author | hackademix | 2019-03-24 23:35:05 +0100 |
---|---|---|
committer | hackademix | 2019-03-24 23:35:05 +0100 |
commit | d299436a08a90d29cbff252e13fd387044003a9e (patch) | |
tree | d9a41331169cc04eaa1f36eb7a8544d5d2c0306a /src/xss | |
parent | b825935788524bbfc6f0b9c6f74f76c16af3eadd (diff) | |
download | noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.gz noscript-d299436a08a90d29cbff252e13fd387044003a9e.tar.xz noscript-d299436a08a90d29cbff252e13fd387044003a9e.zip |
Better detection of privileged URLs in the XSS filter.
Diffstat (limited to 'src/xss')
-rw-r--r-- | src/xss/XSS.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/xss/XSS.js b/src/xss/XSS.js
index 3d9068f..18630fa 100644
--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@@ -179,6 +179,9 @@ var XSS = (() => {
 let unescapedDest = unescape(destUrl);
 let srcOrigin = srcObj ? srcObj.origin : "";
+ if (srcOrigin === "null") {
+ srcOrigin = srcObj.href.replace(/[\?#].*/, '');
+ }
 let destOrigin = destObj.origin;
 let isGet = method === "GET"; |
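Review bot: The added `srcOrigin === "null"` branch fires for every source URL with an opaque origin, not only the privileged ones the commit message names. `data:` and `javascript:` URLs also serialize their origin as `"null"`, and for those `srcObj.href` is content chosen by whoever built the link, so it should not be treated as an origin-like identity. After this branch `srcOrigin` holds a URL with its path while `destOrigin` is still a plain origin. Any later comparison between the two happens outside this hunk and is worth re-checking. I would gate the fallback on `srcObj.protocol` against the schemes that are meant to count as privileged, and add a comment such as `// opaque origin: identify the source by its URL minus query and fragment`. As a minor style point, `\?` does not need escaping inside the character class, so `/[?#].*/` is equivalent.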