[XSS] Fixed memoization bug resulting in performance degradation on some payloads.

hackademix 2021-01-15 17:32:30 +01:00
parent 10e02b41ed
commit 3753e8184a
1 changed files with 7 additions and 6 deletions


@ -115,8 +115,8 @@ XSS.InjectionChecker = (async () => {
// special treatment for quotes
bs[c] = new RegExp("[" + def + c + "]");
}
delete this.breakStops;
return (this.breakStops = bs);
Object.defineProperty(Object.getPrototypeOf(this), 'breakStops', {value: bs});
return bs;
},
collapseChars: (s) => s.replace(/\;+/g, ';').replace(/\/{4,}/g, '////')
@ -283,7 +283,7 @@ XSS.InjectionChecker = (async () => {
+fuzzify('source|toString') + ")|\\[)|" + IC_EVENT_DOS_PATTERN
),
_riskyAssignmentRx: new RegExp(
"\\b(?:" + fuzzify('location|innerHTML|outerHTML') + ")\\b[^]*="
"(?:^|[^&])\\b(?:" + fuzzify('location|innerHTML|outerHTML') + ")\\b[^]*="
),
_nameRx: new RegExp(
"=[^]*\\b" + fuzzify('name') + "\\b|" +
@ -301,7 +301,7 @@ XSS.InjectionChecker = (async () => {
')|(?:^|\\W)(?:' + IC_EVAL_PATTERN +
')(?:\\W+[^]*|)[(`]|(?:[=(]|\\{[^]+:)[^]*(?:' + // calling eval-like functions directly or...
IC_EVAL_PATTERN + // ... assigning them to another function possibly called by the victim later
')[^]*[\\n,;:|]|\\b(?:' +
')[^]*[\\n,;:|]|(?:^|[^&])\\b(?:' +
fuzzify('setter|location|innerHTML|outerHTML') + // eval-like assignments
')\\b[^]*=|' +
'\\.' + IC_COMMENT_PATTERN + "src" + IC_COMMENT_PATTERN + '=' +
@ -498,8 +498,9 @@ XSS.InjectionChecker = (async () => {
},
get invalidCharsRx() {
delete this.invalidCharsRx;
return this.invalidCharsRx = new RegExp("^[^\"'`/<>]*[" + this._createInvalidRanges() + "]");
let value = new RegExp("^[^\"'`/<>]*[" + this._createInvalidRanges() + "]");
Object.defineProperty(Object.getPrototypeOf(this), 'invalidCharsRx', {value});
return value;
},
async checkJSBreak(s) {
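Review bot: The `(?:^|[^&])` prefix added in front of `\\b(?:location|innerHTML|outerHTML)` in `_riskyAssignmentRx`, and again before the `setter|location|innerHTML|outerHTML` alternative in the third hunk, narrows what the injection checker flags, yet nothing in the code or in the commit title (which only mentions memoization) says why. A name directly preceded by `&` no longer matches either pattern, so the exclusion should be documented next to both regexes, for example `// names right after '&' are skipped: treated as query-string parameter names (&location=...)`, if that is the intent. Because the same prefix is now spelled out in two places, a shared constant alongside the existing `IC_*_PATTERN` ones would keep the two from drifting apart, and a regression test pinning both the excluded form and a still-flagged assignment would guard against loosening the filter further by accident. Both regexes sit in an object literal that starts and ends outside the hunks shown.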