From 3a0c71cf7bd875e76a99214e8eacdbff6d38ab80 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sat, 25 Dec 2021 22:55:53 +0100
Subject: [PATCH] [XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation (thanks @muchtypo for reporting).
---
 src/xss/InjectionChecker.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index e1023e1..4b796b1 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -346,7 +346,7 @@ XSS.InjectionChecker = (async () => {
 _arrayAccessRx: /\s*\[\d+\]/g,
 // inc/dec/self-modifying assignments on DOM props or special properties in object literals via Symbol
- _riskyOperatorsRx: /(?:\+\+|--)\s*(?:\/[*/][\s\S]+)?(?:[$\w]+(?:\/[*/][\s\S]+)?(?:\[|.\D)|location)|(?:\]|\.\D*(?:\/[*/][\s\S]+)?[$\w]+|location)\s*(?:\/[*/][\s\S]+)?(\+\+|--|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)|\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:/,
+ _riskyOperatorsRx: /(?:\+\+|--)\s*(?:\/[*/][\s\S]+)?(?:(?:\$|\w{3,})+(?:\/[*/][\s\S]+)?(?:\[|\.\D)|location)|(?:\]|(?:\$|\w{3,})+(?:\/[*/][\s\S]+)?\.[^]+|location)\s*(?:\/[*/][\s\S]+)?(\+\+|--|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)|\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:/,
 _assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/,
 _badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/,
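Review bot: The identifier group `(?:\$|\w{3,})+` used in both alternatives of the added `_riskyOperatorsRx` line nests an open-ended repeat inside another, so a single run of word characters can be divided between iterations in many ways; when the `\.` or `[` that must follow is absent, a backtracking regex engine may retry each division, and matching time can grow steeply with the length of the run. Whether that is reachable depends on how long the strings tested against this pattern can be, which the hunk does not show. In the second alternative, which is not anchored on the left, `(?:\$|\w{3})` appears to accept the same inputs without the nested repeat. The comment above the pattern could also record why identifiers need three word characters, for example `// identifiers under 3 word chars are skipped to avoid false positives (outbound Twitter navigation)`, so the detection coverage given up is a documented decision. The enclosing object literal starts and ends outside the hunk.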