From 67974374049980100e72409da21281924989e660 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 24 Jun 2019 22:43:14 +0200 Subject: [XSS] Fixed false positives with parameters named "src". --- src/xss/InjectionChecker.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js index 32d5726..a536aaf 100644 --- a/src/xss/InjectionChecker.js +++ b/src/xss/InjectionChecker.js @@ -302,7 +302,7 @@ XSS.InjectionChecker = (async () => { ')[^]*[\\n,;:|]|\\b(?:' + fuzzify('setter|location|innerHTML|outerHTML') + // eval-like assignments ')\\b[^]*=|' + - '.' + IC_COMMENT_PATTERN + "src" + IC_COMMENT_PATTERN + '=' + + '\\.' + IC_COMMENT_PATTERN + "src" + IC_COMMENT_PATTERN + '=' + IC_EVENT_DOS_PATTERN + "|\\b" + fuzzify("onerror") + "\\b[^]*=" + "|=[s\\\\[ux]?\d{2}" + // escape (unicode/ascii/octal) -- cgit v1.2.3