From 525ce1f9233ae2b87405c02ee3dbcfe6aac9f837 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?= <iwind.liu@gmail.com>
Date: Sun, 10 Dec 2023 19:40:29 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96WAF=20XSS=E6=A3=80=E6=B5=8B?=
 =?UTF-8?q?=EF=BC=8C=E5=87=8F=E5=B0=91=E5=AF=B9=E5=9B=BE=E7=89=87=E5=86=85?=
 =?UTF-8?q?=E5=AE=B9=E7=9A=84=E8=AF=AF=E5=88=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../libinjection/src/libinjection_xss.c              | 12 +++++++-----
 internal/waf/injectionutils/libinjection_xss.c       |  4 +++-
 internal/waf/injectionutils/utils_xss_test.go        |  8 ++++++++
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/internal/waf/injectionutils/libinjection/src/libinjection_xss.c b/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
index 5275757..c135a36 100644
--- a/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
@@ -667,10 +667,11 @@ static attribute_t is_black_attr(const char* s, size_t len)
 
 
         /* XMLNS can be used to create arbitrary tags */
-        if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
+        // goedge: commented for photo uploading
+        //if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
             /*      printf("Got XMLNS and XLINK tags\n"); */
-            return TYPE_BLACK;
-        }
+        //    return TYPE_BLACK;
+        //}
     }
 
     black = BLACKATTR;
@@ -789,9 +790,10 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
             attr = TYPE_NONE;
         } else if (h5.token_type == TAG_COMMENT) {
             /* IE uses a "`" as a tag ending char */
-            if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
+            // goedge: commented for photo uploading
+            /**if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
                 return 1;
-            }
+            }**/
 
             /* IE conditional comment */
             if (h5.token_len > 3) {
diff --git a/internal/waf/injectionutils/libinjection_xss.c b/internal/waf/injectionutils/libinjection_xss.c
index 2189045..72c861f 100644
--- a/internal/waf/injectionutils/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection_xss.c
@@ -1,4 +1,6 @@
 #define LIBINJECTION_VERSION "3.9.1"
 
 #include "libinjection/src/libinjection_xss.c"
-#include "libinjection/src/libinjection_html5.c"
\ No newline at end of file
+#include "libinjection/src/libinjection_html5.c"
+
+#define GOEDGE_VERSION "23" // last version is for GoEdge change
\ No newline at end of file
diff --git a/internal/waf/injectionutils/utils_xss_test.go b/internal/waf/injectionutils/utils_xss_test.go
index 4cab416..4bec531 100644
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -24,6 +24,14 @@ func TestDetectXSS(t *testing.T) {
 	a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>"))
 	a.IsFalse(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>"))
 	a.IsTrue(injectionutils.DetectXSS("name=s&description=%3Cscript+src%3D%22a.js%22%3Edddd%3C%2Fscript%3E"))
+	a.IsFalse(injectionutils.DetectXSS(`<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0">
+   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+      <rdf:Description rdf:about=""
+            xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
+         <tiff:Orientation>1</tiff:Orientation>
+      </rdf:Description>
+   </rdf:RDF>
+</x:xmpmeta>`)) // included in some photo files
 }
 
 func BenchmarkDetectXSS_MISS(b *testing.B) {