From 3d1adba67ad2e8ce2de655f85dd968221cc67316 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sat, 25 Dec 2021 22:54:04 +0100
Subject: [PATCH] [XSS] Better logging for JS fragment detection.
---
 src/xss/InjectionChecker.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index 4226ded..e1023e1 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -484,8 +484,12 @@ XSS.InjectionChecker = (async () => {
 var m = fn.toString().match(/\{([\s\S]*)\}/);
 if (!m) return false;
 var expr = this.stripLiteralsAndComments(m[1]);
- return /=[\s\S]*cookie|\b(?:setter|document|location|(?:inn|out)erHTML|\.\W*src)[\s\S]*=|[\w$\u0080-\uffff\)\]]\s*[\[\(]/.test(expr) ||
+ let ret = /=[\s\S]*cookie|\b(?:setter|document|location|(?:inn|out)erHTML|\.\W*src)[\s\S]*=|[\w$\u0080-\uffff\)\]]\s*[\[\(]/.test(expr) ||
 this.maybeJS(expr);
+ if (ret) {
+ this.escalate(`${expr} has been flagged as dangerous JS (${RegExp.lastMatch})`);
+ }
+ return ret;
 },

 _createInvalidRanges: function() {
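Review bot: `RegExp.lastMatch` in the new `this.escalate(...)` message is the legacy static that holds whichever regex matched last, so it is only reliable when the inline `.test(expr)` is what succeeded. When that test fails and `this.maybeJS(expr)` returns true, the logged fragment comes from some regex inside maybeJS (not visible in this hunk) and may not be the pattern that triggered the flag, which can mislead triage. Capturing the match explicitly would make the log dependable: hoist the pattern into a constant, use `let hit = PATTERN.exec(expr);` and log `hit ? hit[0] : "maybeJS"`. The message also interpolates all of `expr`, which is derived from the input under inspection and has no length bound here; logging `expr.slice(0, 200)` would keep an oversized payload from flooding the log. The enclosing method starts above this hunk, so the origin of `fn` cannot be confirmed from here.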