[RESOLVED] ABE and XSS breaking site's preview function

Bug reports and enhancement requests
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

[RESOLVED] ABE and XSS breaking site's preview function

Post by Tom T. »

I was trying to post at a site that allows previewing, then editing, re-previewing, etc. (Sure would like that feat at Hackademix! ;) ) Never had a problem in previous 250+ posts. This time, after several such edits, ABE logo showed up next to NS logo in status bar. Clicked - tried "Unsafe reload". Got this confirm message:
UNSAFELY reloading a suspicious
POST [http://www.amiright.com/parody/displayPreview.php)
FROM [http://www.amiright.com/genericForm.php ... rodyLyrics]
NS will NOT protect this request!
Are you sure?
Confirmed OK, it worked once or twice. Then it again started blocking the reloading of the preview page. Finally, out of frustration (and hunger) I disabled ABE. Same problem recurred after a bit. So I clicked ABE logo, clicked "XSS", got the same "Unsafe reload" > OK > same message as above. Also, several times in this process, the screen went blank completely, with the site's URL still in the address bar, so had to start all over again.

Site: http://www.amiright.com/genericForm.php ... rodyLyrics

After successfully submitting (several hours later), tried to reproduce: Closed browser, which deletes cache, cookies, etc. Went back there. Typed some random strings in the Lyrics box, hit "preview" many times, couldn't reproduce. You can try -- no account required, don't need to fill in all the boxes to use the "preview" function, just some random ones. (Don't fill in the CAPTCHA or hit "send", or it'll be submitted for moderation, though probably not approved LOL).

From the warning display, any idea what's happening? TIA.

NS 1.9.3.5 on Fx 2.0.0.20. Scripting from amiright.com in whitelist, though all others disallowed. Same config that worked yesterday, before installing ABE version. No changes to any other add-ons or anything else since yesterday's successful preview and submission.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE and XSS breaking site's preview function

Post by therube »

Just to point out, each time you hit Preview it does send another POST regardless of whether you have changed the form or not.

Code:

POST /parody/displayPreview.php HTTP/1.1
I hit Preview a LOT & unable to duplicate.

amiright.com Allowed, but nothing else.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE and XSS breaking site's preview function

Post by GµårÐïåñ »

I have been getting some random unstable and funky behavior but nothing I could reproduce or pin down. Maybe some kinks that will work out when the full release is finally stable.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE and XSS breaking site's preview function

Post by Tom T. »

OK thanks, guys. I don't plan to post there again until Monday, so will see if it was just the aliens attempting to subvert our communications before they take over. ...Resistance is fu-ti-le.
GµårÐïåñ wrote:I have been getting some random unstable and funky behavior but nothing I could reproduce or pin down. Maybe some kinks that will work out when the full release is finally stable.
Ditto. Ditto on awaiting stable release.

Edit: On Yahoo Classic Mail page loads (e. g., after deleting one message, auto-goes back to Inbox) the page does a little "curtsey" ... dips down on the screen a few inches, then jumps back up. A little dizzying. Will comment at the "Slow Reload" thread.
Last edited by Tom T. on Sat May 30, 2009 5:02 am, edited 1 time in total.
Reason: more weirdness
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

XSS false pos - giving up on ABE for now.

Post by Tom T. »

I replaced my profile with a "good" backup (browser worked perfectly) from a week or two ago and updated to latest stable 1.9.3.3.

The page-dancing and weird loading were fixed, so perhaps something in the newest profile had gotten corrupted.

However, I still could not post -- got an XSS "unsafe reload". Message: "NS blocked an unsafe *upload* to ..." What's unsafe? My post had a couple of HTML links, like to a particular YouTube video. The site allows such links, as all posts are moderated for spam, etc. before being posted. The only other code was a couple of line breaks <BR><BR>, which are also permitted. I don't know why NS thought this was an unsafe upload, and also, I thought it was supposed to protect *me*, not the target site lol.

So I added an XSS exception to http://www.amiright.com/parody/displayPreview.php, and everything works fine. So this is a false positive XSS report now.
As for ABE, I believe I'll wait for it to stabilize a bit more -- or perhaps on the next post to that site, see if the XSS exception keeps the issue cleared, in which case the fault was not ABE's, even though there were ABE block messages.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE and XSS breaking site's preview function

Post by GµårÐïåñ »

I have been getting a HUGE rash of XSS notifications for sites like gmail and bank of america and stuff that have NEVER given me an XSS message before. I am not sure if the rules for evaluating them have changed, but it has become not only annoying but is causing a lot of instability, and I doubt all these sites suddenly went stupid and decided to use a different programming technique that triggers it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE and XSS breaking site's preview function

Post by Tom T. »

GµårÐïåñ wrote:I have been getting a HUGE rash of XSS notifications for sites like gmail and bank of america and stuff that have NEVER given me an XSS message before. I am not sure if the rules for evaluating them have changed, but it has become not only annoying but is causing a lot of instability, and I doubt all these sites suddenly went stupid and decided to use a different programming technique that triggers it.
@Giorgio, can you shed any light on GµårÐïåñ's report?

I have successfully posted at the site I complained of, using stable 1.9.3.3 and an XSS exception for that site. I'll install ABE again and try to post there, probably within a day. If it still works OK, then it was an XSS false pos issue all along, and I mistakenly blamed ABE because that's when I noticed the issue.

However, I would still like to be able to disable ABE notifications, since every single page reload at Yahoo Classic Mail (view message, delete, back to inbox, compose, etc.) produced a notification of deny Request GET to the ad agency. They got old after a while. TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ABE and XSS breaking site's preview function

Post by Giorgio Maone »

Tom T. wrote:
GµårÐïåñ wrote:I have been getting a HUGE rash of XSS notifications for sites like gmail and bank of america and stuff that have NEVER given me an XSS message before. I am not sure if the rules for evaluating them have changed, but it has become not only annoying but is causing a lot of instability, and I doubt all these sites suddenly went stupid and decided to use a different programming technique that triggers it.
@Giorgio, can you shed any light on GµårÐïåñ's report?
Yes, I noticed one on GMail while auto-saving.
This is almost surely due to the request origin checking algorithm for XSS protections, which is now delegated to ABE and slightly modified, apparently attaching "origin unidentified" to some requests previously marked as "same-origin".
I'll fix that before releasing a stable NoScript with ABE inside, together with the DNS-related "hangs".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE and XSS breaking site's preview function

Post by therube »

It is not unexpected for me to receive Unresponsive Script warnings at BoA, but I have yet to see anything ABE related anywhere.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE and XSS breaking site's preview function

Post by GµårÐïåñ »

Thank you Giorgio. After that post, during which I was running x.5, I updated to the x.6 dev build, just in case it matters. Thank you, and I look forward to the final build; let me know if I can test anything for you.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

ABE is innocent -- John Wilkes Booth guilty

Post by Tom T. »

I updated to 1.9.3.6 and went back to the site in question. Same issue with XSS notifications after some number of repeated "previews", then when I was satisfied with the post and hit "submit", it hung. Clicked the XSS logo, told it "reload". It did, but I got a server error -- "String too long etc...." Of course, when I went back to the original form, everything I had typed in all of the multiple field boxes was lost. :cry:

This proved to be the XSS exception that fixed it: http://www.amiright.com/parody/displayPreview.php?=*
I don't know why, but I guess it needed the wildcard. (I have not yet studied regular expressions.) With that, the site works normally again.

Looking forward to the friendly ABE-XSS President-Vice President ticket!

@therube: I have had a couple of those "unresponsive script" warnings, one at Yahoo Classic Mail, and one at the site described above. In each case, the sites, or at least the pertinent scripts, have been whitelisted. What is a likely cause of that?
The only consequence is that at Yahoo, I believe it was the "auto-save" script, that saves drafts as you type, in case you lose them. (I save them to text doc anyway. Lost far too many and had to reconstruct from feeble memory -- mine, not the puter's lol).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
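Giorgio's explanation (same-origin POSTs wrongly labelled "origin unidentified") and Tom's per-URL XSS exception, as an added illustrative model in Python. This is not NoScript's code: the origin triple, the lost_source switch that stands in for the regression, and the anchored exception regex are simplifying assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample URLs, copied from the warning message quoted in the thread.
FORM_URL = "http://www.amiright.com/genericForm.php"
PREVIEW_URL = "http://www.amiright.com/parody/displayPreview.php"
# Tom's workaround written as an anchored regex (assumption: exceptions are
# regexes matched against the destination URL).
PREVIEW_EXCEPTION = r"^http://www\.amiright\.com/parody/displayPreview\.php"


def origin_of(url):
    """Return the (scheme, host, port) triple that defines a web origin."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def classify_origin(request_url, source_url):
    """Label a request 'same-origin', 'cross-origin', or 'origin unidentified'
    (the last when the browser cannot attribute it to any source document)."""
    if source_url is None:
        return "origin unidentified"
    if origin_of(source_url) == origin_of(request_url):
        return "same-origin"
    return "cross-origin"


def xss_filter_applies(request_url, source_url, exceptions=(), lost_source=False):
    """Decide whether the anti-XSS filter inspects a POST.

    lost_source=True models the regression described in the thread: the
    origin tracker drops a same-origin source, the request is treated as
    'origin unidentified', and the filter fires on a legitimate same-site POST.
    """
    if lost_source:
        source_url = None
    if classify_origin(request_url, source_url) == "same-origin":
        return False  # same-origin traffic is never filtered
    # Exceptions are matched against the destination only; they do not look
    # at where the request came from, which is the cost of the workaround.
    return not any(re.search(rx, request_url) for rx in exceptions)


if __name__ == "__main__":
    print("normal preview:", xss_filter_applies(PREVIEW_URL, FORM_URL))
    print("regression:", xss_filter_applies(PREVIEW_URL, FORM_URL, lost_source=True))
    print("with exception:", xss_filter_applies(PREVIEW_URL, FORM_URL, [PREVIEW_EXCEPTION], lost_source=True))
    print("cross-site, exception present:",
          xss_filter_applies(PREVIEW_URL, "http://other.example/form.html", [PREVIEW_EXCEPTION]))
```

The last case is the caveat of the exception workaround: once the destination is excepted, a POST to it from any other site is also passed through unfiltered, so the exception should be removed once the origin-tracking fix ships.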
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE and XSS breaking site's preview function

Post by therube »

I don't recall offhand any problems with Yahoo Classic Mail. I don't send all that often from Yahoo.
Most times, I run Yahoo with yahoo.com Allowed, but sometimes not. Don't recall Unresponsive Scripts there.

BoA is another story. I try my best to not allow JavaScript at BoA, but some sections require it. Sometimes I'll leave it enabled when I'm testing. Too often I'll get Unresponsive Script warnings there.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE is innocent -- John Wilkes Booth guilty

Post by Tom T. »

Tom T. wrote:What is a likely cause of that?
Any idea -- either at Yahoo or B of A? TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ABE and XSS breaking site's preview function

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE and XSS breaking site's preview function

Post by Tom T. »

Bookmarked, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard