From 7e3decc8f41cbe76284f4b4d1494ebab42325217 Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 12 Jul 2018 18:58:57 +0200 Subject: [XSS] Fixed anti-HPP coalescing wrongly applied to POST requests causing JSON reduction optimization to choke on big payloads. --- src/xss/InjectionChecker.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js index f7605e5..e908d21 100644 --- a/src/xss/InjectionChecker.js +++ b/src/xss/InjectionChecker.js @@ -183,7 +183,7 @@ XSS.InjectionChecker = (async () => { return this.reduceJSON(s.replace(expr, REPL)); } } catch (e) {} - let iterations = 0; + for (;;) { let prev = s; let start = s.indexOf("{"); @@ -1002,7 +1002,7 @@ XSS.InjectionChecker = (async () => { return true; } - if (s.indexOf("coalesced:") !== 0) { + if (!isPost && s.indexOf("coalesced:") !== 0) { let coalesced = ASPIdiocy.coalesceQuery(s); if (coalesced !== s && this.checkRecursive("coalesced:" + coalesced, depth, isPost)) return true; -- cgit v1.2.3