Open friggingee opened 1 month ago
Turns out, our integration was buggy AND this is an actual false positive.
The tool doesn't consider context and flags this as XSS which isn't correct. But I'm not sure if this is within the scope of this tool to consider context.
What is this feature about (expected vs actual behaviour)?
Input: "move test to productive system (November)"
Expected: "move test to productive system (November)", i.e. no change
Actual: "" (empty string, all content is being filtered)
How can I reproduce it?
Run just "system (" against the tool and it will filter it, even though no danger comes from this string without more dangerous context.
Does it take minutes, hours or days to fix?
hours
Any additional information?
None at the moment
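To show the class of bug the report describes, here is an added Python example (not the tool's code and not from the reporter): a hypothetical blocklist filter that drops any input containing "system (" regardless of context, beside the context-aware alternative of encoding the string for the HTML text context, plus a small regression check that counts how many benign samples each approach alters. The sample strings and the blocklist pattern are constructed for illustration.

```python
import html
import re

# Constructed sample input, taken from the bug report above.
BENIGN = "move test to productive system (November)"

# Hypothetical blocklist (an assumption about how such a filter might be written,
# not the tool's real rule set): matches "system (" wherever it appears.
BLOCKLIST = [re.compile(r"system\s*\(", re.IGNORECASE)]


def blocklist_filter(text: str) -> str:
    """Context-free filtering: any pattern hit discards the whole string.

    This reproduces the reported false positive, because plain prose that
    merely contains the token sequence is treated like a script call.
    """
    for pattern in BLOCKLIST:
        if pattern.search(text):
            return ""
    return text


def encode_for_html_text(text: str) -> str:
    """Context-aware handling: encode for the HTML text context instead of deleting.

    Benign prose passes through unchanged; markup characters are neutralised
    by encoding rather than by guessing which words are dangerous.
    """
    return html.escape(text, quote=True)


def false_positives(filter_fn, benign_samples):
    """Return the benign samples that filter_fn changes (each one is a false positive)."""
    return [s for s in benign_samples if filter_fn(s) != s]


if __name__ == "__main__":
    samples = [BENIGN, "file system (ext4) notes", "release (December)"]
    print("blocklist false positives:", false_positives(blocklist_filter, samples))
    print("encoding false positives:", false_positives(encode_for_html_text, samples))
    print("encoded markup example:", encode_for_html_text("<b>bold</b>"))
```

Running it shows the blocklist rejects two of the three benign samples while output encoding alters none of them and still turns `<b>` into `&lt;b&gt;`. A corpus of known-benign strings like `samples`, run against every filter change, is a cheap way to catch regressions of this kind before users hit them.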