Description

This PR implements an XSS context analyzer that properly handles edge cases mentioned in #7086.

Changes

New Files

  • pkg/fuzz/analyzers/xss/types.go - Context type definitions
  • pkg/fuzz/analyzers/xss/context.go - Context analyzer implementation
  • pkg/fuzz/analyzers/xss/context_test.go - Comprehensive tests

Features

  1. javascript: URI Detection

    • Detects javascript: scheme in href/src attributes
    • Prevents false positive XSS detection
    • Case-insensitive matching
  2. JSON Script Block Detection

    • Identifies <script type="application/json"> blocks
    • Identifies <script type="application/ld+json"> blocks
    • Skips XSS analysis for JSON data (not executable)
  3. Context Classification

    • HTML Text
    • Attribute (quoted/unquoted)
    • Script/Script String
    • Style
    • HTML Comment
    • JSON (NEW)
    • Javascript URI (NEW)
    • None

Testing

All tests pass:

  • TestIsJavascriptURI - 7 test cases
  • TestIsJSONScript - 5 test cases
  • TestAnalyzeContext - 3 integration tests

Related Issues

  • Closes #7086 (XSS Context Analyzer edge cases)
  • Extends #7076 (XSS fuzzing engine)

Checklist

  • Code implemented
  • Tests added
  • Documentation (code comments)
  • Ready for review

/claim #7086 for Algora bounty

Summary by CodeRabbit

  • New Features

    • XSS analysis now recognizes JSON script blocks and javascript: URIs as distinct contexts for more accurate detection.
  • Tests

    • Added comprehensive tests covering the new context detection and normalization behavior.
  • Documentation

    • Updated the implementation plan with steps, branch tracking, and ETA for rolling out the new contexts.

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted March 05, 2026
Last updated March 05, 2026

Contributors

EthanHan

@EthanHan

100%

Sponsors

Bishnu Prasad Sahu

@mebishnusahu0595

$100