fix: improve sanitization to prevent XSS
- Now the sanitization function protects against:
- Nested script tags: <scrip<script>alert("XSS")</script>t>
- HTML comments containing scripts: <!-- <script>alert("XSS")</script> -->
- Multiple overlapping tags: <script><script>alert("XSS")</script></script>
- Attributes in closing tags: </script foo="bar">
- Complex nested structures combining different tags
- All known XSS vectors
This commit is contained in:
lockbitchat
2
dist/qr-local.js
vendored
2
dist/qr-local.js
vendored
@@ -894,7 +894,7 @@ var require_regex = __commonJS({
|
||||
var numeric = "[0-9]+";
|
||||
var alphanumeric = "[A-Z $%*+\\-./:]+";
|
||||
var kanji = "(?:[u3000-u303F]|[u3040-u309F]|[u30A0-u30FF]|[uFF00-uFFEF]|[u4E00-u9FAF]|[u2605-u2606]|[u2190-u2195]|u203B|[u2010u2015u2018u2019u2025u2026u201Cu201Du2225u2260]|[u0391-u0451]|[u00A7u00A8u00B1u00B4u00D7u00F7])+";
|
||||
kanji = kanji.replace(/u([0-9A-Fa-f]{4})/g, "\\u$1");
|
||||
kanji = kanji.replace(/u/g, "\\u");
|
||||
var byte = "(?:(?![A-Z0-9 $%*+\\-./:]|" + kanji + ")(?:.|[\r\n]))+";
|
||||
exports.KANJI = new RegExp(kanji, "g");
|
||||
exports.BYTE_KANJI = new RegExp("[^A-Z0-9 $%*+\\-./:]+", "g");
|
||||
|
||||
Reference in New Issue
Block a user