XSS-Alert in Wikidata

Wurgl
Posts: 2
Joined: Sat Nov 03, 2018 5:58 pm

XSS-Alert in Wikidata

Post by Wurgl »

Hello!

In Wikidata there are links to the various Wikipedia pages; when such a page has the format "<identifier>. <identifier> (<text>)", the XSS alert from NoScript pops up.

Example: https://www.wikidata.org/wiki/Q2579319
When you click on the link to the German Wikipedia page (either at the bottom of the page or top-right – it depends on the width of the browser window), which is https://de.wikipedia.org/wiki/V._Armeekorps_(Wehrmacht), the alert pops up. Not every time, but about every second time.

I think this is a little bit too much checking; maybe Wikipedia needs an exception?

Another example is https://www.wikidata.org/wiki/Q7946085 (click on the link to the English Wikipedia), and there are about 700 more links to en.wikipedia and about 5400 more examples on the German Wikipedia.
Another is https://www.wikidata.org/wiki/Q1925273; all links to wikipedia.org containing a bracket are affected.

I am using Firefox 60.3.0esr / 64-bit (from openSUSE 42.3) with NoScript 10.1.9.9.

Thanks
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: XSS-Alert in Wikidata

Post by skriptimaahinen »

It's a false positive for sure. Caused by checkJSBreak tripping on something it should not.

However, wikipedia.org does have an XSS exception. The XSS popup showing every other time is caused by the exception check failing for some reason.

That can be remedied by setting Watch Expressions for the test in the debugger or (a bit more permanently) by refactoring the test (for example):

Exceptions.js:52

// Refactoring of the test at Exceptions.js:52: evaluate each condition
// separately instead of inside a single short-circuit expression.
let aaa = this.legacyExceptions.test(unescapedDest);          // destination matches legacy regexp
let bbb = this.isBadException(destObj.hostname);              // destination host is a known bad exception
let ccc = this.legacyExceptions.test("@" + unescape(srcUrl)); // "@source" matches legacy regexp

// destination or @source matching legacy regexp
if (aaa && !bbb || ccc) {
  logEx("Legacy exception", this.legacyExceptions);
  return true;
}
Why this makes any difference is beyond me...
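One mechanism that yields exactly this every-second-time behaviour in JavaScript, given here as an added illustration and not as code from the thread or from NoScript: calling .test() on a RegExp created with the g or y flag keeps lastIndex between calls, so a match inside a short-circuit expression can alternate between true and false. Whether NoScript's legacyExceptions regexp is affected this way is an assumption; the pattern, URLs and function names below are constructed.

```javascript
// Added illustration, not NoScript's code. A RegExp built with the "g" (or "y")
// flag remembers lastIndex across .test() calls, so the same input can match
// on one call and fail on the next. Whether this is what breaks NoScript's
// legacyExceptions check is an assumption, not a fact from the thread.

// Constructed sample URLs (the page the reporter used, and its Wikidata source).
const DEST = "https://de.wikipedia.org/wiki/V._Armeekorps_(Wehrmacht)";
const SRC = "https://www.wikidata.org/wiki/Q2579319";

// Hypothetical stand-in for an allow-list regexp, wrongly built with "g".
const statefulExceptions = /wikipedia\.org\//g;
// Same pattern without "g": .test() always searches from index 0.
const statelessExceptions = /wikipedia\.org\//;

// Mirrors the shape of the original short-circuit test:
// destination allowed OR "@source" allowed. With a "g" regexp the second
// .test() only runs when the first fails, which is what makes the outcome
// depend on the previous call.
function isException(re, dest, src) {
  return re.test(dest) || re.test("@" + src);
}

// Runs the check n times and records each outcome so the alternation is visible.
function repeatedChecks(re, dest, src, n) {
  const results = [];
  for (let i = 0; i < n; i++) {
    results.push(isException(re, dest, src));
  }
  return results;
}

// Defensive variant: if a stateful regexp must be kept, reset lastIndex
// before every .test() so each call starts from the beginning of the input.
function isExceptionSafe(re, dest, src) {
  re.lastIndex = 0;
  const destOk = re.test(dest);
  re.lastIndex = 0;
  return destOk || re.test("@" + src);
}
```

With the "g" regexp, repeatedChecks returns true, false, true, false for an unchanged input; the stateless regexp and the lastIndex-resetting variant return true every time.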
Wurgl
Posts: 2
Joined: Sat Nov 03, 2018 5:58 pm

Re: XSS-Alert in Wikidata

Post by Wurgl »

BTW: The error message itself mangles some UTF-8 characters, as you can see here: https://www.wikidata.org/wiki/Q15129616
Click a few times on the link to the German Wikipedia to see the message; it reports "(URL) https://de.wikipedia.org/wiki/St._Matth ... egensburg)" and not the pretty umlaut ä.