From 168edfda297215620ca0b7f6edbc2d04718f3c1a Mon Sep 17 00:00:00 2001
From: Christian Folini
Date: Wed, 26 Feb 2020 19:35:01 +0100
Subject: [PATCH 1/2] Fix FP in 941130 and rearrange regex with new regex-assemble file
---
 rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf | 7 ++++++-
 util/regexp-assemble/regexp-941130.data | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 util/regexp-assemble/regexp-941130.data
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 725e3ddfd..2e170d396 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -126,7 +126,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #
 # -=[ XSS Filters - Category 3 ]=-
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.*?(?:SYSTEM|PUBLIC)|data:text\/html|formaction|\@import|base64)\b|pattern\b.*?=)" \
+# Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble.
+# To rebuild the regexp:
+# cd util/regexp-assemble
+# ./regexp-assemble.pl regexp-941130.data
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY.*?(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
 "id:941130,\
 phase:2,\
 block,\
diff --git a/util/regexp-assemble/regexp-941130.data b/util/regexp-assemble/regexp-941130.data
new file mode 100644
index 000000000..060c5d485
--- /dev/null
+++ b/util/regexp-assemble/regexp-941130.data
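Review bot: In the SecRule 941130 hunk, the regenerated expression moves the trailing `\b` outside the whole alternation, so the `pattern\b.*?=` branch now also requires a word boundary after `=`; the old rule left that branch unanchored. As a result `pattern=` followed by a quote or other non-word character stops matching unless a later `=` on the same line is followed by a word character, which narrows detection beyond the false-positive fix named in the subject. The cause is the last entry of util/regexp-assemble/regexp-941130.data, `(?i)[\s\S]pattern\b.*?=\b`; writing it as `(?i)[\s\S]pattern\b.*?=` and regenerating should keep the earlier behaviour, and a regression test with a quoted `pattern` value would pin it. The SecRule's action list continues past the end of this hunk.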
@@ -0,0 +1,10 @@
+(?i)[\s\S]xlink:href\b
+(?i)[\s\S]xhtml\b
+(?i)[\s\S]xmlns\b
+(?i)[\s\S]!ENTITY.*?SYSTEM\b
+(?i)[\s\S]!ENTITY.*?PUBLIC\b
+(?i)[\s\S]data:text\/html\b
+(?i)[\s\S]formaction\b
+(?i)[\s\S]\@import\b
+(?i)[\s\S];base64\b
+(?i)[\s\S]pattern\b.*?=\b
From 2feeb6aa5da4da7e0a3768a2e77de1d39519e942 Mon Sep 17 00:00:00 2001
From: Christian Folini
Date: Wed, 26 Feb 2020 19:49:44 +0100
Subject: [PATCH 2/2] Drop escapes
---
 util/regexp-assemble/regexp-941130.data | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/util/regexp-assemble/regexp-941130.data b/util/regexp-assemble/regexp-941130.data
index 060c5d485..9453a6758 100644
--- a/util/regexp-assemble/regexp-941130.data
+++ b/util/regexp-assemble/regexp-941130.data
@@ -3,8 +3,8 @@
 (?i)[\s\S]xmlns\b
 (?i)[\s\S]!ENTITY.*?SYSTEM\b
 (?i)[\s\S]!ENTITY.*?PUBLIC\b
-(?i)[\s\S]data:text\/html\b
+(?i)[\s\S]data:text/html\b
 (?i)[\s\S]formaction\b
-(?i)[\s\S]\@import\b
+(?i)[\s\S]@import\b
 (?i)[\s\S];base64\b
 (?i)[\s\S]pattern\b.*?=\b
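Review bot: In the new-file hunk that creates regexp-941130.data, the `(?i)[\s\S];base64\b` entry only matches when `base64` directly follows the semicolon, whereas the replaced rule matched the bare token. As far as I recall the WHATWG data: URL processing rules, spaces between `;` and `base64` are tolerated, so such values would fall outside this entry; `(?i)[\s\S];\s*base64\b` would keep the false-positive fix without that gap. The diffstat lists no test files, so a positive and a negative case for the `;base64` change would document the intended boundary.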