valueOf)\\b" + IC_COMMENT_PATTERN + "=[^]*(?:" + IC_EVAL_PATTERN + ")" +
"|(?:\\)|(?:[^\\w$]|^)[$a-zA-Z_\\u0ff-\\uffff][$\\w\\u0ff-\\uffff]*)" + IC_COMMENT_PATTERN + '=>' + // concise function definition
"|(?:[^\\w$]|^)" + IC_EVENT_PATTERN + IC_COMMENT_PATTERN + "="
Expand Down

0 comments on commit 888a284

Please sign in to comment.