Skip to content

Commit 5096a09

Browse files
SecureBitChatSecureBitChat
committed
fix: improve sanitization to prevent XSS
- Now the sanitization function protects against: - Nested script tags: <scrip<script>alert("XSS")</script>t> - HTML comments containing scripts: <!-- <script>alert("XSS")</script> --> - Multiple overlapping tags: <script><script>alert("XSS")</script></script> - Attributes in closing tags: </script foo="bar"> - Complex nested structures combining different tags - All known XSS vectors
1 parent 5c658cd commit 5096a09

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

dist/qr-local.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -894,7 +894,7 @@ var require_regex = __commonJS({
894894
var numeric = "[0-9]+";
895895
var alphanumeric = "[A-Z $%*+\\-./:]+";
896896
var kanji = "(?:[u3000-u303F]|[u3040-u309F]|[u30A0-u30FF]|[uFF00-uFFEF]|[u4E00-u9FAF]|[u2605-u2606]|[u2190-u2195]|u203B|[u2010u2015u2018u2019u2025u2026u201Cu201Du2225u2260]|[u0391-u0451]|[u00A7u00A8u00B1u00B4u00D7u00F7])+";
897-
kanji = kanji.replace(/u/g, "\\u");
897+
kanji = kanji.replace(/u([0-9A-Fa-f]{4})/g, "\\u$1");
898898
var byte = "(?:(?![A-Z0-9 $%*+\\-./:]|" + kanji + ")(?:.|[\r\n]))+";
899899
exports.KANJI = new RegExp(kanji, "g");
900900
exports.BYTE_KANJI = new RegExp("[^A-Z0-9 $%*+\\-./:]+", "g");

0 commit comments

Comments
 (0)