Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[XSS] Fix for old pre-screening optimization exploitable to bypass the filter in recent browsers (thanks Tsubasa FUJII for reporting).

This commit is contained in:
hackademix 2021-01-07 00:58:09 +01:00
parent 404869418c
commit 5499f5fe01
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/xss/InjectionChecker.js
View File

@ -345,7 +345,7 @@ XSS.InjectionChecker = (async () => {
.replace(this._arrayAccessRx, '_ARRAY_ACCESS_')
.replace(/<([\w:]+)>[^</(="'`]+<\/\1>/g, '<$1/>') // reduce XML text nodes
.replace(/<!--/g, '') // remove HTML comments preamble (see next line)
.replace(/(^(?:[^/]*[=;.+-])?)\s*[\[(]+/g, '$1') // remove leading parens and braces
.replace(/(^(?:[^/?]*[=;.+-])?)\s*[\[(]+/g, '$1') // remove leading parens and braces
.replace(this._openIdRx, '_OPENID_SCOPE_=XYZ')
.replace(/^[^=]*OPENid\.(\w+)=/gi, "OPENid_\1")
.replace(this._gmxRx, '_GMX_-_GMX_');