Page 1 of 1

Stumbleupon and XSS

Posted: Wed Jul 01, 2009 11:33 am
by share666
When I go to the option Advanced / XSS there is an Anti-XSS Protection Exception that is entered.

^(http|https)://[a-z0-9\-]+\.stumbleupon\.com/

I can erase this and the screen goes yellow. No problem.

Then, after I use my computer for awhile, I come back to this option and it has been re-entered.
This sounds like something Stumbleupon is doing but I don't know how to stop it.

I am running FF 3.5 but I noticed this happening before I migrated to 3.5.

Re: Stumbleupon and XSS

Posted: Wed Jul 01, 2009 3:25 pm
by therube
Sure enough, StumbleUpon is doing it.
(Also looks to be using an older, tldEmulation.js.)

stumbleuponOverlay.js:

Code: Select all

function su_update_noscript_whitelists()
{
   if (! su_ds.isPrefDefined("noscript.filterXExceptions"))
      return;
   
   var str = su_ds.getValue("noscript.filterXExceptions");
   var exceptions = str.split("\n");
   var filter_str = "^(http|https)://[a-z0-9\\-]+\\.stumbleupon\\.com/";
   var i;
   var found = false;
   for (i = 0; i < exceptions.length; i++)
   {
      if (exceptions[i] == filter_str)
      {
         found = true;
         break;
      }
   }
   
   if (! found)
   {
      exceptions.push(filter_str);
      str = exceptions.join("\n");
      su_ds.setValue("noscript.filterXExceptions", str);
   }
   
   if ((typeof noscriptUtil) != "object")
      return;
   
   if (noscriptUtil.service &&
         noscriptUtil.service.jsPolicySites &&
         ((typeof noscriptUtil.service.jsPolicySites.add) == "function"))
   {
      noscriptUtil.service.jsPolicySites.add("stumbleupon.com");
   }
   
   su_ds.flushPrefs();
}

Re: Stumbleupon and XSS

Posted: Wed Jul 01, 2009 11:26 pm
by share666
What must I do to stop it?

Thanks.

Re: Stumbleupon and XSS

Posted: Thu Jul 02, 2009 1:21 am
by share666
I went into the JS file and changed the wording around and rearchived it.
It still generates a line but it is now meaningless.