
I have this special XSS line I am trying to catch/detect with a regex. I have tried multiple ones, none seems to work. Although online regex test sites catch it, when I try it in actual code, it does not work.

Here is the special line that I need to catch with regex:

<<​ ​​ ​ScRiPT​ ​​ ​​ ​>alert("XSS");//<</​ ​ScRiPT​ ​​ ​>

And here is what I have so far:

/[<]*<\s*script\s*>.*[/]*[<]*<\s*\/\s*script\s*>/ig;

What am I missing?

Patrick Evans
Taner
  • Is there meant to be a closing ? Also, when pasting into regexer, that text has a bunch of odd invisible characters that aren't normal space characters. I'm not sure what you pasted is correct. – jas7457 Sep 17 '17 at 04:37
  • This is the first mistake one can make whenever he tries to apply security measures. You should not accept any tag if your content does not allow that. For example, I can bypass your regex entirely just by using another tag. `` will alert(1). – felixmosh Sep 17 '17 at 04:44
  • Why don't you use CSP? – Daniel Herr Sep 17 '17 at 04:55
  • You need to tell us *exactly* what you desire to detect & *exactly* what you desire to reject. In this instance, the text you are attempting to detect contains a bunch of [Zero Width Space (`\u200B`) characters](http://www.fileformat.info/info/unicode/char/200B/index.htm). You will need to include those along with the `\s`. However, you will probably want to go with including any possible [Unicode space character in your RegExp](https://stackoverflow.com/q/280712/3773011). If you want to specifically select some groups of characters, [my answer](https://stackoverflow.com/a/26135188) has some. – Makyen Sep 17 '17 at 05:14

1 Answer


The whitespace class (\s) doesn't contain zero-width space. So you have to specify that explicitly:

/[<]*<[\s\u200B]*script[\s\u200B]*>.*[/]*[<]*<[\s\u200B]*\/[\s\u200B]*script[\s\u200B]*>/ig;

Here is a snippet of it working:

var str = "<<​ ​​ ​ScRiPT​ ​​ ​​ ​>alert(\"XSS\");//<</​ ​ScRiPT​ ​​ ​>";
var regex = /[<]*<[\s\u200B]*script[\s\u200B]*>.*[/]*[<]*<[\s\u200B]*\/[\s\u200B]*script[\s\u200B]*>/ig;
document.write("Regex matched: " + regex.test(str));
Anders Carstensen
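An added example (not code from the question or the answer) that generalizes the answer's fix: rather than listing U+200B in every character class, it strips all Unicode format characters (category Cf) first and then runs the question's original pattern. The names `normalize`, `looksLikeScriptTag` and `report`, and the sample strings, are assumptions constructed for illustration.

```javascript
// Added example; INVISIBLE, normalize, looksLikeScriptTag and report are hypothetical names.

// Unicode "format" characters (category Cf) include U+200B ZERO WIDTH SPACE,
// U+200C/U+200D joiners and U+2060 WORD JOINER. None of them is matched by \s.
const INVISIBLE = /\p{Cf}/gu;

// The two patterns from the page. The g flag is dropped here because test()
// on a global regex keeps state in lastIndex between calls.
const original = /[<]*<\s*script\s*>.*[/]*[<]*<\s*\/\s*script\s*>/i;
const answer = /[<]*<[\s\u200B]*script[\s\u200B]*>.*[/]*[<]*<[\s\u200B]*\/[\s\u200B]*script[\s\u200B]*>/i;

// Remove invisible format characters so the plain \s pattern sees ordinary text.
function normalize(input) {
  return input.replace(INVISIBLE, "");
}

// Detection check: normalize first, then apply the question's original regex.
function looksLikeScriptTag(input) {
  return original.test(normalize(input));
}

// Constructed samples: the question's line rebuilt with explicit escapes,
// plus a variant where U+2060 replaces every U+200B.
const Z = "\u200B";
const withZwsp = `<<${Z} ${Z}${Z} ${Z}ScRiPT${Z} ${Z}>alert("XSS");//<</${Z} ${Z}ScRiPT${Z} ${Z}>`;
const withWordJoiner = withZwsp.replace(/\u200B/g, "\u2060");

function report() {
  return {
    sIsBlindToZwsp: !/\s/.test(Z),                        // \s does not cover U+200B
    originalOnZwsp: original.test(withZwsp),              // question's regex misses it
    answerOnZwsp: answer.test(withZwsp),                  // answer's regex catches it
    answerOnWordJoiner: answer.test(withWordJoiner),      // but only for U+200B
    normalizedOnZwsp: looksLikeScriptTag(withZwsp),
    normalizedOnWordJoiner: looksLikeScriptTag(withWordJoiner),
  };
}

console.log(report());
```

As the comments on the question point out, a match on `script` says nothing about other tags, so a check like this belongs in detection logic and not as the only defence.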