From 41050c2bd87235c7733fc683f3957bbfc71d78e3 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Tue, 3 Mar 2026 23:38:42 +0100 Subject: [PATCH] refactor: create 941250 `.ra` file --- regex-assembly/941250.ra | 71 +++++++++++++++++++ rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf | 7 +- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 regex-assembly/941250.ra diff --git a/regex-assembly/941250.ra b/regex-assembly/941250.ra new file mode 100644 index 0000000000..5c2eeb2bdb --- /dev/null +++ b/regex-assembly/941250.ra @@ -0,0 +1,71 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Rule 941250: IE XSS Filters - detects XSS via META http-equiv attribute. +##! Matches where X starts with c (content-type), +##! r (refresh), or s (set-cookie), including HTML entity encoded variants. + +##!+ i + +##! HTML entity codes for 'c'/'C': 67=C dec, 43=C hex, 99=c dec, 63=c hex +##!> assemble + 67 + 43 + 99 + 63 + ##!=< c-entity-codes +##!< + +##! HTML entity codes for 'r'/'R': 82=R dec, 52=R hex, 114=r dec, 72=r hex +##!> assemble + 82 + 52 + 114 + 72 + ##!=< r-entity-codes +##!< + +##! HTML entity codes for 's'/'S': 83=S dec, 53=S hex, 115=s dec, 73=s hex +##!> assemble + 83 + 53 + 115 + 73 + ##!=< s-entity-codes +##!< + +##! Main pattern: assemble + + ##!> assemble + ##! Letter 'c' literal or as HTML entity + ##!> assemble + c + ##!> assemble + &#x?0* + ##!=> c-entity-codes + ;? + ##!< + ##!< + ##! Letter 'r' literal or as HTML entity + ##!> assemble + r + ##!> assemble + &#x?0* + ##!=> r-entity-codes + ;? + ##!< + ##!< + ##! Letter 's' literal or as HTML entity + ##!> assemble + s + ##!> assemble + &#x?0* + ##!=> s-entity-codes + ;? + ##!< + ##!< + ##!< +##!< diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf index f04a39d509..bc2429c8b8 100644 --- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -467,7 +467,12 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|X setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:
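Review bot: In regex-assembly/941250.ra, the entity-code blocks are documented by radix (for example "67=C dec, 43=C hex"), but each block is consumed after the shared prefix `&#x?0*`, where the `x` is optional, so every listed code is accepted in both radices. As written, `&#43;` (decimal 43, a plus sign) and `&#x67;` (hex 67, the letter g) both satisfy the "letter c" branch, and the r and s branches behave the same way. If this is carried over deliberately from the expression being replaced, a `##!` comment next to the prefix should say so, so the looseness reads as intentional. If not, each letter could be split into a `&#0*` branch holding the decimal codes and a `&#x0*` branch holding the hex codes.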
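Review bot: In the rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf hunk, the removed SecRule expression opens with an inline `(?i:` group, while the new 941250.ra requests case-insensitivity through its `##!+ i` flag line, so the regenerated expression may not be textually identical to the one it replaces. The subject labels this a refactor and the diffstat touches only the .ra file and the rules file, so the commit message should state that the rule's existing regression tests pass unchanged against the generated expression, or the change should add a test that pins the entity-encoded variants.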