From 2a30b265f1b586aed0de9d703e90cfebaccac1fd Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sat, 6 Aug 2022 17:15:31 +0200
Subject: [PATCH] [XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting).
---
 src/test/XSS_test.js | 2 ++
 src/xss/InjectionChecker.js | 13 +++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js
index e909ff4..fbefe1e 100644
--- a/src/test/XSS_test.js
+++ b/src/test/XSS_test.js
@@ -31,6 +31,8 @@ if (UA.isMozilla) {
 () => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
 () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
 () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
+ () => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=alert(document.cookie)//<"),
+ () => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=/**🚫*/alert(document.cookie)"),
 ].map(t => Test.run(t))
 );
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index db364de..1524ff1 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -530,7 +530,7 @@ XSS.InjectionChecker = (async () => {
 let value;
 try {
 // see https://mathiasbynens.be/notes/javascript-identifiers-es6#acceptable-unicode-symbols
- value = new RegExp(preamble + "[^$_\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
+ value = new RegExp(preamble + "[^\\x00-\\x7E\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
 } catch (e) {
 // Unicode entities are not supported in Gecko <= 77
 value = new RegExp(preamble + `[${this._createInvalidRanges()}]`, "u");
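Review bot: The fallback regex on the catch path (`[${this._createInvalidRanges()}]`, used when Unicode property escapes are unsupported, per the "Gecko <= 77" comment) is not touched by this hunk, so if `_createInvalidRanges()` still mirrors the removed `$_`-only exclusion, the false negative this commit fixes would persist on that path; worth confirming the helper also excludes the ASCII range. The new character class stops at `\x7E`, so DEL (`\x7F`) is still classified as an invalid character — presumably intended, but a one-line comment would make the boundary explicit, e.g. `// all ASCII up to '~' is treated as potential JS syntax; only non-ASCII, non-identifier characters count as invalid`. The try/catch sits inside a definition that begins and ends outside the hunk.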
@@ -665,13 +665,14 @@ XSS.InjectionChecker = (async () => {
 lastExpr = expr;
- if (invalidCharsRx && invalidCharsRx.test(expr)) {
- this.log("Quick skipping invalid chars");
- break;
+ if (invalidCharsRx) {
+ let m = invalidCharsRx.test(expr);
+ if (m) {
+ this.log(`Quick skipping invalid chars on ${expr}, (${JSON.stringify(m)}).`);
+ break;
+ }
 }
-
-
 if (quote) {
 if (this.checkNonTrivialJSSyntax(expr)) {
 this.log("Non-trivial JS inside quoted string detected", iterations);
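Review bot: `invalidCharsRx.test(expr)` on the new `let m` line returns a boolean, so `JSON.stringify(m)` in the log message can only ever print `true`, which defeats the apparent purpose of reporting which character triggered the quick skip. If the intent is to show the offending character, use `exec` instead: `const m = invalidCharsRx.exec(expr);` and log `JSON.stringify(m[0])`; the `if (m)` guard and the `break` keep working unchanged since `exec` returns `null` on no match. `const` is also preferable to `let` here, as `m` is never reassigned. The loop and method enclosing this hunk start and end outside it.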