dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

relax detection regex (#757)

Browse Source 
Allow for content before and after the script; Allow optional semicolon
This commit is contained in:
August Detlefsen 2020-02-20 11:00:07 -08:00 committed by GitHub
parent cd3fb8040f
commit 208aa42fdb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
View File

@ -45,7 +45,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@RequestParam Integer QTY4, @RequestParam String field1, @RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam String field2) { @RequestParam String field2) {
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) { if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build(); return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
} }