XSS sanitization

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

XSS sanitization

Post by Alan Baxter »

I'm curious about a particular XSS sanitization. Why is %22#1339542234582004198 appended to the URL? Why that particular number? Enquiring minds want to know.

[NoScript XSS] Sanitized suspicious request. Original URL [http://blogs.zdnet.com/microsoft/?p=527%22] requested from [http://boycottnovell.com/2007/12/03/]. Sanitized URL: [http://blogs.zdnet.com/microsoft/?p=527%22%22#1339542234582004198].
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Default theme, no other extensions
NoScript 1.9.6 default settings plus the following whitelisted sites:
cnet.com
com.com
yahooapis.com
zdnet.com

Load http://boycottnovell.com/2007/12/03/
Click on the link titled "Beware of undisclosed Microsoft patches"
The resulting page has the XSS sanitization.
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: XSS sanitization

Post by therube »

I don't get any XSS message?
Anyhow, I believe the "#" is a randomly generated "tag"?

OK, if I Allow zdnet.com, get the XSS message.

My "tag" is different:

[NoScript XSS] Sanitized suspicious request. Original URL [http://blogs.zdnet.com/microsoft/?p=527%22] requested from [http://boycottnovell.com/2007/12/03/]. Sanitized URL: [http://blogs.zdnet.com/microsoft/?p=527%22%22#7444142728524984407].
There is probably some security reason for it being random.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre