Rework Pullrequest #122, avoid xss false positives starting with 'on.*' #143
blappm wants to merge 5 commits into client9:master from
Conversation
As a CRS maintainer, I agree that a fix for this problem would be very interesting. Our users regularly turn up false positives due to generic SpiderLabs/owasp-modsecurity-crs#820. A discrete blacklist would solve this problem, although it may require more regular maintenance as new event handlers are added.
Looks like there were some event handlers missing. Adding them now.
build passed 🎉
Well :-) It's now sorted alphabetically. This makes it easier to add new event handlers.
We are now successfully using this patch in production. While we were seeing 20-30 FP per day before, the rate has now dropped to 1-2 per day. One of the worst FP caused by this was 'online'.
Is there anything holding this PR? It'd be great if it's merged.
@client9 is this project abandoned? |
You may want to look here: libinjection/libinjection#7 we are giving a follow-up on that discussion there.
It is safer to use a list of event handlers than just matching strings > 5 chars.
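To make the trade-off discussed in this thread concrete, here is an added example (not libinjection's code and not from this PR): the generic heuristic, assumed here to mean an "on" prefix plus a total length greater than 5, next to a lookup against a sorted list of event handler names. The handler list is a constructed subset of real DOM attribute names, and the attribute name 'online' from the thread is the case that separates the two.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample subset of HTML event handler attribute names.
 * Must stay in ASCII order because the lookup below uses bsearch(). */
static const char *const EVENT_HANDLERS[] = {
    "onabort", "onblur", "onchange", "onclick", "ondblclick", "onerror",
    "onfocus", "oninput", "onkeydown", "onkeypress", "onkeyup", "onload",
    "onmousedown", "onmousemove", "onmouseout", "onmouseover", "onmouseup",
    "onreset", "onresize", "onscroll", "onselect", "onsubmit", "onunload",
};
#define N_HANDLERS (sizeof(EVENT_HANDLERS) / sizeof(EVENT_HANDLERS[0]))

static int cmp_name(const void *key, const void *elem)
{
    return strcmp((const char *)key, *(const char *const *)elem);
}

/* Lower-case the attribute name (HTML attribute names are case-insensitive)
 * into buf; returns 0 if the name does not fit. */
static int normalize(const char *name, char *buf, size_t buflen)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++) {
        if (i + 1 >= buflen) return 0;
        buf[i] = (char)tolower((unsigned char)name[i]);
    }
    buf[i] = '\0';
    return 1;
}

/* Generic heuristic the thread argues against (assumed reading of
 * "matching strings > 5 chars"): any "on..." token longer than 5 chars.
 * This is what flags the harmless attribute name "online". */
int is_handler_naive(const char *name)
{
    char buf[64];
    if (!normalize(name, buf, sizeof buf)) return 0;
    return strncmp(buf, "on", 2) == 0 && strlen(buf) > 5;
}

/* Discrete-list check: flag only names that really are event handlers. */
int is_handler_listed(const char *name)
{
    char buf[64];
    if (!normalize(name, buf, sizeof buf)) return 0;
    return bsearch(buf, EVENT_HANDLERS, N_HANDLERS,
                   sizeof EVENT_HANDLERS[0], cmp_name) != NULL;
}
```

The cost the CRS maintainer mentions is visible here too: a newly introduced handler name is only caught once it is added to the sorted array.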