// XSSB, minified build.  Reformatted here only by line breaks and comments; every
// code token is unchanged.  The IIFE installs wrappers around script/HTML sinks on
// this window -- document.write/writeln, eval, setTimeout/setInterval/setImmediate,
// Function, execScript, Element innerHTML/outerHTML/appendChild/replaceChild/
// insertBefore/insertAdjacent*, Range.createContextualFragment, atob,
// document.cookie and localStorage/sessionStorage -- that refuse or strip
// arguments containing a previously recorded "tainted" string.  Taint is gathered
// from location parts, window.name, document.title, document.referrer,
// cross-origin postMessage data and cookie names/values (see sanitize and the
// cookie loop at the end).
// NOTE(review): this is a blacklist + substring-taint heuristic, not an output
// encoding layer.  It narrows, but does not replace, server-side escaping and CSP;
// it is only as good as the regexes below and the taint set it has seen so far.
!function(window,Object,Array){var NativeFunction,Rprototype,cookie,cookieDesc,cookieIndex,cookiePair,cookiePairs,elPrototype,innerHTML,nativeAppendChild,nativeAtob,nativeCreateContextualFragment,nativeEval,nativeExecScript,nativeInsertAdjacentElement,nativeInsertAdjacentHTML,nativeInsertBefore,nativeLocalStorage,nativeReplaceChild,nativeSessionStorage,nativeSetImmediate,nativeSetInterval,nativeSetTimeout,nativeWrite,nativeWriteln,outerHTML,valIndex,win,winOrigin,
// Every non-blank string that ever passes through sanitize() is appended here
// (benign or not) and later used as a substring blocklist by isSafeArg().  The
// list is never pruned, so a page's own path, title or cookie values become
// "tainted" and will be refused at the guarded sinks.
taintedStrings=[],
origin=window.location.origin||window.location.protocol+"//"+window.location.host,
// Blocklist stripped from strings: template markers, HTML entities, on*= handler
// attributes and (obfuscation-tolerant) data:/vbscript:/javascript: schemes.
// Global flag is safe here because every .test() is followed by .replace(),
// which resets lastIndex.
blacklistRe=/{{|}}|&#?\w{2,7};?|\b(?:on[a-z]+\W*?=|(?:(?:d\W*a\W*t\W*a)|(?:v\W*b|j\W*a\W*v\W*a)\W*s\W*c\W*r\W*i\W*p\W*t)\W*?:)/gi,
// Coarse type tag ("string", "object", "array", "map", "set", "regex", "file",
// "fileList" or "other") used to dispatch sanitize(); String objects count as
// "string".
getType=function(e){var t=Object.prototype.toString;return"string"==typeof e||"[object String]"===t.call(e)?"string":"[object Object]"===t.call(e)?"object":Array.isArray&&Array.isArray(e)||"[object Array]"===t.call(e)?"array":"[object Map]"===t.call(e)?"map":"[object Set]"===t.call(e)?"set":"[object RegExp]"===t.call(e)?"regex":"[object File]"===t.call(e)?"file":"[object FileList]"===t.call(e)?"fileList":"other"},
// Repeatedly URL-decodes e until it stops changing, recording which encoder
// (encodeURI / encodeURIComponent / escape) undoes each step so reEncode() can
// restore the original encoding after filtering.  Falls back to escape/unescape
// (or a hand-rolled %XX matcher) when decodeURIComponent throws on a malformed
// sequence.  Non-strings are coerced to strings by decodeURIComponent.
toPlain=function(e){var t=window.encodeURI,n=window.decodeURI,i=window.encodeURIComponent,r=window.decodeURIComponent,o=0,a=[],c=function(e){var s,l,u,d;try{for(;r(e)!==e;)u=r(e),n(e)===u?(e=n(e),a.push(t)):(e=u,a.push(i)),++o}catch(t){if("function"==typeof window.escape&&"function"==typeof window.unescape?(s=window.escape,d=window.unescape):(s=(l=function(e){var t=/(?:[^%]|%(?:40|2[b-f]|2[0-9]|3[a-e]|[57][b-d]))+/gi;return function(n){return(n=n.match(t))?e(n.join("")):null}})(i),d=l(r)),e=d(e),a.push(s),++o,d(e)!==e)return c(e)}return e};return{output:e=c(e),depth:o,revMethod:a}},
// Re-applies the t recorded encoders in n, innermost first.
reEncode=function(e,t,n){for(;t--;)e=n[t](e);return e},
// Recursively filters a value.  Returns the filtered value when anything was
// changed, otherwise the boolean false (callers test `!1!==` to detect a change).
//  - strings: percent-decode (only if a % is present), drop every character
//    outside the ASCII whitelist `u` (so <, >, quotes, backticks and non-ASCII
//    text are removed), strip blacklistRe matches, record the result as taint,
//    then re-encode.  Note the taint push happens even when nothing was stripped.
//  - plain objects: filtered in place, own properties only.
//  - Set/Map: always rebuilt into a new instance and reported as changed; on any
//    error the value becomes null.
//  - RegExp: rebuilt from the filtered source (flags are dropped).
//  - File: renamed via FormData; set to null if the new name still needs filtering.
//  - Array/FileList: elements filtered in place (a FileList is copied to an array
//    with an item() shim).
sanitize=function(e){var t,n,i,r,o,a,c,s,l,u=/[^\w\s\/+=$#@!&*|,;:.?%()[\]{}^-]/g,d=!1,f=getType(e);if("string"===f)/\S/.test(e)&&(/%/.test(e)&&(a=toPlain(e),e=a.output),u.test(e)&&(e=e.replace(u,""),d=!0),blacklistRe.test(e)&&(e=e.replace(blacklistRe,""),d=!0),taintedStrings.push(e),a&&(e=reEncode(e,a.depth,a.revMethod)));else if("object"===f){s=function(t){var n=sanitize(e[t]);!1!==n&&(e[t]=n,d=!0)};try{for(i in o=Object.getOwnPropertyNames(e))s(o[i])}catch(t){for(c in n=Object.prototype.hasOwnProperty,e)n.call(e,c)&&s(c)}}else if("set"===f){try{l=new Set,e.forEach(function(e){var t=sanitize(e);e=t||e,l.add(e)}),e=l}catch(t){e=null}d=!0}else if("map"===f){try{l=new Map,e.forEach(function(e,t){var n=sanitize(e),i=sanitize(t);e=n||e,t=i||t,l.set(t,e)}),e=l}catch(t){e=null}d=!0}else if("regex"===f)!1!==(l=sanitize(e.source))&&(e=new RegExp(l),d=!0);else if("file"===f)try{!1!==(l=sanitize(e.name))&&((t=new FormData).append("file",e,l),e=t.get("file"),!1!==sanitize(e.name)&&(e=null),d=!0)}catch(t){e=null}else if("array"===f||"fileList"===f){if("fileList"===f){for(l=[],i=e.length;i--;)l[i]=e[i];l.item=function(e){return this[e]}}else l=e;for(i=l.length;i--;)!1!==(r=sanitize(l[i]))&&(l[i]=r,d=!0);d&&(e=l)}return!!d&&e},
// Parses a URL string with the URL constructor, falling back to an <a> element
// (which resolves relative URLs against the document) when that throws.
parseUrl=function(e){var t;try{e=new URL(e)}catch(n){(t=document.createElement("a")).href=e,e=t}return e},
// Sanitizes pathname, each query key/value (split on & and =) and the fragment of
// a URL-like object, writing changed parts back.  Returns the resulting href when
// anything changed, else false.  auditWin passes the live window.location here,
// so a changed pathname/search/hash is written to the real Location -- presumably
// navigating the window; TODO confirm that is the intended behaviour.
auditUrl=function(e){var t,n,i,r,o,a,c,s,l=!1;if(!1!==(o=sanitize(e.pathname))&&(e.pathname=o,l=!0),c=e.search){for(r=!1,i=(c=c.slice(1).split("&")).length;i--;){if((n=c[i].split("=")).length<3)!1!==(a=sanitize(n[0]))&&(n[0]=a,r=!0),n[1]&&!1!==(a=sanitize(n[1]))&&(n[1]=a,r=!0);else for(s=n.length;s--;)!1!==(a=sanitize(n[s]))&&(r=!0,n[s]=a);r&&(c[i]=n.join("="))}r&&(e.search=c.join("&"),l=!0)}return(t=e.hash.slice(1))&&!1!==(t=sanitize(t))&&(e.hash=t,l=!0),!!l&&e.href},
// addEventListener shim: (target, "window"|"document", eventName, handler).
// The legacy branch maps DOMContentLoaded onto readyState === "interactive" via
// attachEvent.
addListener=window.addEventListener?function(e,t,n,i){("window"===t?window.addEventListener:document.addEventListener).call(e,n,i)}:function(e,t,n,i){var r;"DOMContentLoaded"===n?(r=function(){"interactive"===e.readyState&&i()},e.attachEvent("onreadystatechange",r)):e.attachEvent("on"+n,i)},
// Object.defineProperties wrapper that swallows errors.
// NOTE(review): the loop that is meant to expand `isDefault:true` into a
// writable/enumerable/configurable descriptor never runs -- every caller passes
// a plain object literal, whose .length is undefined -- and even if it ran, the
// rewritten descriptor `i` is never stored back into `t`.  `isDefault` therefore
// has no effect and properties defined with it (event.data, document.referrer)
// get the defineProperty defaults: non-writable, non-enumerable, non-configurable.
defineProperties=function(e,t){for(var n,i,r=t.length;r--;)n=(i=t[r]).value,i=i.isDefault?{value:n,enumerable:!0,writable:!0,configurable:!0}:i;try{Object.defineProperties(e,t)}catch(e){}},
// Replaces window.name with an accessor whose setter sanitizes the new value
// (keeping the original when sanitize reports no change).
auditWinName=function(e){var t=e.name;defineProperties(e,{name:{get:function(){return t},set:function(e){var n=sanitize(e);t=!1!==n?n:e},enumerable:!0}}),e.name=t},
// Audits one window: sanitizes hash changes, incoming postMessage data (only when
// the event origin differs from this page's origin; any MessagePorts get the same
// handler installed as their onmessage), the current location, window.name,
// document.title and document.referrer, and -- after DOMContentLoaded -- every
// <iframe> on load, provided its contentWindow is reachable (cross-origin frames
// throw inside the try and are skipped) and its src differs from its current href.
auditWin=function(e){var t,n,i,r,o=function(e){var t,n,i,r=e.ports;try{t=e.origin||e.originalEvent.origin}catch(e){}if(t!==origin&&(!1!==(n=sanitize(e.data))&&defineProperties(e,{data:{value:n,isDefault:!0}}),r))for(i=r.length;i--;)r[i].onmessage=o};addListener(e,"window","hashchange",function(){var t=sanitize(e.location.hash.slice(1));!1!==t&&(e.location.hash=t)}),addListener(e,"window","message",o),auditUrl(e.location),(n=e.name)&&!1!==(n=sanitize(n))&&(e.name=n),!1!==(r=sanitize(e.document.title))&&(e.document.title=r),(i=e.document.referrer)&&!1!==(i=auditUrl(parseUrl(i)))&&defineProperties(e.document,{referrer:{value:i,isDefault:!0}}),t=function(){var t,n=document.getElementsByTagName.call(e.document,"iframe"),i=function(e){var t;try{t=e.contentWindow,e.src!==t.location.href&&(auditWinName(t),auditWin(t))}catch(e){}};for(t=n.length;t--;)!function(e){addListener(e,"document","load",function(){i(e)})}(n[t])},addListener(e.document,"document","DOMContentLoaded",t)},
// Object.getPrototypeOf that returns undefined instead of throwing.
getPrototypeOf=function(){try{return Object.getPrototypeOf.apply(this,arguments)}catch(e){}},
// Wraps document.write/writeln.  Only the FIRST argument is ever forwarded.  When
// that argument is unsafe, the native call is skipped and the blacklist-stripped
// string is instead assigned to the innerHTML of the parent of the last element
// in the document -- which replaces (not appends to) that parent's content.
guardWrite=function(e){return function(t){var n;isSafeArg(t)?e.call(document,t):(t=toSafeStr(t),(n=document.getElementsByTagName("*"))[n.length-1].parentElement.innerHTML=t)}},
// Array.prototype.some with a last-to-first fallback.
some=Array.prototype.some||function(e){for(var t=this.length;t--;)if(e(this[t]))return!0;return!1},
// True when no argument, after toPlain() decoding, contains a recorded tainted
// string that is non-numeric and longer than 6 characters.  Arguments are
// coerced to strings by toPlain (decodeURIComponent), so a function passed to a
// guarded sink (e.g. a setTimeout callback) is matched against its source text.
// Tainted strings of 6 characters or fewer are never matched.
isSafeArg=function(){return!some.call(arguments,function(e){return e=toPlain(e).output,some.call(taintedStrings,function(t){return isNaN(t)&&t.length>6&&-1!==e.indexOf(t)})})},
// Wraps a sink so it is silently skipped (returns undefined -- e.g. no timer id)
// when any argument is unsafe.  For eval this calls the native function through
// apply, i.e. as an indirect eval in global scope.
guardSink=function(e){return function(){if(isSafeArg.apply(null,arguments))return e.apply(this,arguments)}},
// Decides whether a node about to be inserted is unsafe.  If the node has
// descendants, the check returns at the FIRST tag group that is present (applet,
// then embed, frame, iframe, object, script): a subtree with an <applet> is judged
// by its applets only, even if it also holds a <script>.  Leaf decision: script
// text/src, object data, (i)frame/embed src+srcdoc, applet code/codebase/archive
// are run through isSafeArg.  Any other tag yields undefined, i.e. is treated as
// safe by guardMethod -- an element whose only payload is an on* attribute is not
// flagged here (toSafeNode strips such attributes, but only runs when this
// returned true).
isUnsafeNode=function(e){var t,n,i,r,o,a,c=e.nodeName;try{if(e.hasChildNodes()){if((t=e.getElementsByTagName("applet")).length>0)return some.call(t,isUnsafeNode);if((n=e.getElementsByTagName("embed")).length>0)return some.call(n,isUnsafeNode);if((i=e.getElementsByTagName("frame")).length>0)return some.call(i,isUnsafeNode);if((r=e.getElementsByTagName("iframe")).length>0)return some.call(r,isUnsafeNode);if((o=e.getElementsByTagName("object")).length>0)return some.call(o,isUnsafeNode);if((a=e.getElementsByTagName("script")).length>0)return some.call(a,isUnsafeNode)}}catch(e){}return"SCRIPT"===c?!isSafeArg(e.text)||!isSafeArg(e.src):"OBJECT"===c?!isSafeArg(e.data):"IFRAME"===c||"FRAME"===c||"EMBED"===c?!(isSafeArg(e.src)&&(!e.srcdoc||isSafeArg(e.srcdoc))):"APPLET"===c?!!(!isSafeArg(e.code)||e.codebase&&!isSafeArg(e.codebase)||e.archive&&!isSafeArg(e.archive)):void 0},
// Neuters a flagged node in place: empties its entire subtree via innerHTML="",
// removes src/srcdoc/data/code/archive/codebase/object attributes and any on*
// attribute whose value is unsafe.  Because guardMethod flags a container when a
// nested node is unsafe, the whole container is emptied, not just the offender.
toSafeNode=function(e){var t,n,i,r;e.innerHTML="",e.hasAttribute("src")&&e.removeAttribute("src"),e.hasAttribute("srcdoc")&&e.removeAttribute("srcdoc"),e.hasAttribute("data")&&e.removeAttribute("data"),e.hasAttribute("code")&&e.removeAttribute("code"),e.hasAttribute("archive")&&e.removeAttribute("archive"),e.hasAttribute("codebase")&&e.removeAttribute("codebase"),e.hasAttribute("object")&&e.removeAttribute("object");try{if(e.hasAttributes())for(r=(i=e.attributes).length;r--;)n=(t=i[r]).name,/^on./.test(n)&&!isSafeArg(t.value)&&e.removeAttribute(n)}catch(e){}return e},
// Wraps appendChild/replaceChild/insertBefore: neuters the first argument when
// isUnsafeNode says so, then forwards all original arguments.
guardMethod=function(e){return function(t){return isUnsafeNode(t)&&(t=toSafeNode(t)),e.apply(this,arguments)}},
// Object.getOwnPropertyDescriptor that returns undefined instead of throwing.
getOwnPropertyDescriptor=function(){try{return Object.getOwnPropertyDescriptor.apply(this,arguments)}catch(e){}},
// Replacement for a Storage object.  setItem silently drops the write when key or
// value is unsafe; getItem is passed through unchanged.
// NOTE(review): only setItem/getItem exist on the replacement -- removeItem,
// clear, key, length and property-style access are not available to page code.
guardStorage=function(e){return{setItem:function(t,n){isSafeArg(t,n)&&e.setItem(t,n)},getItem:function(t){return e.getItem(t)}}},
// HTML-string fallback used by the markup sinks: only when the string contains
// "<" are blacklistRe matches removed and srcdoc= attributes renamed.  Assumes a
// string argument (indexOf).
toSafeStr=function(e){return-1!==e.indexOf("<")&&blacklistRe.test(e)&&(e=(e=e.replace(blacklistRe,"")).replace(/\bsrcdoc=/gi,"redacted=")),e},
// Builds an innerHTML/outerHTML accessor over the native descriptor e; unsafe
// values are passed through toSafeStr before the native setter.  If e is
// undefined (descriptor lookup failed) the installed accessor throws on use.
genDescriptor=function(e){return{get:function(){return e.get.call(this)},set:function(t){return isSafeArg(t)||(t=toSafeStr(t)),e.set.call(this,t)}}};
// Audit this window, then -- when framed -- walk every ancestor up to top and
// audit the ones whose origin differs.  A cross-origin ancestor throws when read
// and is skipped by the catch/continue; finally always advances to the parent.
if(auditWin(window),window!==top){win=parent;try{winOrigin=win.location.origin||win.location.protocol+"//"+win.location.host}catch(e){}do{try{winOrigin!==origin&&(auditWinName(win),auditWin(win))}catch(e){continue}finally{win=win.parent}}while(win!==top)}
// Hook the script sinks.  The Function wrapper returns an empty function when its
// arguments are unsafe; inside it `Function` resolves to the global binding, which
// by then is this wrapper, so created functions get the wrapper as prototype and
// the wrapper's own .prototype is set to itself to keep instanceof working.
NativeFunction=window.Function,nativeEval=window.eval,nativeSetInterval=window.setInterval,nativeSetTimeout=window.setTimeout,nativeWrite=document.write,nativeWriteln=document.writeln,document.write=guardWrite(nativeWrite),document.writeln=guardWrite(nativeWriteln),window.eval=guardSink(nativeEval),window.setTimeout=guardSink(nativeSetTimeout),window.setInterval=guardSink(nativeSetInterval),window.Function=function(){var e=function(){var e=NativeFunction.apply(null,arguments);e.constructor=Function;try{Object.setPrototypeOf(e,Function)}catch(t){e.__proto__=Function}return e};return isSafeArg.apply(null,arguments)?e.apply(null,arguments):e()},window.Function.prototype=Function;
// Hook the Element markup sinks on Element.prototype (objects that are not
// Elements, such as document or a DocumentFragment, are presumably unaffected --
// TODO confirm).  Any failure leaves the natives in place.
try{elPrototype=window.Element.prototype,nativeAppendChild=elPrototype.appendChild,nativeReplaceChild=elPrototype.replaceChild,nativeInsertBefore=elPrototype.insertBefore,nativeInsertAdjacentHTML=elPrototype.insertAdjacentHTML,nativeInsertAdjacentElement=elPrototype.insertAdjacentElement,innerHTML=getOwnPropertyDescriptor(elPrototype,"innerHTML"),outerHTML=getOwnPropertyDescriptor(elPrototype,"outerHTML"),elPrototype.appendChild=guardMethod(nativeAppendChild),elPrototype.replaceChild=guardMethod(nativeReplaceChild),elPrototype.insertBefore=guardMethod(nativeInsertBefore),elPrototype.insertAdjacentHTML=function(e,t){return isSafeArg(t)||(t=toSafeStr(t)),nativeInsertAdjacentHTML.call(this,e,t)},elPrototype.insertAdjacentElement=function(e,t){return isUnsafeNode(t)&&(t=toSafeNode(t)),nativeInsertAdjacentElement.call(this,e,t)},defineProperties(elPrototype,{innerHTML:genDescriptor(innerHTML),outerHTML:genDescriptor(outerHTML)})}catch(e){}
// Optional sinks: execScript (the eval("var execScript;") declares a global so the
// reassignment sticks), setImmediate and atob.
// NOTE(review): the atob wrapper returns `sanitize(decoded)` for an unsafe input,
// which is the boolean false when the decoded text needed no change, and
// otherwise the decoded text with every byte outside sanitize's ASCII whitelist
// removed -- callers decoding binary data get false or mangled output instead of
// a string.
window.execScript&&(nativeExecScript=window.execScript,eval("var execScript;"),window.execScript=guardSink(nativeExecScript)),window.setImmediate&&(nativeSetImmediate=window.setImmediate,window.setImmediate=guardSink(nativeSetImmediate)),window.atob&&(nativeAtob=window.atob,window.atob=function(e){return isSafeArg(e)?nativeAtob(e):e=sanitize(nativeAtob(e))});
// Range.createContextualFragment: unsafe markup is replaced by an empty string.
try{Rprototype=window.Range.prototype,nativeCreateContextualFragment=Rprototype.createContextualFragment,Rprototype.createContextualFragment=function(e){return isSafeArg(e)||(e=""),nativeCreateContextualFragment.call(this,e)}}catch(e){}
// document.cookie: look up the native accessor (own, prototype, or via
// __lookupGetter__/__lookupSetter__), then redefine it so unsafe writes are
// silently dropped.  Reads are not restricted.  If the native accessor is
// unavailable the fallback only appends to the local `cookie` string captured at
// load time; such writes never reach the browser's cookie jar.  Finally every
// cookie name and value present at load is recorded as taint, so they cannot
// later be passed to eval/innerHTML/etc.
for(cookie=document.cookie,cookieDesc=function(){try{return getOwnPropertyDescriptor(document,"cookie")||getOwnPropertyDescriptor(getPrototypeOf(document),"cookie")||{get:document.__lookupGetter__("cookie"),set:document.__lookupSetter__("cookie")}}catch(e){}}(),defineProperties(document,{cookie:{get:function(){try{return cookieDesc.get.call(this)}catch(e){return cookie}},set:function(e){if(isSafeArg(e))try{return cookieDesc.set.call(this,e)}catch(t){cookie+=";"+e}}}}),cookiePairs=cookie.split(";"),cookieIndex=cookiePairs.length;cookieIndex--;)for(cookiePair=cookiePairs[cookieIndex].split("="),valIndex=cookiePair.length;valIndex--;)taintedStrings.push(cookiePair[valIndex]);
// Replace localStorage/sessionStorage with the reduced guardStorage objects (see
// the NOTE on guardStorage about the missing Storage methods).
try{window.localStorage&&(nativeLocalStorage=window.localStorage,delete window.localStorage,window.localStorage=guardStorage(nativeLocalStorage)),window.sessionStorage&&(nativeSessionStorage=window.sessionStorage,delete window.sessionStorage,window.sessionStorage=guardStorage(nativeSessionStorage))}catch(e){}}(window,Object,Array);