From d38a067c9e81542082f27ef312acef72944ec3b3 Mon Sep 17 00:00:00 2001
From: Jeremias Pettinen
Date: Sun, 9 Nov 2025 13:29:35 +0200
Subject: [PATCH] [XSS] Fix harmless dots in URLs not being replaced

`InjectionChecker._removeDots` was called with `this` bound to `globalThis` instead of `InjectionChecker`, causing the dot-replacing intended to reduce false positives to not work properly.

Fixes #415.
---
 src/xss/InjectionChecker.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
index 76698178..8a767e1b 100644
--- a/src/xss/InjectionChecker.js
+++ b/src/xss/InjectionChecker.js
@@ -388,7 +388,7 @@ XSS.InjectionChecker = (async () => {
 ) return true;
 expr = // dotted URL components can lead to false positives, let's remove them
- expr.replace(this._removeDotsRx, this._removeDots)
+ expr.replace(this._removeDotsRx, this._removeDots.bind(this))
 .replace(this._arrayAccessRx, '_ARRAY_ACCESS_')
 .replace(/<([\w:]+)>[^/g, '<$1/>') // reduce XML text nodes
 .replace(/