Page 1 of 1
Stumbleupon and XSS
Posted: Wed Jul 01, 2009 11:33 am
by share666
When I go to the option Advanced / XSS there is an Anti-XSS Protection Exception that is entered.
^(http|https)://[a-z0-9\-]+\.stumbleupon\.com/
I can erase this and the screen goes yellow. No problem.
Then, after I use my computer for awhile, I come back to this option and it has been re-entered.
This sounds like something Stumbleupon is doing but I don't know how to stop it.
I am running FF 3.5 but I noticed this happening before I migrated to 3.5.
Re: Stumbleupon and XSS
Posted: Wed Jul 01, 2009 3:25 pm
by therube
Sure enough,
StumbleUpon is doing it.
(Also looks to be using an older, tldEmulation.js.)
stumbleuponOverlay.js:
Code: Select all
function su_update_noscript_whitelists()
{
if (! su_ds.isPrefDefined("noscript.filterXExceptions"))
return;
var str = su_ds.getValue("noscript.filterXExceptions");
var exceptions = str.split("\n");
var filter_str = "^(http|https)://[a-z0-9\\-]+\\.stumbleupon\\.com/";
var i;
var found = false;
for (i = 0; i < exceptions.length; i++)
{
if (exceptions[i] == filter_str)
{
found = true;
break;
}
}
if (! found)
{
exceptions.push(filter_str);
str = exceptions.join("\n");
su_ds.setValue("noscript.filterXExceptions", str);
}
if ((typeof noscriptUtil) != "object")
return;
if (noscriptUtil.service &&
noscriptUtil.service.jsPolicySites &&
((typeof noscriptUtil.service.jsPolicySites.add) == "function"))
{
noscriptUtil.service.jsPolicySites.add("stumbleupon.com");
}
su_ds.flushPrefs();
}
Re: Stumbleupon and XSS
Posted: Wed Jul 01, 2009 11:26 pm
by share666
What must I do to stop it?
Thanks.
Re: Stumbleupon and XSS
Posted: Thu Jul 02, 2009 1:21 am
by share666
I went into the JS file and changed the wording around and rearchived it.
It still generates a line but it is now meaningless.