False positive on undeadlinks.com

Bug reports and enhancement requests
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

False positive on undeadlinks.com

Post by ndr »

Hello,

I noticed that NoScript 1.9.8.86 reports an XSS attempt from http://www.undeadlinks.com whenever the user clicks on the "Valid HTML" badge that links to the W3C HTML validator.

The site does not use JavaScript, nor does it include objects from external sites.

The issue has been noticed using Firefox 3.0.14.

Thank you for looking into this.
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: False positive on undeadlinks.com

Post by Alan Baxter »

I don't see anything labeled "Valid HTML". Do you mean the button labeled "W3C HTML 4.01"? Assuming you do, I don't see an XSS report on Fx 3.5.3 or Fx 3.0.14. I'm using NoScript 1.9.8.89 on Windows XP SP3.

Perhaps it's a Linux problem. Does the problem persist if you use the most recent NoScript version, available at http://noscript.net/getit#devel?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

Re: False positive on undeadlinks.com

Post by ndr »

Alan Baxter wrote: I don't see anything labeled "Valid HTML". Do you mean the button labeled "W3C HTML 4.01"?
Yes, it was shorthand for that button.
Alan Baxter wrote: Assuming you do, I don't see an XSS report on Fx 3.5.3 or Fx 3.0.14. I'm using NoScript 1.9.8.89 on Windows XP SP3.
Perhaps it's a Linux problem. Does the problem persist if you use the most recent NoScript version, available at http://noscript.net/getit#devel?
I just installed 1.9.8.89 and, unfortunately, it still complains about the non-existing XSS attempt.

The following is what appears in Firefox's error console after NoScript's error:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://validator.w3.org/check?uri=http%3A%2F%2Fwww.undeadlinks.com%2Findex.php;accept=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8;accept-language=it%2Cen%3Bq%3D0.7%2Cen-us%3Bq%3D0.3;accept-charset=ISO-8859-1%2Cutf-8%3Bq%3D0.7%2C*%3Bq%3D0.7] requested from [http://www.undeadlinks.com/index.php]. Sanitized URL: [http://validator.w3.org/check?uri=http%3A%2F%2Fwww.undeadlinks.com%2Findex.php;accept=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%200.9%2C*%2F*%3Bq%200.8;accept-language=it%2Cen%3Bq%200.7%2Cen-us%3Bq%200.3;accept-charset=ISO-8859-1%2Cutf-8%3Bq%200.7%2C*%3Bq%200.7#6667989680425983726].
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
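As an added example (not part of the thread, and not NoScript's own code), the Python below triages a console line like the one quoted above: it parses the report into its three URLs, diffs the original and sanitized URLs one percent-escape at a time, and decodes the validator's `;`-separated query so the before/after values are readable. The log line is a constructed copy of the quoted one; run on it, the diff shows that only the six `%3D` (`=`) escapes were rewritten to `%20` and a `#…` fragment was appended, which is what turns `q=0.9` into `q 0.9`.

```python
import difflib
import re
from collections import Counter
from urllib.parse import unquote

# Constructed copy of the error-console line quoted in the post above (wrapped here).
ORIGINAL = ("http://validator.w3.org/check?uri=http%3A%2F%2Fwww.undeadlinks.com%2Findex.php"
            ";accept=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8"
            ";accept-language=it%2Cen%3Bq%3D0.7%2Cen-us%3Bq%3D0.3"
            ";accept-charset=ISO-8859-1%2Cutf-8%3Bq%3D0.7%2C*%3Bq%3D0.7")
SANITIZED = ("http://validator.w3.org/check?uri=http%3A%2F%2Fwww.undeadlinks.com%2Findex.php"
             ";accept=text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%200.9%2C*%2F*%3Bq%200.8"
             ";accept-language=it%2Cen%3Bq%200.7%2Cen-us%3Bq%200.3"
             ";accept-charset=ISO-8859-1%2Cutf-8%3Bq%200.7%2C*%3Bq%200.7#6667989680425983726")
LOG_LINE = ("[NoScript XSS] Sanitized suspicious request. Original URL [" + ORIGINAL
            + "] requested from [http://www.undeadlinks.com/index.php]. Sanitized URL: ["
            + SANITIZED + "].")

LOG_RE = re.compile(r"Original URL \[(?P<original>[^\]]+)\] requested from "
                    r"\[(?P<referrer>[^\]]+)\]\. Sanitized URL: \[(?P<sanitized>[^\]]+)\]")
TOKEN_RE = re.compile(r"%[0-9A-Fa-f]{2}|.")  # one token per percent-escape or literal char


def parse_report(line):
    """Pull the original, referrer and sanitized URLs out of one NoScript XSS report line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a NoScript XSS sanitisation report")
    return m.groupdict()


def sanitizer_diff(original, sanitized):
    """Diff the two URLs token by token: which escapes were rewritten, and what was appended."""
    a, b = TOKEN_RE.findall(original), TOKEN_RE.findall(sanitized)
    replaced, appended = Counter(), ""
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag == "replace":
            replaced.update(zip(a[i1:i2], b[j1:j2]))  # e.g. ('%3D', '%20')
        elif tag == "insert":
            appended += "".join(b[j1:j2])  # the #... fragment NoScript tacks on
    return replaced, appended


def query_params(url):
    """Decode the ';'-separated validator query (fragment dropped) into readable values."""
    query = url.split("#", 1)[0].split("?", 1)[1]
    return {k: unquote(v) for k, v in (p.split("=", 1) for p in query.split(";"))}
```

Call `parse_report(LOG_LINE)` and feed the result to `sanitizer_diff` and `query_params` to see the rewritten escapes and the decoded `accept*` values side by side.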
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: False positive on undeadlinks.com

Post by Alan Baxter »

OK. I see it if I Allow w3.org. You can avoid the XSS message by removing it from your whitelist, but that might not be what you had in mind. :)
Does anything in the FAQ help? http://noscript.net/faq#qa4_1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

Re: False positive on undeadlinks.com

Post by ndr »

Frankly, I'd rather have NoScript not make my site look malicious. :?

For now, I've just disabled the link to W3C, hoping that the bug will soon be fixed. If the developers need that link again to check for NoScript's behaviour, please use this ad-hoc page:

http://www.undeadlinks.com/index2.php

Thank you.
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: False positive on undeadlinks.com

Post by Nan M »

I notice that the uri for the link is the general "referrer", rather than an expression.
http://farm3.static.flickr.com/2570/395 ... 3f8f_o.gif
This makes a hole for the developer only to fall into perhaps?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

Re: False positive on undeadlinks.com

Post by ndr »

That's how the W3C advised to link to the validator until recently. But, while I was perusing their site to find a source to quote, I noticed that they are now endorsing a different link format in their docs:

http://validator.w3.org/check/referer

while retaining compatibility with the older scheme. NoScript doesn't seem to have a problem with the new URL, so I'll just use that.

Thank you for steering me into the right direction.
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: False positive on undeadlinks.com

Post by GµårÐïåñ »

I think there is something else going on as I went to your site, without allowing anything, I clicked on the button, I was taken to the site and no error or warnings of any kind were generated. Perhaps your profile is compromised or has interference by another addon that IS making it suspicious and NS is protecting you from it by letting you know. Another thing is, are you on the same machine as the webserver hosting your site? If so it might be a case of detection that it's coming back to a LOCAL resource and it is intercepting it. That is normal and might be why we are not experiencing it but you are.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

Re: False positive on undeadlinks.com

Post by ndr »

You aren't seeing errors because I've already changed that link to a URL that won't upset NoScript. If you use this page:

http://www.undeadlinks.com/index2.php

You'll see the error upon clicking on the "Valid HTML" button.
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: False positive on undeadlinks.com

Post by GµårÐïåñ »

ndr wrote: You aren't seeing errors because I've already changed that link to a URL that won't upset NoScript. If you use this page:

http://www.undeadlinks.com/index2.php

You'll see the error upon clicking on the "Valid HTML" button.
1. When you post a link, we assume that's the one with the problem; if you change it in the meantime, it defeats the attempt to support it when it can't be recreated.

2. I used the link you just provided and without allowing ANYTHING, I was able to go and see the validation successful page and no error.

Once again, no error, so there must be something else going on unless you change this link as well. You still did not respond to a question that I asked which would be 100% relevant here to your problem and that is, ARE YOU ON THE SAME MACHINE AS THE WEBSERVER FOR THE SITE YOU HAVE LINKED?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
ndr
Posts: 6
Joined: Mon Sep 21, 2009 1:57 pm

Re: False positive on undeadlinks.com

Post by ndr »

GµårÐïåñ wrote: 1. When you post a link, we assume that's the one with the problem, if you change it in the meantime, defeats the attempt to support it when it can't be recreated.
If you had taken the trouble to read the rest of the thread, you would've known that I had moved the link that triggers NoScript's bug to an ad-hoc page, and - since my problem is now solved - I set up "index2.php" only to give the developers a chance to test NoScript's behaviour with the original link.

I could have simply changed the link and the hell with it.

What do you think I'm supposed to do, leave the old link there for NoScript to badmouth my site?
GµårÐïåñ wrote: 2. I used the link you just provided and without allowing ANYTHING, I was able to go and see the validation successful page and no error.
If you don't allow anything, surely enough, you won't see anything. Set NoScript to trust w3.org.
GµårÐïåñ wrote: Once again, no error, so there must be something else going on unless you change this link as well. You still did not respond to a question that I asked which would be 100% relevant here to your problem and that is, ARE YOU ON THE SAME MACHINE AS THE WEBSERVER FOR THE SITE YOU HAVE LINKED?
I don't see how that is relevant, anyway: NO I'M NOT and, again, my problem is now solved.
Andrea Remondini,
UndeadLinks.com developer
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: False positive on undeadlinks.com

Post by GµårÐïåñ »

ndr wrote: What do you think I'm supposed to do, leave the old link there for NoScript to badmouth my site?
No one is badmouthing you as you are the only one getting the error. So perhaps something wrong on your side to cause it to begin with.
ndr wrote: If you don't allow anything, surely enough, you won't see anything. Set NoScript to trust w3.org.
Well I allowed your site and still got no error. And yes on the one you kindly provided for testing so we wouldn't badmouth you.
ndr wrote: I don't see how that is relevant, anyway: NO I'M NOT and, again, my problem is now solved.
Well there is a lot of things you don't see and that seems to be the problem. We are trying to help you and if you feel answering questions to help us do that is unreasonable, then feel free to not answer. It is relevant because in that case the request is made and returns to the same location, which could imply a LOCAL access, and that IS protected against; it's a function of NS, and that I suggested could be why you saw the problem and not the rest of us.

Now if your problem is solved, how did it get solved? I mean unless you had something wrong, it wouldn't just vanish, no?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: False positive on undeadlinks.com

Post by Nan M »

GµårÐïåñ wrote: Now if your problem is solved, how did it get solved?
By changing the uri to something with less ambiguous/suspicious code.
The original Error message quoted by the developer pointed out that the original link was sus; the developer changed the link to non-code text, NS now doesn't need to sanitise it.

I'm sure that if Giorgio had seen something pointing to an error within NS's code sanitising algorithm, he would already have participated in this thread. As it stands, the developer has found a better uri and the problem is fixed.

This thread is verging on the ridiculous.
I wasn't aware that adults, apparently both with responsible positions wrt web development, could become so tetchy over trifles.
Santa will cross you both off his list if you don't improve. ;-)
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.14) Gecko/2009090216 Ubuntu/9.04 (jaunty) Firefox/3.0.14