Why are some adverts replaced with HTML code?

Post by 01i » Fri Jul 24, 2015 4:24 pm

Rather than whitelisting and blacklisting sites, I allow scripts globally and use NoScript primarily for the XSS, Clear Click and ABE protections.

Occasionally I will load a website and instead of adverts, I will see a load of HTML source without the opening < on each tag. I've gone through the various tick boxes in NoScript, and cannot make those particular adverts show up correctly unless I disable NoScript outright.

Now, I am assuming that these adverts are being modified by NoScript due to some security reason, but I am interested to know what that reason would be.

Here are a couple of examples of the same webpage. One shows NoScript in 'Allow Scripts Globally' mode, the other shows NoScript uninstalled.

NoScript uninstalled shows adverts on the Telegraph website

http://theten.co.uk/noscript-uninstalled.png

NoScript installed, but in allow all mode, converts adverts to html code

http://theten.co.uk/noscript-allowscriptsglobally.png

So why does this happen? What is being blocked?
Last edited by barbaz on Fri Jul 24, 2015 4:26 pm, edited 1 time in total.
Reason: linkify images that were loading too slowly

Post by barbaz » Fri Jul 24, 2015 4:29 pm

*Always* check the changelogs BEFORE updating that important software!
-

Post by 01i » Fri Jul 24, 2015 4:47 pm

barbaz wrote: https://forums.informaction.com/viewtopic.php?f=7&t=20358
viewtopic.php?f=7&t=20670


Sorry, I'm still confused as those links don't answer the question. Both those threads report the same behaviour, but neither explains why NoScript is actually blocking the adverts, which is what I'm asking.

Post by barbaz » Fri Jul 24, 2015 4:52 pm

01i wrote: but neither explains why NoScript is actually blocking the adverts

Sure they do. Did you actually read the whole threads (particularly the second)?
Feel free to ask for clarification afterwards.

Post by therube » Fri Jul 24, 2015 5:25 pm

Oh, so it seemingly would be XSS related.
I've seen that around, but never bothered with why it might or might not be there.


(I've probably mentioned elsewhere, but IMO, XSS related stuff ought to be more easily determinable.)

Post by 01i » Fri Jul 24, 2015 6:43 pm

Those threads make sense, but they don't really explain what's going on. What I can really make from them is that you think that http://tpc.googlesyndication.com is vulnerable to XSS and should be added to ABE with a deny rule. If I do that, then the Google ads that were being converted to HTML just get converted to a white space and an ABE error message instead.

Nothing has really been "fixed".

http://tpc.googlesyndication.com is a domain owned and hosted by Google, and is a part of the Google advertising system, used for serving certain types of rich ads, or tracked ads. Also, by blocking this domain, all Google ads served through it are blocked, rather than just adverts that NoScript converts to code. I have also learned that these ads typically have a high click-through rate, so blocking them is a disservice to the website owner.

While typing this I've done a bit of research, and this webpage explains what is going on.

http://www.iab.net/safeframe/safeframe_infographic

Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.

Post by barbaz » Fri Jul 24, 2015 7:58 pm

01i wrote: Nothing has really been "fixed".

Well, the *real* fix is for the ads to not use/rely on inherently unsafe practices.

01i wrote: Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.

You've already got the choice, but I do NOT recommend choosing to allow that because what it's doing is NOT safe. I'm also not completely sure how, but since you REALLY seem to want to do this.. see what this does?
NoScript Options > Advanced > XSS, add to Anti-XSS Protection Exceptions

^https?://tpc\.googlesyndication\.com/safeframe

Again, this is NOT RECOMMENDED and potentially DANGEROUS.

Post by Thrawn » Sun Jul 26, 2015 9:58 pm

The actual answer to "why does the HTML code appear?" is that it's probably a side effect of the way NoScript blocks the XSS vulnerability. NoScript alters the request to neutralise the suspicious payload, and the page is very unwisely dumping the result into its own code, so it makes sense that what was supposed to be markup (controllable by any other site!) becomes non-markup.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
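
The mechanism Thrawn describes above, as an added example that is not part of the original thread: a simplified JavaScript model (not NoScript's or SafeFrame's actual code) of a filter that strips `<` from a cross-site request, a frame that writes the request data into its own document, and the Anti-XSS exception pattern quoted earlier. The container path, the `html` parameter name and the sample markup are constructed for illustration.

```javascript
// Added illustration: a simplified model, not NoScript's or SafeFrame's code.
// Exception pattern quoted from barbaz's post in this thread.
const XSS_EXCEPTION = /^https?:\/\/tpc\.googlesyndication\.com\/safeframe/;

// Constructed sample request: ad markup carried cross-site in a parameter.
// The container path and the "html" parameter name are hypothetical.
const AD_MARKUP =
  '<div class="ad"><a href="https://example.com/">Buy now</a></div>';
const SAMPLE_URL =
  'http://tpc.googlesyndication.com/safeframe/container.html?html=' +
  encodeURIComponent(AD_MARKUP);

// Filter model: unless the URL matches an exception, strip "<" from every
// query value so the data can no longer open a tag in the receiving page.
function filterRequest(url, exceptions = []) {
  if (exceptions.some((re) => re.test(url))) return url;
  const u = new URL(url);
  for (const [key, value] of [...u.searchParams]) {
    u.searchParams.set(key, value.replace(/</g, ''));
  }
  return u.toString();
}

// Receiving-frame model: the page writes the parameter into its own document
// as markup. Returns the text a reader would see: tags that still parse are
// consumed by the parser, anything else is shown literally.
function frameShows(url) {
  const html = new URL(url).searchParams.get('html') || '';
  return html.replace(/<\/?[a-zA-Z][^>]*>/g, '');
}

// Compare what the frame displays in each case.
function demo() {
  return {
    unfiltered: frameShows(SAMPLE_URL),
    filtered: frameShows(filterRequest(SAMPLE_URL)),
    excepted: frameShows(filterRequest(SAMPLE_URL, [XSS_EXCEPTION])),
    otherHostExempt: XSS_EXCEPTION.test('https://example.com/safeframe/x'),
  };
}

console.log(demo());
```

The `filtered` case reproduces the symptom from the first post: tags displayed as text without their opening `<`. The exception makes the filter skip every request under that path prefix, which is the trade-off barbaz warns about.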