Too general regular expression

This regular expression can pass a string for XSS or an arbitrary URL that will be loaded in an iFrame.

my ($patch) = ($params{data} =~ m,^# patch http[s]?://[^/]+(/[^\s]+),m);

It will most likely never be used for this purpose, but just in case I would change it to something more specific.

my ($patch) = ($params{data} =~ m|^# patch http[s]?://[^/]+(/ddt\.cgi\?diff1=\d+&diff2=\d+&language=[[:alpha:]_]{2,5})|am);
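To make the difference between the two patterns concrete, here is an added Perl example (not code from the project or the reviewer) that runs both regular expressions over a few constructed `# patch` lines. The hostname `example.org`, the sample lines and the two helper subs are assumptions made for illustration only; the two regular expressions are the ones quoted above, unchanged.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs (not from the project): the first is the
# expected ddt.cgi diff link, the other two are shapes the loose pattern
# lets through (an HTML-breaking path and an arbitrary page path).
my @samples = (
    '# patch https://example.org/ddt.cgi?diff1=12&diff2=34&language=en',
    '# patch https://example.org/"><script>alert(1)</script>',
    '# patch https://example.org/other/page.html',
);

# Original (too general) pattern: captures anything up to whitespace.
sub extract_loose {
    my ($data) = @_;
    my ($patch) = ($data =~ m,^# patch http[s]?://[^/]+(/[^\s]+),m);
    return $patch;    # undef when there is no match
}

# Tightened pattern: the capture must be a ddt.cgi diff request with
# numeric diff ids and a short ASCII language tag (/a keeps \d and
# [[:alpha:]] ASCII-only).
sub extract_strict {
    my ($data) = @_;
    my ($patch) = ($data =~ m|^# patch http[s]?://[^/]+(/ddt\.cgi\?diff1=\d+&diff2=\d+&language=[[:alpha:]_]{2,5})|am);
    return $patch;
}

for my $line (@samples) {
    my $loose  = extract_loose($line);
    my $strict = extract_strict($line);
    printf "%s\n  loose : %s\n  strict: %s\n",
        $line,
        defined $loose  ? $loose  : '(no match)',
        defined $strict ? $strict : '(no match)';
}
```

With the loose pattern the second and third lines yield `/"><script>alert(1)</script>` and `/other/page.html` as the "patch" path; with the tightened pattern only the first line produces a value, `/ddt.cgi?diff1=12&diff2=34&language=en`. Because the tightened pattern has no end anchor, any trailing text after the language tag is simply not part of the capture, so what reaches the iframe or the page is constrained to that fixed shape.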