[RESOLVED] XSS Filtering blocks comments on huffingtonpost

Ask for help about NoScript, no registration needed to post
Guest

Post by Guest »

As of recently (past week or so) the articles on the site (huffingtonpost.com) are perfectly viewable but clicking the button which should bring up a comments frame on the right hand side just brings up an empty frame showing the title "Comments" but no content. Allowing all permissions temporarily for the site did not fix the issue but disabling the add-on entirely did. When I viewed the console there was an error indicating an XSS link was blocked.

Code:

[NoScript InjectionChecker] JavaScript Injection in ///plugins/comments.php?api_key=&channel_url=http://staticxx.facebook.com/connect/xd_arbiter/r/XBwzv5Yrm_1.js?version=42#cb=f2c501c15eb1bba&domain=www.huffingtonpost.com&origin=http://www.huffingtonpost.com/f306cefcd80d418&relation=parent.parent&colorscheme=light&href=http://www.huffingtonpost.com/entry/new-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%
(function anonymous(
) {
www.huffingtonpost.com/f306cefcd80d418&relation==parent.parent&colorscheme==light
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df2c501c15eb1bba%26domain%3Dwww.huffingtonpost.com%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff306cefcd80d418%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fnew-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25] requested from [http://www.huffingtonpost.com/entry/new-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae?ncid=inblnkushpmg00000009]. Sanitized URL: [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%2520f2c501c15eb1bba%2526domain%2520www.huffingtonpost.com%2526origin%2520http%253A%252F%252Fwww.huffingtonpost.com%252Ff306cefcd80d418%2526relation%2520parent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fnew-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25].
SyntaxError: JSON.parse: end of data while reading object contents at line 1 column 2 of the JSON data[Learn More]  desktop-694c9ce9b2ee44f1ede5afd1bd6e5b17309d457a3e699b0dfd829818914f6982.js:5:10302

I tried adding manual exceptions in the xss section under Advanced settings options in NoScript but I'm not sure I had the correct site and/or syntax to allow the comments to display.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by barbaz »

Does the issue occur with NoScript latest development build 5.0.7rc1?
*Always* check the changelogs BEFORE updating that important software!
-
Guest

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by Guest »

Didn't help
barbaz

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by barbaz »

Does this XSS exception help? -

Code:

^https://www\.facebook\.com/plugins/comments\.php\?
-
Guest

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by Guest »

Still the same problem
barbaz

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by barbaz »

With the exception in place, please post the new console messages.
-
Guest

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by Guest »

Code:

[NoScript InjectionChecker] JavaScript Injection in ///plugins/feedback.php?api_key&channel_url=http://staticxx.facebook.com/connect/xd_arbiter/r/XBwzv5Yrm_1.js?version=42#cb=f549ea67fd7c2&domain=www.huffingtonpost.com&origin=http://www.huffingtonpost.com/f157b236c58939c&relation=parent.parent&colorscheme=light&href=http://www.huffingtonpost.com/entry/sherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%
(function anonymous(
) {
www.huffingtonpost.com/f157b236c58939c&relation==parent.parent&colorscheme==light
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df549ea67fd7c2%26domain%3Dwww.huffingtonpost.com%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff157b236c58939c%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fsherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25] requested from [http://www.huffingtonpost.com/entry/sherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f?4b&ncid=inblnkushpmg00000009]. Sanitized URL: [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%2520f549ea67fd7c2%2526domain%2520www.huffingtonpost.com%2526origin%2520http%253A%252F%252Fwww.huffingtonpost.com%252Ff157b236c58939c%2526relation%2520parent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fsherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25].
Guest

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by Guest »

I just got it working with a second exception to

Code:

^https://www\.facebook\.com/plugins/feedback\.php\?
Thanks for the help though
barbaz

Re: XSS Filtering blocks comments on huffingtonpost.com

Post by barbaz »

You're welcome.
-
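Why the first exception alone did not fix the comments frame, as an added example that is not part of any post in this thread: it compares an original and a sanitized URL to find the parameter the filter rewrote, then checks which of the two posted exceptions cover each request. The URLs are shortened from the console logs above, the function names are hypothetical, and the patterns are assumed to be regular expressions tested against the full request URL.

```javascript
// Added example. Sample data: request URLs shortened from the console logs in this thread.
const BASE = "https://www.facebook.com/plugins/";
const TAIL = "&colorscheme=light&locale=en_US";
const CHANNEL = "http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb";
const ORIGINAL = BASE + "feedback.php?api_key&channel_url=" + CHANNEL +
  "%3Df549ea67fd7c2%26domain%3Dwww.huffingtonpost.com%26relation%3Dparent.parent" + TAIL;
const SANITIZED = BASE + "feedback.php?api_key&channel_url=" + CHANNEL +
  "%2520f549ea67fd7c2%2526domain%2520www.huffingtonpost.com%2526relation%2520parent.parent" + TAIL;
const COMMENTS_URL = BASE + "comments.php?api_key=&channel_url=" + CHANNEL + "%3Df2c501c15eb1bba" + TAIL;

// The two exceptions posted in the thread, one regular expression per entry.
const EXCEPTIONS = [
  "^https://www\\.facebook\\.com/plugins/comments\\.php\\?",
  "^https://www\\.facebook\\.com/plugins/feedback\\.php\\?",
];

// Names of query parameters whose decoded value differs between two URLs.
function changedParams(original, sanitized) {
  const a = new URL(original).searchParams;
  const b = new URL(sanitized).searchParams;
  const names = new Set([...a.keys(), ...b.keys()]);
  return [...names].filter((n) => a.getAll(n).join("\n") !== b.getAll(n).join("\n"));
}

// Exception patterns that match a request URL.
function matchingExceptions(url, patterns) {
  return patterns.filter((p) => new RegExp(p).test(url));
}

// URLs that no pattern covers, i.e. requests the filter would still rewrite.
function stillFiltered(urls, patterns) {
  return urls.filter((u) => matchingExceptions(u, patterns).length === 0);
}

console.log("rewritten by the filter:", changedParams(ORIGINAL, SANITIZED));
console.log("first exception only, still filtered:",
  stillFiltered([COMMENTS_URL, ORIGINAL], EXCEPTIONS.slice(0, 1)).map((u) => new URL(u).pathname));
console.log("both exceptions, still filtered:",
  stillFiltered([COMMENTS_URL, ORIGINAL], EXCEPTIONS).length);
```

An exception turns off XSS filtering for every destination it matches, so keeping each pattern anchored with `^` and ending at the endpoint's `\?`, as in the thread, limits it to that one plugin path.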