[XSS] Fix false positive on Microsoft authentication (thanks GrK and Hanna_Payne for reporting).

hackademix · hackademix · commit 962cfda0b700 · 2022-01-30T00:34:14.000+01:00
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
@@ -886,7 +886,7 @@ XSS.InjectionChecker = (async () => {
           l = l.replace(/[^=]*=\s*/i, '').replace(/[\u0000-\u001f]/g, '');
           l = /^["']/.test(l) ? l.replace(/^(['"])([^]*?)\1[^]*/g, '$2') : l.replace(/[\s>][^]*/, '');
 
-          if (/^(?:javascript|data):|\[[^]+\]/i.test(l) || /[<'"(]/.test(unescape(l)) && await this.checkUrl(l)) return true;
+          if (/^(?:javascript|data):/i.test(l) || /[<'"([]/.test(unescape(l)) && await this.checkUrl(l)) return true;
         }
       }
       return this._rxCheck("HTML", s) || this._rxCheck("Globals", s);

Original file line number	Diff line number	Diff line change
`@@ -886,7 +886,7 @@ XSS.InjectionChecker = (async () => {`
`886`	`886`	`l = l.replace(/[^=]=\s/i, '').replace(/[\u0000-\u001f]/g, '');`
`887`	`887`	`l = /^["']/.test(l) ? l.replace(/^(['"])([^]?)\1[^]/g, '$2') : l.replace(/[\s>][^]*/, '');`
`888`	`888`
`889`		`- if (/^(?:javascript\|data):\|\[[^]+\]/i.test(l) \|\| /[<'"(]/.test(unescape(l)) && await this.checkUrl(l)) return true;`
	`889`	`+ if (/^(?:javascript\|data):/i.test(l) \|\| /[<'"([]/.test(unescape(l)) && await this.checkUrl(l)) return true;`
`890`	`890`	`}`
`891`	`891`	`}`
`892`	`892`	`return this._rxCheck("HTML", s) \|\| this._rxCheck("Globals", s);`