1.24b - XSS detection now accounts for commented out text.
This commit is contained in:
parent
ffa63decdb
commit
71f2ea83b4
|
@ -1,3 +1,8 @@
|
|||
Version 1.24b:
|
||||
--------------
|
||||
|
||||
- XSS detection now accounts for commented out text.
|
||||
|
||||
Version 1.23b:
|
||||
--------------
|
||||
|
||||
|
|
10
analysis.c
10
analysis.c
|
@ -1529,6 +1529,16 @@ void content_checks(struct http_request* req, struct http_response* res) {
|
|||
u32 len = strcspn((char*)++tmp, "> \t\r\n"), space_len;
|
||||
u8 remote_script = 0;
|
||||
|
||||
/* Skip comments where possible. */
|
||||
|
||||
if (!strncmp((char*)tmp, "!--", 3)) {
|
||||
u8* next = (u8*)strstr((char*)tmp + 3, "-->");
|
||||
if (next) {
|
||||
tmp = next + 3;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* Grab tag name. */
|
||||
|
||||
tag_name = ck_memdup(tmp, len + 1);
|
||||
|
|
2
config.h
2
config.h
|
@ -23,7 +23,7 @@
|
|||
#ifndef _HAVE_CONFIG_H
|
||||
#define _HAVE_CONFIG_H
|
||||
|
||||
#define VERSION "1.23b"
|
||||
#define VERSION "1.24b"
|
||||
|
||||
#define USE_COLOR 1 /* Use terminal colors */
|
||||
|
||||
|
|
|
@ -1295,7 +1295,7 @@ u8* new_xss_tag(u8* prefix) {
|
|||
|
||||
if (!scan_id) scan_id = R(999999) + 1;
|
||||
|
||||
sprintf((char*)ret, "%s>\">'>'\"<sfi%06uv%06u>",
|
||||
sprintf((char*)ret, "%s-->\">'>'\"<sfi%06uv%06u>",
|
||||
prefix ? prefix : (u8*)"", cur_xss_id, scan_id);
|
||||
|
||||
return ret;
|
||||
|
|
Loading…
Reference in New Issue