Summary

Fixes four bugs in DetectReflections (pkg/fuzz/analyzers/xss/context.go) identified in #7086.


Bug #1 - javascript: URIs misclassified as ContextAttribute

Root cause: The attribute-scanning loop only upgraded the context to ContextScript for event-handler attributes (onclick, onerror, ...). URL-type attributes (href, src, action, formaction, data, poster, ping) whose value begins with javascript: were left as ContextAttribute.

Impact: The analyser selected HTML attribute break-out payloads instead of JavaScript payloads, causing false negatives on javascript:-URI XSS.

Fix: Added isURLAttribute() and hasJavaScriptScheme() helpers. hasJavaScriptScheme strips leading whitespace/control chars (matching browser normalisation) and performs a case-insensitive prefix check.
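As an added illustration of the check described above (example code written for this description, not the code in context.go; the attribute list, the Context labels and the helper names are assumptions modelled on the text), the snippet below normalises the attribute value the way a browser's URL parser does before looking for the scheme. It goes slightly beyond the description in one respect: besides trimming leading C0 control characters and spaces, it also drops ASCII tab and newline characters anywhere in the value, which is what the WHATWG URL parser does before scheme matching.

```go
package main

import (
	"fmt"
	"strings"
)

// Context labels constructed for this example; the analyzer has its own enum.
type Context string

const (
	ContextAttribute Context = "attribute"
	ContextScript    Context = "script"
)

// urlAttributes: attributes whose value is parsed as a URL, so a javascript:
// scheme there runs as script. Hypothetical list mirroring the description.
var urlAttributes = map[string]bool{
	"href": true, "src": true, "action": true, "formaction": true,
	"data": true, "poster": true, "ping": true,
}

func isURLAttribute(name string) bool {
	return urlAttributes[strings.ToLower(name)]
}

// normalizeURLValue mimics the URL parser's pre-processing: strip leading and
// trailing C0 controls/spaces (bytes <= 0x20), then remove every tab, CR or LF.
// Trailing trimming is harmless for a prefix check and matches the parser.
func normalizeURLValue(v string) string {
	v = strings.TrimFunc(v, func(r rune) bool { return r <= 0x20 })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // drop the rune
		}
		return r
	}, v)
}

// hasJavaScriptScheme reports whether the normalised value starts with
// "javascript:" under a case-insensitive comparison.
func hasJavaScriptScheme(v string) bool {
	const scheme = "javascript:"
	n := normalizeURLValue(v)
	return len(n) >= len(scheme) && strings.EqualFold(n[:len(scheme)], scheme)
}

// classifyAttributeReflection decides the context of a marker reflected in
// the value of attribute `name`: script for javascript: URLs in URL-type
// attributes, plain attribute context otherwise.
func classifyAttributeReflection(name, value string) Context {
	if isURLAttribute(name) && hasJavaScriptScheme(value) {
		return ContextScript
	}
	return ContextAttribute
}

func main() {
	// Constructed sample values; "canary123" stands in for the reflected marker.
	for _, tc := range []struct{ name, value string }{
		{"href", "javascript:canary123"},
		{"href", " \t\x01JAVASCRIPT:canary123"},
		{"formaction", "java\nscript:canary123"},
		{"src", "https://example.test/canary123.js"},
		{"title", "javascript:canary123"},
	} {
		fmt.Printf("%-10s %-32q -> %s\n", tc.name, tc.value, classifyAttributeReflection(tc.name, tc.value))
	}
}
```

Note that the non-URL attribute (title) stays ContextAttribute even though its value carries the scheme: the upgrade depends on both the attribute name and the value.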


Bug #2 - <script type="application/json"> treated as executable JavaScript

Root cause: The case "script": branch set inScript = true unconditionally, before reading the tag’s attributes.

Impact: Marker reflections inside non-executable script blocks (application/json, application/ld+json, text/template, ...) were reported as ContextScript, producing false positives and wrong payloads.

Fix: Added isExecutableScriptTag(rawToken) which parses the type= attribute from the raw token string. Only standard executable MIME types (text/javascript, application/javascript, module, and their variants) set inScript = true.
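For readers who want to see what such a type= check looks like, here is an added example (written for this description, not the project's isExecutableScriptTag; the regular expression, the MIME list and the handling of parameters are assumptions). It takes the raw start tag, extracts the type attribute whether quoted or not, strips MIME parameters such as "; charset=utf-8", and only returns true for the JavaScript MIME type essences listed in the HTML Standard plus "module". A missing or empty type is executable, as in browsers; data blocks such as application/json, application/ld+json, text/template and importmap fall through to false.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// executableScriptTypes: JavaScript MIME type essences from the HTML Standard,
// plus "module". Everything else is an inert data block.
var executableScriptTypes = map[string]bool{
	"text/javascript": true, "application/javascript": true,
	"text/ecmascript": true, "application/ecmascript": true,
	"text/x-javascript": true, "application/x-javascript": true,
	"text/x-ecmascript": true, "application/x-ecmascript": true,
	"text/jscript": true, "text/livescript": true,
	"text/javascript1.0": true, "text/javascript1.1": true,
	"text/javascript1.2": true, "text/javascript1.3": true,
	"text/javascript1.4": true, "text/javascript1.5": true,
	"module": true,
}

// typeAttr finds a type= attribute in a raw start tag. The leading \s keeps
// it from matching names such as datatype=. Accepts "..", '..' and unquoted.
var typeAttr = regexp.MustCompile(`(?i)\stype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))`)

// isExecutableScriptTag reports whether the script element whose raw start
// tag is rawToken would be executed as JavaScript by a browser.
func isExecutableScriptTag(rawToken string) bool {
	m := typeAttr.FindStringSubmatch(rawToken)
	if m == nil {
		return true // no type attribute: classic script
	}
	val := m[1] + m[2] + m[3] // only one alternative captures anything
	if i := strings.IndexByte(val, ';'); i >= 0 {
		val = val[:i] // drop MIME parameters
	}
	val = strings.ToLower(strings.TrimSpace(val))
	if val == "" {
		return true // type="" is treated as text/javascript
	}
	return executableScriptTypes[val]
}

func main() {
	// Constructed raw tokens, as the tokenizer would hand them over.
	for _, tok := range []string{
		`<script>`,
		`<script type="text/javascript; charset=utf-8">`,
		`<script type=module>`,
		`<script TYPE='application/ld+json'>`,
		`<script type="application/json">`,
		`<script type="text/template">`,
		`<script type="importmap">`,
	} {
		fmt.Printf("%-48s executable=%v\n", tok, isExecutableScriptTag(tok))
	}
}
```

In the analyzer the result decides whether inScript is set for the tag; with this check a marker inside a JSON block is classified by the surrounding HTML rather than as a JavaScript string context.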


Bug #3 - Case-sensitive initial marker check causes missed reflections

Root cause: if !strings.Contains(body, marker) used the original-case marker for the early-exit guard, while every subsequent check used markerLower.

Impact: Servers that transform the canary (e.g. all-uppercase) triggered the early return, silently missing the vulnerability.

Fix: Changed the guard to strings.Contains(strings.ToLower(body), markerLower).


Bug #4 - srcdoc attribute classified as ContextAttribute

Root cause: No special handling for srcdoc.

Impact: srcdoc attribute values are parsed by browsers as complete HTML documents; injection is HTML injection, not attribute injection. Wrong context → wrong payload selection.

Fix: srcdoc reflections are now classified as ContextHTMLText.


Tests

40+ unit tests added to context_test.go covering:

  • All four bug fixes with representative inputs
  • Edge cases: uppercase JAVASCRIPT:, leading-whitespace javascript: URIs, JAVASCRIPT: in action/formaction
  • All non-executable script MIME types
  • Case-insensitive canary detection (upper, mixed)
  • srcdoc context classification
  • Existing functionality (HTML text, attribute, event handler, script, style, comment)
  • BestReflection priority, detectScriptStringContext quote tracking

/claim #7086

Summary by CodeRabbit

  • New Features
    • Added an XSS context analyzer that detects reflected payloads, identifies precise reflection contexts (text, attributes, scripts, styles, comments), and verifies reflections with CSP awareness.
    • Analyzer results now include HTTP response details (body, headers, status) for richer reporting.
  • Bug Fixes
    • Improved randomness handling for more reliable, concurrency-safe payload generation.
  • Tests
    • Extensive unit tests added for XSS context detection and payload verification.

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted March 05, 2026
Last updated March 05, 2026

Contributors


Andrew Boehner

@Boehner

100%

Sponsors


Bishnu Prasad Sahu

@mebishnusahu0595

$100