
false positives #5

Description

@wilson9x1

Good project!!
But I find this rule will cause false positives:

(r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->")

e.g.:
demo.php:

<?php
// Encode the characters that could close the attribute value or the tag
// (the original swapped &lt; and &gt;; corrected here, the effect is the same).
$input = str_replace("\"", "&quot;", $_GET['xss'] ?? '');
$input = str_replace(">", "&gt;", $input);
$input = str_replace("<", "&lt;", $input);
// Reflect the encoded value three times inside a double-quoted attribute,
// so a single ' in the input yields three ' characters within one tag.
echo '<meta name="description" content="';
print($input);
echo '#23578';
print($input);
echo '#23578';
print($input);
echo '#23578"/>';
?>


for help~
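To make the report concrete, here is an added Python reproduction (not the reporter's code and not the scanner's own): it ports demo.php, shows the quoted rule firing on the reflected page, and contrasts it with a quote-state scan that only reports a break-out when the reflected quote matches the delimiter of the attribute value it lands in. The marker string and the helper names are constructed for this example.

```python
import re

# The reported rule with %(chars)s filled in with a single quote: it fires on any
# tag containing three ' characters, regardless of which quotes delimit them.
RULE = re.compile(r"<[^>]*'[^>']*'[^>']*'[^>]*>")

MARKER = "zq7tk"          # constructed scanner-style marker
PAYLOAD = MARKER + "'"    # the quote character the rule is probing for


def php_demo(xss):
    """Python port of demo.php: encodes ", < and >, then reflects the value three times."""
    enc = xss.replace('"', "&quot;").replace(">", "&gt;").replace("<", "&lt;")
    return '<meta name="description" content="' + "#23578".join([enc] * 3) + '#23578"/>'


def rule_fires(page):
    return RULE.search(page) is not None


def enclosing_quote(page, pos):
    """Return the quote character (' or ") delimiting the attribute value that
    contains position pos, or None if pos is not inside a quoted value."""
    quote, in_tag = None, False
    for ch in page[:pos]:
        if quote:                       # inside a quoted attribute value
            if ch == quote:
                quote = None
        elif in_tag:
            if ch in "\"'":
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    return quote


def reflected_quote_breaks_out(page, marker, quote_char):
    """Context-aware check: the reflected marker (which carries quote_char) can only
    close an attribute value if quote_char matches the delimiter of that value."""
    return any(enclosing_quote(page, m.start()) == quote_char
               for m in re.finditer(re.escape(marker), page))


if __name__ == "__main__":
    page = php_demo(PAYLOAD)
    print("regex rule fires:", rule_fires(page))                                     # True (false positive)
    print("context-aware break-out:", reflected_quote_breaks_out(page, PAYLOAD, "'"))  # False
    vuln = "<meta name='description' content='%s'>" % PAYLOAD                       # real finding
    print("single-quoted attribute, context-aware:", reflected_quote_breaks_out(vuln, PAYLOAD, "'"))  # True
```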
