Skip to content

[XSS] Fix harmless dots in URLs not being replaced#484

Open
pettinen wants to merge 1 commit intohackademix:mainfrom
pettinen:fix-415
Open

[XSS] Fix harmless dots in URLs not being replaced#484
pettinen wants to merge 1 commit intohackademix:mainfrom
pettinen:fix-415

Conversation

@pettinen
Copy link

@pettinen pettinen commented Nov 9, 2025

InjectionChecker._removeDots was called with this bound to globalThis instead of InjectionChecker, causing the dot-replace intended to reduce false positives to not work properly:

_removeDots(p) {
  // this === [object DedicatedWorkerGlobalScope]
  // this._dotRx === undefined
  return p.replace(this._dotRx, '|');
},
...
expr.replace(this._removeDotsRx, this._removeDots)

Fixes #415 at least.

I considered doing simply

-expr.replace(this._removeDotsRx, this._removeDots)
+expr.replace(this._removeDotsRx, (p) => p.replace(this._dotRx, '|'))

but presumably there might be some performance benefit from defining a function only once.

@pettinen
[XSS] Fix harmless dots in URLs not being replaced
d38a067 
`InjectionChecker._removeDots` was called with `this` bound to
`globalThis` instead of `InjectionChecker`, causing the dot-replacing
intended to reduce false positives to not work properly.

Fixes hackademix#415.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Warning against Beethoven Wikipedia page

1 participant

@pettinen