author | hackademix | 2019-08-02 18:04:51 +0200 |
---|---|---|
committer | hackademix | 2019-08-02 18:04:51 +0200 |
commit | e45dfdcf2f662b6c0d26c00e3bfe56abd3797e5a (patch) | |
tree | 441e55307f9df9b44a492a6a1ab0c3d18c600a02 /src/xss | |
parent | 845b0ee7dd1e90beea9af3d5660613fa19726c43 (diff) | |
[XSS] Fix false positives due to overzealous HTML attribute checking.
Diffstat (limited to 'src/xss')
-rw-r--r-- | src/xss/InjectionChecker.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index 4f8a910..6ab6c65 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -847,11 +847,11 @@ XSS.InjectionChecker = (async () => {
 GlobalsChecker: /https?:\/\/[\S\s]+["'\s\0](?:id|class|data-\w+)[\s\0]*=[\s\0]*("')?\w{3,}(?:[\s\0]|\1|$)|(?:id|class|data-\w+)[\s\0]*=[\s\0]*("')?\w{3,}(?:[\s\0]|\1)[\s\S]*["'\s\0]href[\s\0]*=[\s\0]*(?:"')?https?:\/\//i,
 HTMLChecker: new RegExp("<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:" + // take in account quirks and namespaces
 fuzzify("script|form|style|svg|marquee|(?:link|object|embed|applet|param|i?frame|base|body|meta|ima?ge?|video|audio|bindings|set|isindex|animate|template") +
- ")[^>\\w])|['\"\\s\\0/](?:formaction|style|background|src|lowsrc|ping|innerhtml|data-bind|(?:data-)?mv-(?:\\w+[\\w-]*)|" + IC_EVENT_PATTERN +
+ ")[^>\\w])|['\"\\s\\0/](?:style|innerhtml|data-bind|(?:data-)?mv-(?:\\w+[\\w-]*)|" + IC_EVENT_PATTERN +
 ")[\\s\\0]*=|<%[^]+[=(][^]+%>", "i"),
 async checkHTML(s) {
- let links = s.match(/\b(?:href|src|base|(?:form)?action|\w+-\w+)\s*=\s*(?:(["'])[\s\S]*?\1|(?:[^'">][^>\s]*)?[:?\/#][^>\s]*)/ig);
+ let links = s.match(/\b(?:href|(?:low)?src|base|(?:form)?action|background|ping|\w+-\w+)\s*=\s*(?:(["'])[\s\S]*?\1|(?:[^'">][^>\s]*)?[:?\/#][^>\s]*)/ig);
 if (links) {
 for (let l of links) {
 l = l.replace(/[^=]*=\s*/i, '').replace(/[\u0000-\u001f]/g, ''); |
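Review bot: The attributes moved out of `HTMLChecker` (`src`, `lowsrc`, `background`, `ping`) are now matched in `checkHTML` with `\s*=\s*`, while the removed branch accepted `[\s\0]*` before `=`, and JavaScript's `\s` does not match NUL. The control-character strip on the last visible line runs on the already extracted match, so it does not widen what `s.match` finds. Unless the input is normalised before `checkHTML` is called, which this hunk does not show, I would keep the old tolerance by writing the separator as `[\s\0]*=[\s\0]*` in the `links` pattern. A short comment above `links` saying that URL-bearing attributes are now judged by their value rather than by name would also help the next reader; `checkHTML` continues past the end of the hunk.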