[XSS] Fixed anti-HPP coalescing wrongly applied to POST requests causing JSON reduction optimization to choke on big payloads.

author: hackademix 2018-07-12 18:58:57 +0200
committer: hackademix 2018-07-12 18:58:57 +0200
commit: 7e3decc8f41cbe76284f4b4d1494ebab42325217 (patch)
tree: 4e2fda71e9450d6b00550cb181d1a86351595a0a /src/xss
parent: 8f6574661d06fa2e047e950645d3e0c90ec5be0d (diff)
download: noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.tar.gz
noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.tar.xz
noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index f7605e5..e908d21 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -183,7 +183,7 @@ XSS.InjectionChecker = (async () => {
           return this.reduceJSON(s.replace(expr, REPL));
         }
       } catch (e) {}
-      let iterations = 0;
+
       for (;;) {
         let prev = s;
         let start = s.indexOf("{");
@@ -1002,7 +1002,7 @@ XSS.InjectionChecker = (async () => {
           return true;
       }
 
-      if (s.indexOf("coalesced:") !== 0) {
+      if (!isPost && s.indexOf("coalesced:") !== 0) {
         let coalesced = ASPIdiocy.coalesceQuery(s);
         if (coalesced !== s && this.checkRecursive("coalesced:" + coalesced, depth, isPost))
           return true;
author	hackademix	2018-07-12 18:58:57 +0200
committer	hackademix	2018-07-12 18:58:57 +0200
commit	7e3decc8f41cbe76284f4b4d1494ebab42325217 (patch)
tree	4e2fda71e9450d6b00550cb181d1a86351595a0a /src/xss
parent	8f6574661d06fa2e047e950645d3e0c90ec5be0d (diff)
download	noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.tar.gz noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.tar.xz noscript-7e3decc8f41cbe76284f4b4d1494ebab42325217.zip