This repository has been archived by the owner on Apr 23, 2022. It is now read-only.

Bug in "Activated but not in block mode" check. #1

Closed
ah8r opened this issue Mar 13, 2014 · 1 comment

Comments


ah8r commented Mar 13, 2014

On line 308 you check that headersXXP[0][0].group(1) is equal to 1 and then check if the same thing is not equal to "block", rather than checking the actual mode value against "block". So effectively, as long as the X-XSS header is set to 1, the "mode" is not actually checked, and an issue will appear stating that the X-XSS protection header is active but not running in block mode.

The fix is to change the second headersXXP[0][0].group(1) to headersXXP[0][0].group(2), so the entire line should read:

elif len(headersXXP) == 1 and int(headersXXP[0][0].group(1)) == 1 and headersXXP[0][0].group(2) != "block":

It's a great extension otherwise! Use it all the time, hence how I found this bug.

Edited to correct a few errors in my explanation.
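The false positive described in the report, reproduced as an added example (this is not the extension's own code). The regex and the list-of-lists shape of headersXXP are assumptions chosen to mirror the headersXXP[0][0].group(n) access quoted above: group(1) is the numeric value, group(2) the optional mode token.

```python
import re

# Assumed header regex (not the project's): group(1) = value digit,
# group(2) = the token after "mode=", or None when no mode is given.
XXP_RE = re.compile(r"^\s*(\d)\s*(?:;\s*mode\s*=\s*(\w+))?", re.IGNORECASE)


def parse_xxp(header_values):
    """Build a structure shaped like headersXXP: one [match] entry per header."""
    return [[XXP_RE.match(v)] for v in header_values if XXP_RE.match(v)]


def buggy_not_block_mode(headersXXP):
    # Original predicate: group(1) is the value ("1"), which is never "block",
    # so every enabled header is reported as not running in block mode.
    return (len(headersXXP) == 1
            and int(headersXXP[0][0].group(1)) == 1
            and headersXXP[0][0].group(1) != "block")


def fixed_not_block_mode(headersXXP):
    # Fix from the report: compare group(2), the actual mode token.
    return (len(headersXXP) == 1
            and int(headersXXP[0][0].group(1)) == 1
            and headersXXP[0][0].group(2) != "block")


def compare(header_value):
    """Return (buggy_result, fixed_result) for one X-XSS-Protection value."""
    h = parse_xxp([header_value])
    return buggy_not_block_mode(h), fixed_not_block_mode(h)


if __name__ == "__main__":
    # Constructed sample header values.
    for value in ["1; mode=block", "1", "0"]:
        print(repr(value), compare(value))
```

Only "1; mode=block" differs between the two predicates: the buggy check flags it, the fixed one does not.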

thomaspatzke pushed a commit that referenced this issue Mar 13, 2014
…ch causes false positives.

Detailed description: #1
thomaspatzke (Owner) commented

Hi Adrian,

thanks a lot for the report! Just fixed and pushed it to the repo!

thomaspatzke pushed a commit that referenced this issue Dec 19, 2018