[XSS] Fix harmless dots in URLs not being replaced
InjectionChecker._removeDots was called with this bound to globalThis instead of InjectionChecker, causing the dot-replace intended to reduce false positives to not work properly:
_removeDots(p) {
  // this === [object DedicatedWorkerGlobalScope]
  // this._dotRx === undefined
  return p.replace(this._dotRx, '|');
},
...
expr.replace(this._removeDotsRx, this._removeDots)
Fixes #415 at least.
I considered doing simply
-expr.replace(this._removeDotsRx, this._removeDots)
+expr.replace(this._removeDotsRx, (p) => p.replace(this._dotRx, '|'))
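Review bot: on the + line the arrow function is created once per call of expr.replace, not once per match, so the cost compared with a shared function is a single closure allocation per expression. It also reads this._dotRx lexically, which is the property the description reports as undefined inside _removeDots. If the shared _removeDots is kept instead, the call site on the - line still has to pass it with this set to InjectionChecker, and a short comment there saying why would help keep the unbound form from returning.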
but presumably there might be some performance benefit from defining a function only once.
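Added example, not part of the PR or NoScript's code: a stand-alone reproduction of the lost `this` described above, with the unbound call site next to two call sites that keep the receiver. The `checker` object, the `outcome` helper, the sample string and both regexes are constructed stand-ins, since the page does not show the real `_dotRx` or `_removeDotsRx`.

```javascript
// Constructed stand-in for InjectionChecker; the regexes are assumptions.
const checker = {
  _dotRx: /\./g,
  _removeDotsRx: /\bhttps?:\/\/[\w.-]+/g, // constructed: scheme plus host
  _removeDots(p) {
    // `this` is whatever the caller supplies, not necessarily `checker`.
    return p.replace(this._dotRx, '|');
  },
  // Call site as quoted in the description: the method is passed unbound,
  // so String.prototype.replace invokes it without a receiver.
  unbound(expr) {
    return expr.replace(this._removeDotsRx, this._removeDots);
  },
  // Alternative from the description: the arrow function keeps lexical `this`.
  arrow(expr) {
    return expr.replace(this._removeDotsRx, (p) => p.replace(this._dotRx, '|'));
  },
  // Reuses _removeDots but fixes its receiver before handing it over.
  bound(expr) {
    return expr.replace(this._removeDotsRx, this._removeDots.bind(this));
  },
};

// Runs one call site and reports either the rewritten string or the error
// type. In sloppy code (as on the page) the unbound callback sees
// globalThis, `this._dotRx` is undefined and the input comes back unchanged;
// in strict or module code `this` is undefined and a TypeError is thrown.
function outcome(fn, expr) {
  try {
    return fn.call(checker, expr);
  } catch (e) {
    return e.constructor.name;
  }
}

const sample = 'x=http://a.example.com/p'; // constructed input

for (const name of ['unbound', 'arrow', 'bound']) {
  console.log(name.padEnd(8), outcome(checker[name], sample));
}
```

The silent variant is the one that matters for a filter: nothing throws, the dots simply stay in place and the false-positive reduction never happens.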