[XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting).

Author: hackademix

src/test/XSS_test.js

@@ -31,6 +31,8 @@ if (UA.isMozilla) {
       () => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
       () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
       () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
+      () => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=alert(document.cookie)//＜"),
+      () => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=/**🚫*/alert(document.cookie)"),
       ].map(t => Test.run(t))
     );
 

src/xss/InjectionChecker.js

@@ -530,7 +530,7 @@ XSS.InjectionChecker = (async () => {
       let value;
       try {
         // see https://mathiasbynens.be/notes/javascript-identifiers-es6#acceptable-unicode-symbols
-        value = new RegExp(preamble + "[^$_\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
+        value = new RegExp(preamble + "[^\\x00-\\x7E\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
       } catch (e) {
         // Unicode entities are not supported in Gecko <= 77
         value = new RegExp(preamble + `[${this._createInvalidRanges()}]`, "u");
@@ -665,13 +665,14 @@ XSS.InjectionChecker = (async () => {
 
           lastExpr = expr;
 
-          if (invalidCharsRx && invalidCharsRx.test(expr)) {
-            this.log("Quick skipping invalid chars");
-            break;
+          if (invalidCharsRx) {
+            let m = invalidCharsRx.test(expr);
+            if (m) {
+              this.log(`Quick skipping invalid chars on ${expr}, (${JSON.stringify(m)}).`);
+              break;
+            }
           }
 
-
-
           if (quote) {
             if (this.checkNonTrivialJSSyntax(expr)) {
               this.log("Non-trivial JS inside quoted string detected", iterations);