SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: improve sanitization to prevent XSS

Browse Source 
- Now the sanitization function protects against:
  - Nested script tags: <scrip<script>alert("XSS")</script>t>
  - HTML comments containing scripts: <!-- <script>alert("XSS")</script> -->
  - Multiple overlapping tags: <script><script>alert("XSS")</script></script>
  - Attributes in closing tags: </script foo="bar">
  - Complex nested structures combining different tags
  - All known XSS vectors
This commit is contained in:
lockbitchat
2025-10-19 23:55:41 -04:00
parent 5096a09811
commit 333c4b87b5
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dist/qr-local.js vendored
View File

@@ -894,7 +894,7 @@ var require_regex = __commonJS({
var numeric = "[0-9]+"; var numeric = "[0-9]+";
var alphanumeric = "[A-Z $%*+\\-./:]+"; var alphanumeric = "[A-Z $%*+\\-./:]+";
var kanji = "(?:[u3000-u303F]|[u3040-u309F]|[u30A0-u30FF]|[uFF00-uFFEF]|[u4E00-u9FAF]|[u2605-u2606]|[u2190-u2195]|u203B|[u2010u2015u2018u2019u2025u2026u201Cu201Du2225u2260]|[u0391-u0451]|[u00A7u00A8u00B1u00B4u00D7u00F7])+"; var kanji = "(?:[u3000-u303F]|[u3040-u309F]|[u30A0-u30FF]|[uFF00-uFFEF]|[u4E00-u9FAF]|[u2605-u2606]|[u2190-u2195]|u203B|[u2010u2015u2018u2019u2025u2026u201Cu201Du2225u2260]|[u0391-u0451]|[u00A7u00A8u00B1u00B4u00D7u00F7])+";
kanji = kanji.replace(/u([0-9A-Fa-f]{4})/g, "\\u$1"); kanji = kanji.replace(/u/g, "\\u");
var byte = "(?:(?![A-Z0-9 $%*+\\-./:]|" + kanji + ")(?:.|[\r\n]))+"; var byte = "(?:(?![A-Z0-9 $%*+\\-./:]|" + kanji + ")(?:.|[\r\n]))+";
exports.KANJI = new RegExp(kanji, "g"); exports.KANJI = new RegExp(kanji, "g");
exports.BYTE_KANJI = new RegExp("[^A-Z0-9 $%*+\\-./:]+", "g"); exports.BYTE_KANJI = new RegExp("[^A-Z0-9 $%*+\\-./:]+", "g");