MentalJS bypasses

I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne's vector was outstanding since it bypassed the parsing itself which is no easy task. The vector was as follows:

for(var i
i/'/+alert(location);0)break//')

Basically my parser was inserting a semi colon in the wrong place causing a different state than the actual state executed. My fix inserts the semi colon in the correct place. Before the fix the rewritten code looked like this:

for (var i$i$; / '/+alert(location);0)break//')

As you can see the variables have been incorrectly joined and so the next state is a regex whereas Mental thinks it's a divide. After the fix the rewritten code looks like this:

for (var i$;i$ / '/+alert(location);0)break//')

So now the divide is an actual divide. Technically I shouldn't be inserting a semi-colon in the for statement, I might fix this at a later stage if I have time.

The second bypass was from Soroush that basically assigned innerHTML on script nodes bypassing the rewriting completely. Cool bug. The fix was pretty simple, I prevented innerHTML assignments on script nodes. Here is the bypass:-

parent=document.getElementsByTagName('body')[0];
img=document.getElementsByTagName('img')[0];
x=document.createElement('script');
x.innerHTML='alert(location)';
parent.appendChild(x);