False positive on < 1 year
Closed this issue · 3 comments
mathiasselleslach commented
Similar to #78
We have discovered that it generates a false positive hit on < 1 year
When looking into the code, we believe that this might be a fix to the problem:
AntiXSS.php:1464
Change from
'#<(?!!--|!\[)((?<start>/*\s*)((?<tagName>[\p{L}:]+)(?=[^\p{L}]|$|)|.+)[^\s"\'\p{L}>/=]*[^>]*)(?<closeTag>>)?#iusS'
to
'#<(?!!--|!\[)((?<start>/*\s*)((?<tagName>[\p{L}:]+)(?=[^\p{L}]|$|)|.+)[^\s"\'\p{L}>/=]*[^>]*)(?<closeTag>>)#iusS'
Removed the last ?
Not sure if this opens up any other attack vectors though.
voku commented
Can you please try it:
- fork it on github
- apply the changes
- commit & push
- pull request on github
=> then the github action will test your changes and we will see if one of the tests will fail 🐛
mathiasselleslach commented
PR made.
Seems to be timing out on scrutinizer though
voku commented
fixed in version 4.1.34