by tlu » Sat Oct 22, 2011 10:41 am
GµårÐïåñ wrote:
tlu wrote: Absolutely. The question is only why the NoScript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".
I guess you don't get what TRUSTED means, which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it; if you don't, they can't. Simple enough, so I don't get why you are not getting this.
Because you're much more intelligent than I am?
GµårÐïåñ wrote: If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?
Yes, you are. There must be a reason why Giorgio constructed the XSS filter in such a way that it also blocks XSS attacks coming from trusted sites. If it were as simple as you suggest, this wouldn't have been necessary. And if I remember correctly, this feature didn't exist in earlier versions - it was introduced later. Again, there must be a reason why.
Anyway, it's a built-in feature, and my only question was why it doesn't work in these examples. "Simple enough, so I don't get why you are not getting this."