From 1bd6061414cbf3062e3df188f38ccc189f973cfc Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 16 Jul 2023 17:57:07 +0200
Subject: [PATCH] [XSS] Make InjectionChecker's regular expressions easier to debug.

---
 src/nscl | 2 +-
 src/xss/InjectionCheckWorker.js | 4 ++--
 src/xss/InjectionChecker.js | 13 +++++++++++++
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/nscl b/src/nscl
index d9e7b86..fd083f7 160000
--- a/src/nscl
+++ b/src/nscl
@@ -1 +1 @@
-Subproject commit d9e7b863e0d33d4f3636c17ba5ce263ad08d2bb2
+Subproject commit fd083f7200cf9357fc2e907b9609fe8103982c9a
diff --git a/src/xss/InjectionCheckWorker.js b/src/xss/InjectionCheckWorker.js
index 6e5a369..3b04df0 100644
--- a/src/xss/InjectionCheckWorker.js
+++ b/src/xss/InjectionCheckWorker.js
@@ -47,7 +47,7 @@ include("InjectionChecker.js");
 let ic = new (await XSS.InjectionChecker)();
 if (debugging) {
- ic.logEnabled = true;
+ ic.debugging = true;
 debug("[XSS] InjectionCheckWorker started in %s ms (%s).",
 Date.now() - xssReq.timestamp, destUrl);
 } else {
@@ -91,7 +91,7 @@ include("InjectionChecker.js");
 if (msg.handler in Handlers) try {
 await Handlers[msg.handler](msg);
 } catch (e) {
- postMessage({error: e.message});
+ postMessage({error: `${e.message}\n${e.stack}`});
 }
 }
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index bbca9dc..1bdcb75 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -22,6 +22,7 @@ XSS.InjectionChecker = (async () => {
 await include([
 "/nscl/common/SyntaxChecker.js",
 "/nscl/common/Base64.js",
+ "/nscl/common/DebuggableRegExp.js",
 "/nscl/common/Timing.js",
 "/xss/FlashIdiocy.js",
 "/xss/ASPIdiocy.js",
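Review bot: In src/xss/InjectionCheckWorker.js (hunk at -91,7) the catch block now appends `e.stack` to every error message unconditionally, while the rest of this commit enables extra diagnostics only when `debugging` is set. If the code receiving this message logs or displays `error`, stack traces with internal script paths will also appear there in normal operation; the receiver is outside the hunk, so this needs confirming. A thrown value that is not an Error would produce the text "undefined" twice, so a guard such as ``postMessage({error: e instanceof Error ? `${e.message}\n${e.stack}` : String(e)});`` keeps the report meaningful. The enclosing message handler starts outside the hunk.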
@@ -83,6 +84,18 @@ XSS.InjectionChecker = (async () => {
 this.log = v ? this._log : function() {};
 },
+ _debugging: false,
+ get debugging() {
+ return this._debugging;
+ },
+ set debugging(b) {
+ this.logEnabled = b;
+ for (const rx of ["_maybeJSRx", "_riskyOperatorsRx"]) {
+ if (this[rx].originalRx) this[rx] = this[rx].originalRx;
+ if (b) this[rx] = new DebuggableRegExp(this[rx]);
+ }
+ },
+
 escalate: function(msg) {
 this.log(msg);
 log("[InjectionChecker] ", msg);
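Review bot: The `debugging` setter never assigns `this._debugging`, so the getter added just above it still returns `false` after `ic.debugging = true`; add `this._debugging = !!b;` as the first statement of the setter. The loop also reads `this[rx].originalRx` without checking that `_maybeJSRx` and `_riskyOperatorsRx` exist on the instance. Their definitions are outside this hunk, so confirm they are plain properties that are always set before the setter can run. Because these two expressions decide what the XSS filter flags, a short comment on the loop stating that `DebuggableRegExp` is expected to match exactly like the wrapped native RegExp would help anyone comparing debug and production results. The enclosing object literal and `escalate` continue outside the hunk.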