voku/anti-xss

False positive "Behavior:"

attrib opened this issue · 0 comments

attrib commented

What is this feature about (expected vs actual behaviour)?

A false positive detection of an XSS.

How can I reproduce it?

Input: a research paper Behavior: subtitle

Actual: a research paper

Expected: a research paper Behavior: subtitle (no change to input)

Does it take minutes, hours or days to fix?

Any additional information?

Relates to https://html5sec.org/#behavior (AntiXSS::$_never_allowed_call_strings)

Workaround: $antiXss->removeNeverAllowedCallStrings(['behavior']);
If I understand html5sec correctly, this can be safely done if IE <= 8 are not supported?
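The workaround from the report, written out as an added example (this is not code from the issue or from the voku/anti-xss project itself). It assumes the library's `voku\helper\AntiXSS` class with its `xss_clean()` and `isXssFound()` methods and the `removeNeverAllowedCallStrings()` call named in the issue; the sample input is the one from the report. The second filter instance keeps the default list, so the same input can be compared with and without the relaxed setting.

```php
<?php
// Added example: relaxing the "behavior" never-allowed string in voku/anti-xss.
// Assumes: composer autoload, class voku\helper\AntiXSS with xss_clean(),
// isXssFound() and removeNeverAllowedCallStrings() (the last one is named in the issue).
require __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

// Input from the issue report (constructed sample, harmless text).
$input = 'a research paper Behavior: subtitle';

// 1) Default configuration: "behavior" is in $_never_allowed_call_strings,
//    so the text after it is stripped (the false positive being reported).
$strict = new AntiXSS();
$strictOut = $strict->xss_clean($input);
var_dump($strictOut, $strict->isXssFound());

// 2) Workaround from the issue: drop "behavior" from the never-allowed list.
//    Caveat: the CSS "behavior" property only binds HTCs in legacy IE (<= 8 per
//    html5sec.org), so only relax this where such clients are out of scope.
$relaxed = new AntiXSS();
$relaxed->removeNeverAllowedCallStrings(['behavior']);
$relaxedOut = $relaxed->xss_clean($input);
var_dump($relaxedOut, $relaxed->isXssFound());

// Assumption: with the relaxed list the plain-text input is left unchanged.
assert($relaxedOut === $input);
```

Keep the relaxed instance scoped to the fields that need it (for example plain-text titles) rather than replacing the application-wide default, so the stricter filter still applies wherever HTML or CSS from users is rendered.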