False positive - data:

[sevicbb]

Hello,

We are using the voku/anti-xss library for XSS validation and noticed that a specific term is being detected as XSS by its implementation: data:. While the library has generally worked well, this issue resembles a previous problem we encountered with the terms profile( and system(, which were resolved in a newer version.

Could you please investigate this issue? Additionally, is there a way to whitelist or handle such terms on our side as a workaround until a fix is available?

Thank you for your support.

Best regards,
Djordje Sevic

[voku]

Hi, can you provide examples, that we can put into the unit tests?

[epysqyli]

Hello,
I believe I've encountered a similar case, where the colon after a specific word is leading to a false positive, such that the following string is marked as containing xss:

Consumer Behavior: Buying, Having, and Being, Global Edition (Book)

Cleaning the string results in:

Consumer (Book)

Thank you.