From 3c74ee8d9759965d7ab4e2e00121f2f5f1fc9440 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 25 Oct 2016 20:44:00 +0200
Subject: [PATCH] remove scripts before calculating hashes
---
 lib/wpscan/web_site.rb | 9 ++++++---
 spec/lib/wpscan/web_site_spec.rb | 11 +++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/wpscan/web_site.rb b/lib/wpscan/web_site.rb
index ec299eff..002f324b 100644
--- a/lib/wpscan/web_site.rb
+++ b/lib/wpscan/web_site.rb
@@ -91,15 +91,18 @@ class WebSite
 end
 # Compute the MD5 of the page
- # Comments are deleted from the page to avoid cache generation details
+ # Comments and scripts are deleted from the page to avoid cache generation details
 #
 # @param [ String, Typhoeus::Response ] page The url of the response of the page
 #
 # @return [ String ] The MD5 hash of the page
 def self.page_hash(page)
 page = Browser.get(page, { followlocation: true, cache_ttl: 0 }) unless page.is_a?(Typhoeus::Response)
-
- Digest::MD5.hexdigest(page.body.gsub(//m, ''))
+ # remove comments
+ page = page.body.gsub(//m, '')
+ # remove javascript stuff
+ page = page.gsub(/)<[^<]*)*<\/script>/m, '')
+ Digest::MD5.hexdigest(page)
 end
 def homepage_hash
diff --git a/spec/lib/wpscan/web_site_spec.rb b/spec/lib/wpscan/web_site_spec.rb
index 0b5611b0..4eeda2eb 100644
--- a/spec/lib/wpscan/web_site_spec.rb
+++ b/spec/lib/wpscan/web_site_spec.rb
@@ -176,6 +176,17 @@ describe 'WebSite' do
 @expected = "yolo\n\n\nworld!"
 end
 end
+
+ context 'when there are scripts' do
+ let(:page) {
+ body = "yolo\n\n\nworld!"
+ Typhoeus::Response.new(body: body)
+ }
+
+ it 'removes them' do
+ @expected = "yolo\n\n\nworld!"
+ end
+ end
 end
 describe '#homepage_hash' do
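Review bot: The script-stripping pattern added in `self.page_hash` (lib/wpscan/web_site.rb) carries only the `m` flag and ends in a literal lower-case `<\/script>`, so a response that writes its tags as `<SCRIPT>` would keep its script content in the hashed text; adding the `i` flag (`/mi`) would cover that. The opening part of the pattern looks truncated in this rendering, so this rests on the flags and closing tag that are visible. The method also rebinds `page` from a `Typhoeus::Response` to a `String`; a separate local, e.g. `body = page.body.gsub(...)` followed by `Digest::MD5.hexdigest(body)`, would read more clearly. The new example in spec/lib/wpscan/web_site_spec.rb covers a single script case only, and an upper-case variant there would pin the flag change.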