From 28de8bbca533ba1a87a1daafe096e4165ec35039 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 28 Mar 2021 21:58:56 +0200
Subject: [PATCH] [XSS] Increased sensitivity and specificity of risky operator pre-checks.

---
 src/xss/InjectionChecker.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index f8ba0b2..3d6f78c 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -324,7 +324,10 @@ XSS.InjectionChecker = (async () => {
     _removeDotsRx: /^openid\.[\w.-]+(?==)|(?:[?&#\/]|^)[\w.-]+(?=[\/\?&#]|$)|[\w\.]*\.(?:\b[A-Z]+|\w*\d|[a-z][$_])[\w.-]*|=[a-z.-]+\.(?:com|net|org|biz|info|xxx|[a-z]{2})(?:[;&/]|$)/g,
     _removeDots(p) { return p.replace(this._dotRx, '|'); },
     _arrayAccessRx: /\s*\[\d+\]/g,
-    _riskyOperatorsRx: /[+-]{2}\s*(?:\/[*/][\s\S]+)?(?:\w+(?:\/[*/][\s\S]+)?[[.]|location)|(?:\]|\.\s*(?:\/[*/][\s\S]+)?\w+|location)\s*(?:\/[*/][\s\S]+)?([+-]{2}|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)/, // inc/dec/self-modifying assignments on DOM props
+
+    // inc/dec/self-modifying assignments on DOM props or special properties in object literals via Symbol
+    _riskyOperatorsRx: /(?:\+\+|--)\s*(?:\/[*/][\s\S]+)?(?:[$\w]+(?:\/[*/][\s\S]+)?(?:\[|.\D)|location)|(?:\]|\.\D*(?:\/[*/][\s\S]+)?[$\w]+|location)\s*(?:\/[*/][\s\S]+)?(\+\+|--|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)|\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:/,
+
     _assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/,
     _badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/,
     _wikiParensRx: /^(?:[\w.|-]+\/)*\(*[\w\s-]+\([\w\s-]+\)[\w\s-]*\)*$/,
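Review bot: In the new `_riskyOperatorsRx` the member-access tail of the first alternative is written `(?:\[|.\D)` with an unescaped dot, whereas the parallel tails in the same regex (`\.\D*` and `(?:\.\D|\[)`) escape it; as written `.` matches any character, so `++i; ` (increment, semicolon, space) satisfies the pre-check even though no property is accessed, which works against the specificity the commit title claims, and the old pattern's `[[.]` required a literal `[` or `.` there. Presumably the intent is `(?:\[|\.\D)`; worth a regression input such as `++i;x` that must not match and `++i.x` that must. Separately, the new object-literal alternative `\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:` chains four unbounded `[^]*` spans, so on input that contains `{`, `[` and `Symbol` but no later `:` the engine can backtrack polynomially in the input length; if this pre-check runs on attacker-supplied strings before any length cap (I cannot tell from the hunk), a bound or a cheaper guard would be safer. The enclosing `XSS.InjectionChecker` object literal starts and ends outside the hunk.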