Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation (thanks @muchtypo for reporting).

This commit is contained in:
hackademix 2021-12-25 22:55:53 +01:00
parent 3d1adba67a
commit 3a0c71cf7b
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/xss/InjectionChecker.js
View File

@ -346,7 +346,7 @@ XSS.InjectionChecker = (async () => {
_arrayAccessRx: /\s*\[\d+\]/g,
// inc/dec/self-modifying assignments on DOM props or special properties in object literals via Symbol
_riskyOperatorsRx: /(?:\+\+|--)\s*(?:\/[*/][\s\S]+)?(?:[$\w]+(?:\/[*/][\s\S]+)?(?:\[|.\D)|location)|(?:\]|\.\D*(?:\/[*/][\s\S]+)?[$\w]+|location)\s*(?:\/[*/][\s\S]+)?(\+\+|--|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)|\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:/,
_riskyOperatorsRx: /(?:\+\+|--)\s*(?:\/[*/][\s\S]+)?(?:(?:\$|\w{3,})+(?:\/[*/][\s\S]+)?(?:\[|\.\D)|location)|(?:\]|(?:\$|\w{3,})+(?:\/[*/][\s\S]+)?\.[^]+|location)\s*(?:\/[*/][\s\S]+)?(\+\+|--|[+*\/<>~-]+\s*(?:\/[*/][\s\S]+)?=)|\{[^]*\[[^]*Symbol[^]*(?:\.\D|\[)[^]*:/,
_assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/,
_badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/,