Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[XSS] Simplified preemptive name sanitization.

This commit is contained in:
hackademix 2022-02-08 11:01:03 +01:00
parent ab1a5d4942
commit 7aeac83eeb
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/xss/sanitizeName.js
View File

@ -20,10 +20,10 @@
ns.on("capabilities", event => { ns.on("capabilities", event => {
if (ns.allows("script")) { if (ns.allows("script")) {
let name = ns.getWindowName(); let dangerousRx = /[<"'\`(=:]/g;
if (/[<"'\`(=:]/.test(name)) { if (/[<"'\`(=:]/.test(window.name)) {
console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, name, document.URL); console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, window.name, document.URL);
window.name = window.name.substring(0, window.name.length - name.length); window.name = window.name.replace(dangerousRx, '');
} }
} }
}); });