xss/Exceptions.js
I can't post the code as it won't let me get it past the forum spam guard, unfortunately.
Have I read the intent here wrongly, or is this allowing (for example) Microsoft to run XSS unrestrictedly, for things like logins using a Microsoft ID?
if (!srcOrigin && isGet) {
  if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
    return true; // MSDN from Microsoft VS
  }
}
I realise that might be a bad example because it actually specifically says MSDN, but there's a bunch of stuff in there that I might not really want to have XSS.
I realise that we have to jump around a touch (here & here) to modify the XSS options that we *can* change, and I'm aware of the built-in 'Allows' that come with the package, and the acceptable caveat given to including them. They're options that I can change. These I worry that I can't remove for whatever reason.
This isn't a 'shouting at noscript' thing, I'm just trying to find out how I can ensure there's no more of these, and to change the ones that I don't wish to have in there.
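To see how narrow this particular exception actually is, the snippet quoted above can be wrapped in a small function and run against a handful of constructed request descriptions. This is an added example, not NoScript's own code; the names `srcOrigin`, `isGet` and `unescapedDest` are taken from the quoted snippet, and their meaning (origin of the page that started the request, request method is GET, decoded destination URL) is assumed here.

```javascript
// Added example (not NoScript's own code). Wraps the quoted Exceptions.js
// snippet in a function so the scope of the exception can be checked offline.
// Assumed meaning of the parameters (taken from the snippet's names):
//   srcOrigin     - origin of the page that initiated the request;
//                   empty/falsy when no page initiated it (e.g. an external app)
//   isGet         - true when the request method is GET
//   unescapedDest - the decoded destination URL
function msdnExceptionApplies(srcOrigin, isGet, unescapedDest) {
  if (!srcOrigin && isGet) {
    if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
      return true; // MSDN from Microsoft VS
    }
  }
  return false;
}

// Constructed sample requests (not captured traffic):
// [srcOrigin, isGet, unescapedDest, expected result]
const samples = [
  // Only the /query/ path on msdn.microsoft.com, no source origin, GET: matched.
  ["", true, "https://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US", true],
  // Other paths on the same host are not covered by the pattern.
  ["", true, "https://msdn.microsoft.com/library/aa123456.aspx", false],
  // The tail [^<]+ rejects any destination containing a '<'.
  ["", true, "https://msdn.microsoft.com/query/x?q=<b>hi</b>", false],
  // A request that has a source origin never reaches the regex at all.
  ["https://other.example", true, "https://msdn.microsoft.com/query/dev10.query", false],
  // Non-GET requests are not exempted either.
  ["", false, "https://msdn.microsoft.com/query/dev10.query", false],
  // The pattern is anchored with ^, so the host must be the real destination,
  // not a string embedded in another URL's query.
  ["", true, "https://example.com/?u=https://msdn.microsoft.com/query/", false],
];

// Returns the exception's verdict for each sample, in order.
function evaluateSamples() {
  return samples.map(([src, get, dest]) => msdnExceptionApplies(src, get, dest));
}

// Returns true when every sample produced its expected verdict.
function allSamplesAsExpected() {
  return samples.every(([src, get, dest, want]) => msdnExceptionApplies(src, get, dest) === want);
}

console.log(evaluateSamples());
```

Running it shows the three conditions that all have to hold before this exception fires: no originating page, a GET, and a destination on the MSDN `/query/` path that contains no `<`. Any other destination on msdn.microsoft.com, or the same URL reached from a page with an origin, falls through to NoScript's normal XSS checks.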