Stumbleupon and XSS

Post a reply


In an effort to prevent automatic submissions, we require that you complete the following challenge.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: Stumbleupon and XSS

Re: Stumbleupon and XSS

by share666 » Thu Jul 02, 2009 1:21 am

I went into the JS file and changed the wording around and rearchived it.
It still generates a line but it is now meaningless.

Re: Stumbleupon and XSS

by share666 » Wed Jul 01, 2009 11:26 pm

What must I do to stop it?

Thanks.

Re: Stumbleupon and XSS

by therube » Wed Jul 01, 2009 3:25 pm

Sure enough, StumbleUpon is doing it.
(Also looks to be using an older, tldEmulation.js.)

stumbleuponOverlay.js:

Code: Select all

function su_update_noscript_whitelists()
{
   if (! su_ds.isPrefDefined("noscript.filterXExceptions"))
      return;
   
   var str = su_ds.getValue("noscript.filterXExceptions");
   var exceptions = str.split("\n");
   var filter_str = "^(http|https)://[a-z0-9\\-]+\\.stumbleupon\\.com/";
   var i;
   var found = false;
   for (i = 0; i < exceptions.length; i++)
   {
      if (exceptions[i] == filter_str)
      {
         found = true;
         break;
      }
   }
   
   if (! found)
   {
      exceptions.push(filter_str);
      str = exceptions.join("\n");
      su_ds.setValue("noscript.filterXExceptions", str);
   }
   
   if ((typeof noscriptUtil) != "object")
      return;
   
   if (noscriptUtil.service &&
         noscriptUtil.service.jsPolicySites &&
         ((typeof noscriptUtil.service.jsPolicySites.add) == "function"))
   {
      noscriptUtil.service.jsPolicySites.add("stumbleupon.com");
   }
   
   su_ds.flushPrefs();
}

Stumbleupon and XSS

by share666 » Wed Jul 01, 2009 11:33 am

When I go to the option Advanced / XSS there is an Anti-XSS Protection Exception that is entered.

^(http|https)://[a-z0-9\-]+\.stumbleupon\.com/

I can erase this and the screen goes yellow. No problem.

Then, after I use my computer for awhile, I come back to this option and it has been re-entered.
This sounds like something Stumbleupon is doing but I don't know how to stop it.

I am running FF 3.5 but I noticed this happening before I migrated to 3.5.

Top