
My web application allows users to make custom divs with whitelisted attributes. One of them is data-{user-input}.

Recently I have seen the following XSS payload:

[[div data-test/onmouseover=alert(1)]]

So I added the following code:

    import re

    for attr in attributes:
        attr_name = attr[0].lower()
        # Skip any attribute that is neither whitelisted nor a data-* attribute
        if attr_name not in attr_whitelist and not re.match(r'^data-([a-z0-9\-_]+)$', attr_name):
            continue

Is it possible to bypass the Python implementation of re.match used here?

PasWei

0 Answers
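The question has no answer on the page, so the following is an added example (not code from the original post) that exercises the attribute-name check as written against a few constructed attribute names, next to a stricter variant. The whitelist set and the sample attribute list are assumptions made up for the example. The one behaviour worth knowing about is a Python `re` detail: `$` matches at the end of the string and also just before a string-final newline, so `data-test\n` satisfies `^data-([a-z0-9\-_]+)$` while `\Z` (or `re.fullmatch`) rejects it.

```python
import re

# Assumed whitelist of fixed attribute names (the post does not list its own).
ATTR_WHITELIST = {"class", "id", "title"}

# The pattern from the question, used exactly as posted with re.match.
DATA_ATTR_LOOSE = re.compile(r'^data-([a-z0-9\-_]+)$')

# Stricter variant: \Z anchors at the very end of the string, so a trailing
# newline is not accepted; fullmatch also requires the whole string to match.
DATA_ATTR_STRICT = re.compile(r'^data-([a-z0-9_-]+)\Z')


def allowed_loose(attr_name):
    """Reproduces the check from the question: whitelist or data-* via re.match."""
    name = attr_name.lower()
    return name in ATTR_WHITELIST or DATA_ATTR_LOOSE.match(name) is not None


def allowed_strict(attr_name):
    """Same policy, but the data-* test cannot be satisfied with a trailing newline."""
    name = attr_name.lower()
    return name in ATTR_WHITELIST or DATA_ATTR_STRICT.fullmatch(name) is not None


def filter_attributes(attributes, allowed):
    """Return the (lowercased name, value) pairs that pass the given check."""
    kept = []
    for name, value in attributes:
        if not allowed(name):
            continue
        kept.append((name.lower(), value))
    return kept


def loose_only(attributes):
    """Names that the posted check accepts but the strict check rejects."""
    return [name for name, _ in attributes
            if allowed_loose(name) and not allowed_strict(name)]


# Constructed sample input for the example.
SAMPLE = [
    ("data-test/onmouseover", "alert(1)"),  # the payload from the post: '/' is outside the class
    ("data-TEST", "x"),                     # case folding happens before the check
    ("data-test\n", "x"),                   # '$' matches before the final newline
    ("onmouseover", "alert(1)"),            # not whitelisted, not data-*
    ("data-", "x"),                         # needs at least one character after the dash
]


if __name__ == "__main__":
    print("loose :", filter_attributes(SAMPLE, allowed_loose))
    print("strict:", filter_attributes(SAMPLE, allowed_strict))
    print("accepted only by the posted check:", loose_only(SAMPLE))
```

Two notes on the posted check itself: `re.match` already anchors at the start of the string, so the `^` is redundant but harmless, and the `/` in the reported payload is outside `[a-z0-9\-_]`, so that exact name is rejected. Whether an accepted name such as `data-test\n` is exploitable depends entirely on how the name is later serialized into markup, and the check above says nothing about attribute values, which need their own escaping regardless of the name filter.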