Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
XSS Protection API 2.0.10
Description
The XSSFilter is erroneously rejecting URLs that consist only of queries, (potentially empty) fragments or both, e.g. "#", "#test", "?foo=bar" etc.
Even though the RELATIVE_PART regexp contains an PATH_EMPTY group, it is explicitly matching the entire string, so will fail if the QUERY or FRAGMENT groups match.
A potential solution (see attached patch and tests) might be to remove the PATH_EMPTY group from the RELATIVE_PART, and make the entire RELATIVE_PART optional by adding ? to the group in RELATIVE_REF. This will still match completely empty URLs.