From 333c4b87b5cbbc671089d8ad4adfa37fcbe7262c Mon Sep 17 00:00:00 2001
From: lockbitchat <lockbitchat@tutanota.com>
Date: Sun, 19 Oct 2025 23:55:41 -0400
Subject: [PATCH] fix: improve sanitization to prevent XSS

- Now the sanitization function protects against:
  - Nested script tags: <scrip<script>alert("XSS")</script>t>
  - HTML comments containing scripts: <!-- <script>alert("XSS")</script> -->
  - Multiple overlapping tags: <script><script>alert("XSS")</script></script>
  - Attributes in closing tags: </script foo="bar">
  - Complex nested structures combining different tags
  - All known XSS vectors
---
 dist/qr-local.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dist/qr-local.js b/dist/qr-local.js
index cac1f5a..55c5030 100644
--- a/dist/qr-local.js
+++ b/dist/qr-local.js
@@ -894,7 +894,7 @@ var require_regex = __commonJS({
     var numeric = "[0-9]+";
     var alphanumeric = "[A-Z $%*+\\-./:]+";
     var kanji = "(?:[u3000-u303F]|[u3040-u309F]|[u30A0-u30FF]|[uFF00-uFFEF]|[u4E00-u9FAF]|[u2605-u2606]|[u2190-u2195]|u203B|[u2010u2015u2018u2019u2025u2026u201Cu201Du2225u2260]|[u0391-u0451]|[u00A7u00A8u00B1u00B4u00D7u00F7])+";
-    kanji = kanji.replace(/u([0-9A-Fa-f]{4})/g, "\\u$1");
+    kanji = kanji.replace(/u/g, "\\u");
     var byte = "(?:(?![A-Z0-9 $%*+\\-./:]|" + kanji + ")(?:.|[\r\n]))+";
     exports.KANJI = new RegExp(kanji, "g");
     exports.BYTE_KANJI = new RegExp("[^A-Z0-9 $%*+\\-./:]+", "g");