summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorhackademix2019-03-24 23:35:05 +0100
committerhackademix2019-03-24 23:35:05 +0100
commitd299436a08a90d29cbff252e13fd387044003a9e (patch)
treed9a41331169cc04eaa1f36eb7a8544d5d2c0306a
parentb825935788524bbfc6f0b9c6f74f76c16af3eadd (diff)
downloadnoscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.gz
noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.xz
noscript-d299436a08a90d29cbff252e13fd387044003a9e.zip
Better detection of privileged URLs in the XSS filter.
-rw-r--r--src/xss/XSS.js3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/xss/XSS.js b/src/xss/XSS.js
index 3d9068f..18630fa 100644
--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@@ -179,6 +179,9 @@ var XSS = (() => {
let unescapedDest = unescape(destUrl);
let srcOrigin = srcObj ? srcObj.origin : "";
+ if (srcOrigin === "null") {
+ srcOrigin = srcObj.href.replace(/[\?#].*/, '');
+ }
let destOrigin = destObj.origin;
let isGet = method === "GET";