by Thrawn » Thu May 24, 2012 10:56 pm
obiwan wrote:Thrawn wrote:It's not really wise to use parentheses in an anchor name...
Why not? It's a perfectly valid anchor name as far as I can see.
It's legal, but it's not wise, because there are filters like NoScript and PHP-IDS that will flag it as suspicious. There's nothing illegal happening in
this webcomic, but...
obiwan wrote:Tom T. wrote:Agree that it's a site coding problem, not an NS problem. The sanitized URL provided by NS's XSS protection would be a better one to use for that link.
Actually, I disagree that it's not a NoScript problem, it seems like an obvious false positive to me.
The real issue here is that NoScript's anti-XSS feature is not very sophisticated, because it filters
any suspicious URLs regardless of whether they really are dangerous or not. It's unable to distinguish between a false positive and a real risk.
That depends on what you mean by 'false positive'. NoScript's filters are actually very sophisticated at distinguishing a potential attack from a request that just happens to contain special characters. If something gets filtered, then it was probably capable of being executed as an attack on a site that doesn't properly sanitise requests, and if a site is deliberately injecting scripts - XSS by design - then an attacker can do the same, thus there is a 'real risk'. If a particular site
does properly sanitise everything, and the filtering breaks it, and you know how to write regular expressions, then OK, you can add an exception to the XSS filter (Options-Advanced-XSS). In this case, you'll get a warning, but the filtered link will still work, so I'd leave it as-is.
[quote="obiwan"][quote="Thrawn"]
It's not really wise to use parentheses in an anchor name...
[/quote]
Why not? It's a perfectly valid anchor name as far as I can see.
[/quote]
It's legal, but it's not wise, because there are filters like NoScript and PHP-IDS that will flag it as suspicious. There's nothing illegal happening in [url=https://xkcd.com/576/]this webcomic[/url], but...
[quote="obiwan"]
[quote="Tom T."]Agree that it's a site coding problem, not an NS problem. The sanitized URL provided by NS's XSS protection would be a better one to use for that link.
[/quote]
Actually, I disagree that it's not a NoScript problem, it seems like an obvious false positive to me.
The real issue here is that NoScript's anti-XSS feature is not very sophisticated, because it filters [i]any[/i] suspicious URLs regardless of whether they really are dangerous or not. It's unable to distinguish between a false positive and a real risk.[/quote]
That depends on what you mean by 'false positive'. NoScript's filters are actually very sophisticated at distinguishing a potential attack from a request that just happens to contain special characters. If something gets filtered, then it was probably capable of being executed as an attack on a site that doesn't properly sanitise requests, and if a site is deliberately injecting scripts - XSS by design - then an attacker can do the same, thus there is a 'real risk'. If a particular site [b]does[/b] properly sanitise everything, and the filtering breaks it, and you know how to write regular expressions, then OK, you can add an exception to the XSS filter (Options-Advanced-XSS). In this case, you'll get a warning, but the filtered link will still work, so I'd leave it as-is.
