[XSS] Faster invalidCharsRx initialization on Gecko 78 and above.

hackademix · hackademix · commit 25cd549da9d7 · 2022-02-04T00:18:15.000+01:00
diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js
@@ -21,7 +21,7 @@
 if (UA.isMozilla) {
   let y = async (url, originUrl = '') => await XSS.test({originUrl, url, method: "GET"});
   let n = async (...args) => !await y(...args);
-  Promise.all([
+  let xssTest = Promise.all([
       () => y("https://noscript.net/<script"),
       () => n("https://noscript.net/<script", "https://noscript.net/"),
       () => y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"),
@@ -32,25 +32,25 @@ if (UA.isMozilla) {
       () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
       () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
       ].map(t => Test.run(t))
-    ).then(() => Test.report());
+    );
 
     let invalidCharsTest =  async () => {
 
       await include("xss/InjectionChecker.js");
       let IC = await XSS.InjectionChecker;
       let rx = new IC().invalidCharsRx;
-
+      console.log("Testing invalidCharsRx", rx);
       let x = n => '\\u' + ("0000" + n.toString(16)).slice(-4);
       function check(ch) {
-       eval(`{let _${ch}_}`);
+       Function(`let _${ch}_`);
       }
       let cur = 0x7e;
       let fail = false;
-      while (cur++ < 0xffff) {
+      while (cur++ < 0xffff && !fail) {
         let ch = String.fromCharCode(cur);
         try {
           check(ch);
-          if (tx.test(ch)) {
+          if (rx.test(ch)) {
             console.error(x(cur) + " should not test invalid!");
             fail = true;
           }
@@ -64,6 +64,10 @@ if (UA.isMozilla) {
       }
       return !fail;
     };
-
-    Test.run(invalidCharsTest, "InjectionChecker.invalidCharsRx").then(Test.report());
+    (async () => {
+      await xssTest;
+      Test.report();
+      await Test.run(invalidCharsTest, "InjectionChecker.invalidCharsRx");
+      Test.report();
+    })();
 }
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
@@ -526,7 +526,15 @@ XSS.InjectionChecker = (async () => {
     },
 
     get invalidCharsRx() {
-      let value = new RegExp("^[^\"'`/<>]*[" + this._createInvalidRanges() + "]");
+      let preamble = "^[^\"'`/<>]*";
+      let value;
+      try {
+        // see https://mathiasbynens.be/notes/javascript-identifiers-es6#acceptable-unicode-symbols
+        value = new RegExp(preamble + "[^$_\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
+      } catch (e) {
+        // Unicode entities are not supported in Gecko <= 77
+        value = new RegExp(preamble + `[${this._createInvalidRanges()}]`, "u");
+      }
       Object.defineProperty(Object.getPrototypeOf(this), 'invalidCharsRx', {value});
       return value;
     },
