Trust URLs entered to address bar for XSS

Posted: Mon Jan 07, 2019 5:52 am
by jtojnar
When I enter the following URL into the address bar and press Enter, the dialogue below pops up:

http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_python_devel.m4

NoScript XSS Warning

NoScript detected a potential Cross-Site Scripting attack

from [...] to http://git.savannah.gnu.org.

Suspicious data:

(URL) http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_python_devel.m4

Would it be possible to trust URLs entered through address bar and/or not block semicolons in URLs? I think some Perl apps use semicolons instead of ampersands for query strings and to support them is actually recommended by W3C.

NS: 10.2.2rc2
FF: 64.0

Re: Trust URLs entered to address bar for XSS

Posted: Mon Jan 07, 2019 3:39 pm
by barbaz
jtojnar wrote:
Mon Jan 07, 2019 5:52 am
Would it be possible to trust URLs entered through address bar

If this is done, it needs to be an option, disabled by default. It would increase the attack surface, making it possible for haxxor to completely bypass NoScript's XSS filter through social engineering and/or giving the malicious link outside of the browser.

jtojnar wrote:
Mon Jan 07, 2019 5:52 am
not block semicolons in URLs?

The issue here is not just the use of semicolon. It is that the portion of the URL after the ? is syntactically valid JavaScript. Allowing things that look like that would allow real XSS.

-1
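
The point made in the reply above about the query string, as an added example that is not part of the thread and is not NoScript's code: the semicolon-separated query from the reported URL compiles as JavaScript, while the same parameters joined with `&` (constructed here) do not, even though both decode to the same parameters. `parseQuery`, `parsesAsJavaScript` and `queryOf` are hypothetical helper names, and a bare syntax check is only a stand-in for whatever heuristics the filter actually applies.

```javascript
// Added illustration; not NoScript's implementation. Helper names are hypothetical.

// Split a query string on either "&" or ";" (the separator gitweb uses)
// and return the decoded key/value pairs.
function parseQuery(query) {
  const params = Object.create(null);
  for (const pair of query.split(/[;&]/)) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// True if the text compiles as a JavaScript function body.
// new Function() only parses here; the resulting function is never called.
function parsesAsJavaScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The part of the URL after the "?".
function queryOf(url) {
  return new URL(url).search.slice(1);
}

// URL from the first post.
const semicolonUrl =
  "http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_python_devel.m4";
// Constructed: the same parameters with "&" as the separator.
const ampersandUrl = semicolonUrl.replace(/;/g, "&");

for (const url of [semicolonUrl, ampersandUrl]) {
  const q = queryOf(url);
  console.log(q);
  console.log("  parameters:", JSON.stringify(parseQuery(q)));
  console.log("  parses as JavaScript:", parsesAsJavaScript(q));
}
```

With `;` the query reads as three assignment statements (`p = autoconf - archive.git; a = blob_plain; f = m4 / ax_python_devel.m4`); with `&` the first `=` after an `&` has an invalid assignment target, so the parser rejects it.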