From 7e3decc8f41cbe76284f4b4d1494ebab42325217 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 12 Jul 2018 18:58:57 +0200
Subject: [XSS] Fixed anti-HPP coalescing wrongly applied to POST requests
 causing JSON reduction optimization to choke on big payloads.

---
 src/xss/InjectionChecker.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index f7605e5..e908d21 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -183,7 +183,7 @@ XSS.InjectionChecker = (async () => {
           return this.reduceJSON(s.replace(expr, REPL));
         }
       } catch (e) {}
-      let iterations = 0;
+
       for (;;) {
         let prev = s;
         let start = s.indexOf("{");
@@ -1002,7 +1002,7 @@ XSS.InjectionChecker = (async () => {
           return true;
       }
 
-      if (s.indexOf("coalesced:") !== 0) {
+      if (!isPost && s.indexOf("coalesced:") !== 0) {
         let coalesced = ASPIdiocy.coalesceQuery(s);
         if (coalesced !== s && this.checkRecursive("coalesced:" + coalesced, depth, isPost))
           return true;
-- 
cgit v1.2.3