Proposed Changes

Fixes the four context-classification edge cases reported in #7086, improving the accuracy of the XSS context analyzer introduced in #7076.

Note: This PR depends on #7076 being merged first, as it fixes issues in the XSS context analyzer code introduced there.

Changes

  1. javascript: URIs → ContextScript — Attributes like href="javascript:..." on URL-capable attributes (href, src, action, formaction, etc.) are now correctly classified as ContextScript instead of ContextAttribute.

  2. Non-executable <script> types — <script type="application/json">, <script type="application/ld+json">, <script type="text/template">, etc. are no longer treated as executable script context. Only known executable types (text/javascript, module, etc.) set inScript = true. MIME parameters like ; charset=utf-8 are stripped before matching.

  3. Case-insensitive marker detection — The early-exit check in DetectReflections now uses case-insensitive comparison, matching the behavior of the rest of the detection logic.

  4. srcdoc → ContextHTMLText — <iframe srcdoc="..."> attributes allow full HTML injection and are now classified as ContextHTMLText instead of ContextAttribute.

  5. Word boundary in extractAttrFromRaw — Prevents data-type="application/json" from being matched when searching for the type attribute on <script> tags.

Proof

Before (on #7076 branch):

<a href="javascript:CANARY"> → ContextAttribute ❌
<script type="application/json">CANARY → ContextScript ❌
<iframe srcdoc="<b>CANARY</b>"> → ContextAttribute ❌
UPPERCASECANARY → not detected ❌

After (this PR):

<a href="javascript:CANARY"> → ContextScript ✅
<script type="application/json">CANARY → ContextHTMLText ✅
<iframe srcdoc="<b>CANARY</b>"> → ContextHTMLText ✅
UPPERCASECANARY → detected ✅

Test results:

$ go test ./pkg/fuzz/analyzers/xss/ -v -count=1
PASS
ok github.com/projectdiscovery/nuclei/v3/pkg/fuzz/analyzers/xss 0.678s

All 32 tests pass (24 existing + 8 new).

New Test Cases

  • TestDetectReflections_JavascriptURI — href, src, formaction with javascript: URIs
  • TestDetectReflections_ScriptTypeJSON — application/json not treated as executable
  • TestDetectReflections_ScriptTypeLDJSON — application/ld+json not treated as executable
  • TestDetectReflections_ScriptTypeExecutable — text/javascript, module, no-type still work
  • TestDetectReflections_CaseInsensitiveMarker — uppercase marker detection
  • TestDetectReflections_SrcdocAttribute — srcdoc classified as HTMLText
  • TestDetectReflections_ScriptTypeWithParams — MIME parameters stripped correctly
  • TestDetectReflections_DataTypeCollision — data-type does not interfere with type

Checklist

  • PR created against dev branch
  • All checks passed (go vet, unit tests)
  • Tests added that prove the fix is effective (8 new test cases)
  • No documentation changes needed (internal analyzer logic)

/claim #7086
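As an added illustration that is not part of this PR or of nuclei's code, the Go sketch below reconstructs the rules the change list describes: javascript: URIs on URL-capable attributes and srcdoc attribute classification, the executable <script type> allow-list with MIME parameters stripped, and whitespace-bounded attribute extraction so data-type is not mistaken for type. The function names, the allow-list contents and the regexp are assumptions, not the analyzer's real implementation.

```go
package main

import (
	"regexp"
	"strings"
)

// URL-capable attributes, where a javascript: scheme executes as script
// (assumed list for this example).
var urlAttrs = map[string]bool{"href": true, "src": true, "action": true, "formaction": true}

// classifyAttrContext: srcdoc holds a full HTML document, javascript: URIs on
// URL attributes are script context, anything else is a plain attribute value.
func classifyAttrContext(attr, value string) string {
	a, v := strings.ToLower(attr), strings.ToLower(strings.TrimSpace(value))
	if a == "srcdoc" {
		return "ContextHTMLText"
	}
	if urlAttrs[a] && strings.HasPrefix(v, "javascript:") {
		return "ContextScript"
	}
	return "ContextAttribute"
}

// Allow-list of executable <script type> values; "" is a tag with no type.
var executableScriptTypes = map[string]bool{
	"": true, "text/javascript": true, "application/javascript": true, "module": true,
}

// isExecutableScriptType drops MIME parameters ("; charset=utf-8") and matches
// the bare type case-insensitively, so application/json is never script context.
func isExecutableScriptType(typ string) bool {
	if i := strings.IndexByte(typ, ';'); i >= 0 {
		typ = typ[:i]
	}
	return executableScriptTypes[strings.ToLower(strings.TrimSpace(typ))]
}

// extractAttr requires whitespace before the attribute name, so a search for
// "type" skips data-type="application/json"; returns (value, found).
func extractAttr(rawTag, attr string) (string, bool) {
	re := regexp.MustCompile(`(?i)\s` + regexp.QuoteMeta(attr) + `\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
	m := re.FindStringSubmatch(rawTag)
	if m == nil {
		return "", false
	}
	return m[1] + m[2] + m[3], true // only one alternative group is non-empty
}
```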

Summary by CodeRabbit

  • New Features

    • Added a context-aware XSS analyzer that detects reflections across HTML, attributes, scripts, styles, comments, and tag names and verifies unencoded reflections.
    • Fuzzer now exposes HTTP response details (body, headers, status code) for richer analysis results.
  • Improvements

    • Made random payload generation concurrency-safe for reliable concurrent fuzzing.
    • Expanded analyzer context metadata used for payload selection.
  • Tests

    • Added extensive unit tests and benchmarks for XSS detection and context resolution.

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted March 03, 2026
Last updated March 03, 2026

Contributors

Eunho Lee (Tony)

@lucky7323

100%

Sponsors

Bishnu Prasad Sahu

@mebishnusahu0595

$100