[XSS] Better specificity of potential fragmented injection through framework syntax detection (thanks Rom623, barbaz et al).

hackademix 2023-09-01 17:10:25 +02:00
parent 93b3d888e3
commit 45f3ebd408
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
1 changed files with 15 additions and 7 deletions


@ -24,6 +24,7 @@ XSS.InjectionChecker = (async () => {
"/nscl/common/Base64.js",
"/nscl/common/AsyncRegExp.js",
"/nscl/common/DebuggableRegExp.js",
"/nscl/common/RegExpCombo.js",
"/nscl/common/Timing.js",
"/xss/ASPIdiocy.js",
"/lib/he.js"]
@ -886,13 +887,20 @@ XSS.InjectionChecker = (async () => {
return false;
},
AttributesChecker: new RegExp(
"(?:\\W|^)(?:javascript:(?:[^]+[=\\\\\\(`\\[\\.<]|[^]*(?:\\bname\\b|\\\\[ux]\\d))|" +
"data:(?:(?:[a-z]\\w+/\\w[\\w+-]+\\w)?[;,]|[^]*;[^]*\\b(?:base64|charset=)|[^]*,[^]*<[^]*\\w[^]*>))|@" +
("import\\W*(?:\\/\\*[^]*)?(?:[\"']|url[^]*\\()" +
"|-moz-binding[^]*:[^]*url[^]*\\(|\\{\\{[^]+\\}\\}")
.replace(/[a-rt-z\-]/g, "\\W*$&"),
"i"),
AttributesChecker: RegExp.combo(
/(?:\W|^)/i, // beginning or after non-space
'(?:',
// executable URLs
/javascript:(?:[^]+[=\\\(`\[\.<]|[^]*(?:\bname\b|\\[ux]\d))/,
/|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[^]*;[^]*\b(?:base64|charset=)|[^]*,[^]*<[^]*\w[^]*>)/,
')|',
// CSS injection
/@import\W*(?:\/\*[^]*)?(?:["']|url[^]*\()|-moz-binding[^]*:[^]*url[^]*\(/
.source.replace(/[@a-rt-z\-]/g, "\\W*$&"), // fuzzify keywords
// potential JS fragmentation in client-side template framework
/|(?:\{\{[^]*\S[^]*}}[^]*){2,}/
),
async checkAttributes(s) {
s = this.reduceDashPlus(s);
if (this._rxCheck("Attributes", s)) return true;
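Review bot: The case-insensitive flag now sits only on the first fragment, `/(?:\W|^)/i`, whereas the removed `new RegExp(..., "i")` covered the whole pattern; unless RegExp.combo (RegExpCombo.js, not in this diff) propagates or unions fragment flags, mixed-case forms such as `JavaScript:`, `DATA:` or `@IMPORT` would no longer be caught by checkAttributes, so a mixed-case input belongs in the tests for this change. The comment on that first fragment is also inaccurate, since `\W` is any non-word character rather than "non-space"; suggest `// at start, or right after a non-word character`. The template-fragmentation alternative repeats `\{\{[^]*\S[^]*}}[^]*` under `{2,}`, which backtracks quadratically on long attribute values containing an unclosed `{{`; that is only a concern if the async regexp timing guard does not already bound the check, which cannot be confirmed from this hunk. The enclosing object literal begins before the hunk and checkAttributes continues past its end.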