InformAction Forums

When scripting on target site is disabled and site contains meta refresh url with single quotes in the noscript tag, it redirects to wrong page such as original url + new url with quotes included that in many cases ends in 404 page.

When all addons are disabled page works ok and setting preference to false in when all addons disabled page redirects to correct page like it should do.

For example this Lithuanian site redirects to which is a 404 page.
The offending tag is In this example http in url replaced with hxxp and www replaced with wxw.

Edit: Fixed truncated noscript tag in above example.
Edit2: Bug fixed completely in AMO version 10.1.8.5

Noscript 10.1.8.2
Firefox 61.0.1
Ubuntu Linux 18.04 LTS, codename bionic

Can confirm. Needs sanitation of single quotes out of the url if present.

Fix here (not released yet), thank you.

Will there be a similar fix for NoScript 5.x ?

therube wrote:Will there be a similar fix for NoScript 5.x ?

Is NoScript 5 affected? As far as I can see there's already code there to handle quoted URLs...

Oops, you're right.

Been using different computers & different settings.
When I looked the other day, all seemed OK - as I remembered.
Looking again today, to confirm, it looped over to 'PageSpeed=noscript'.
But... I forgot to enable, 'Forbid META redirections inside <NOSCRIPT> elements.

Set correctly, all is well.

Fixed in latest development build, thanks.
v 10.1.8.3rc11
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x Fixed regression - popup first row not showing the active
preset initially
x [ESR60] Fixed some edge cases still breaking feeds

This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\

Is that a typo? There is no 10.1.8.4 (currently).

(And theoretically, there should be no difference between 10.1.8.3 release & 10.1.8.3rc11 - except the update channel.)

(Don't remember offhand if I ever tested the testcase against 10.1.8.3rc11 ?)

Yes. 10.1.8.4 is posted in amo, as version in screenshot shows. Dunno what got messed up in the amo though :\


Also in actual amo page shows 10.1.8.4 not anything else, last screenshot taken 2018-07-16 18:05:07 (GMT+2, Summer time, Date time in the file name).

juozas wrote:This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\

Ops, you're right, the fix was partial. Will go in next release, sorry.

So I'll have to "downgrade" to 10.1.8.3 when it gets fixed it appears that 10.1.8.3 was already out in amo before, so no need to downgrade to previous version, the right choice is to opgrade

juozas wrote:So I'll have to "downgrade" to 10.1.8.3 when it gets fixed

No, you actually need to upgrade to 10.1.8.5

10.1.8.3rc11
http://www.numeris.info/869860104
rolls to
http://www.numeris.info/'http://www.numeris.info/869860104?PageSpeed=noscript%27

10.1.8.7
http://www.numeris.info/869860104
"rolls to"
http://www.numeris.info/869860104?PageSpeed=noscript


Which I guess is OK?

The second one is correct. The script that redirects when no scripting is enabled is in the most of pages on the domain, not just the number pages such as shown in the example, also other language mirrors are located on the top right location of the pages.