feat: new isolated test 941100-6 (941100 PL1) (Christian Folini) #3362
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'll review this one now… |
|
Race condition in the 980xxx tests has hit again… re-running the automated CI tests. |
RedXanadu
approved these changes
Nov 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status page test. See #3351
The payload used on this test is loosely based on one of the examples on the portswigger XSS cheatsheet.
I took said payload and reduced it and re-encoded it to go around the other rules triggering.
I also had to pick a JS event name that is not yet in use (or other XSS rule 941160 PL1 would trigger). I think this is warranted since there might always new JS events that 941160 does not yet detect.
So I think the result is a test that is isolated and still triggers on something that might be an attack.