I got an XSS warning when doing searches from the context menu on script-disabled pages with duckduckgo html/ssl; other search plugins are working for me.
Maybe related?
My STR:
1) Firefox 45.5 ESR new, clean profile.
2) Install NoScript 2.9.5.1
3) Install duckduckgo html/ssl from
https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-html/
and make it default search engine.
4) Delete "addons.mozilla.org" whitelist entry.
See https://postimg.org/image/6ho3g70k3/
5) In NoScript Options/Advanced/Untrusted select "Block scripting in whitelisted subdocuments of non-whitelisted pages".
See https://postimg.org/image/6sl5bjtqv/
6) Go to
https://addons.mozilla.org/en-US/firefox/addon/noscript/
Select some text and search for it:
See https://postimg.org/image/txtrfl05r/
This will result in an XSS warning.
Not happening with NoScript 2.9.0.14
See https://postimg.org/image/jwzrhjmcn/
System: Debian Stable x86_64
Consistently reproducible with Firefox 45.5 ESR (both Debian version and Mozilla binary tarball) and with
SeaMonkey 2.47 unofficial from Adrian Kalla
https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-linux64/
Not reproducible with Firefox 50 (Mozilla binary tarball).
I've added this exception
^https://duckduckgo\.com/html/
to the XSS filter and it's working for me.