Added
- New hideThis configuration key to hide thisArg in devtools for function sinks (#29 (Thanks @aristosMiliaressis).
- Improved leverage-innerHTML.json config to detect potential document DOM clobbering sinks.
- New Client-Side Prototype Pollution detection (cspp.json) configuration file.
- Devtools font size can now be configured from the settings.
Updated
- The CSPT config has been improved to properly handle "fetch(new Request('/'))".
- Banned words have been updated in all configs.
- The thisArg notation in devtools has been improved to make it easier to read (#29) (Thanks @aristosMiliaressis).
- JavaScript injection has been improved on Firefox (wasn't needed for Chromium) to limit the init race condition.
- The dupKey value is now computed in the DOM instead of the background script.
Fixed
- Fixed a bug that made attribute hooking impossible without set/get.
- Fixed a bug that blocked hooking postMessage without typing window.postMessage (#25).
- Fixed a DOS loop issue in the onmessage handler that triggered a hooked sink.
Contributors
aristosMiliaressis