8000 Add functions to cover one half, the not encoded part, of issue 2512 by franbuehler · Pull Request #2521 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add functions to cover one half, the not encoded part, of issue 2512 #2521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add functions to cover one half, the not encoded part, of issue 2512 #2521

wants to merge 1 commit into from

Conversation

franbuehler
Copy link
Contributor
@franbuehler franbuehler commented May 1, 2022
edited
Loading

This PR tries to cover one half of issue #2512, the not Unicode encoded part, by adding some functions that were used in the bypass.
This PR only covers the reported functions, but maybe we should have a look at other document properties and not only document.domain (https://developer.mozilla.org/en-US/docs/Web/API/Document/domain).
And the same for atob(), btoa() and alert() (https://www.w3schools.com/jsref/obj_window.asp) -> I chose the PHP file because they have been mentioned together with eval() and the enhancement of this existing file was simple and quick. But maybe we should add a separate rule with Javascript functions instead of adding them to the existing PHP file?

Nevertheless, I'm pushing this PR now, also as a concrete basis for discussion. We can still make changes.

Next, we also need a PR to cover the Unicode part of the reported bypass. I'll have a look at this too.

@franbuehler franbuehler changed the title Add functions to cover one half, the not encoded part, of issue 2509 Add functions to cover one half, the not encoded part, of issue 2512 May 1, 2022
@dune73 dune73 mentioned this pull request May 2, 2022
Closed
@franbuehler franbuehler changed the base branch from v4.0/dev to v4.1/dev May 2, 2022 18:46
@lifeforms lifeforms deleted the branch coreruleset:v4.1/dev May 15, 2022 16:05
@lifeforms lifeforms closed this May 15, 2022
@lifeforms
Copy link
Member

@franbuehler My apologies, but our switch back to the v4.0/dev branch closed all the PRs and it turns out it is impossible to reopen them. Could you send this PR again, but based on the v4.0/dev branch? My apologies! Learning new things about GitHub every day...

@lifeforms lifeforms mentioned this pull request May 15, 2022
Closed
14 tasks
@theseion theseion mentioned this pull request May 16, 2022
Merged
@franbuehler franbuehler deleted the xss-bypass-1-functions branch February 1, 2024 08:48
@theseion theseion mentioned this pull request Feb 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@franbuehler @lifeforms
0