Better detection of privileged URLs in the XSS filter.

author: hackademix 2019-03-24 23:35:05 +0100
committer: hackademix 2019-03-24 23:35:05 +0100
commit: d299436a08a90d29cbff252e13fd387044003a9e (patch)
tree: d9a41331169cc04eaa1f36eb7a8544d5d2c0306a /src/xss/XSS.js
parent: b825935788524bbfc6f0b9c6f74f76c16af3eadd (diff)
download: noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.gz
noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.xz
noscript-d299436a08a90d29cbff252e13fd387044003a9e.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/xss/XSS.js b/src/xss/XSS.js
index 3d9068f..18630fa 100644
--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@@ -179,6 +179,9 @@ var XSS = (() => {
 
       let unescapedDest = unescape(destUrl);
       let srcOrigin = srcObj ? srcObj.origin : "";
+      if (srcOrigin === "null") {
+        srcOrigin = srcObj.href.replace(/[\?#].*/, '');
+      }
       let destOrigin = destObj.origin;
 
       let isGet = method === "GET";
author	hackademix	2019-03-24 23:35:05 +0100
committer	hackademix	2019-03-24 23:35:05 +0100
commit	d299436a08a90d29cbff252e13fd387044003a9e (patch)
tree	d9a41331169cc04eaa1f36eb7a8544d5d2c0306a /src/xss/XSS.js
parent	b825935788524bbfc6f0b9c6f74f76c16af3eadd (diff)
download	noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.gz noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.xz noscript-d299436a08a90d29cbff252e13fd387044003a9e.zip