Does NoScript protect us here?

[luntrus]

Hi users of NoScript,

Re: http://forum.avast.com/index.php?topic= ... #msg383401

This vulnerability was found up:

Code: Select all

 http://www.avast.nl/web/index.php?pageId=33&mode="><script>alert(String.fromCharCode(88,83,83))</script>

by MethodMan
Firekeeper alerts like mad when I try to give in this request in google:

Code: Select all

<script>alert(String.fromCharCode(88,83,83))</script>

XXS & Iframe injection flaw.
This should be covered by NoScript, is that so?

luntrus

[Giorgio Maone]

Yes, that's a basic XSS PoC.
It's innocuous if you've got JavaScript disabled on that page, but if you've got it enabled it's immediately detected and neutralized by NoScript's XSS protection.

[GµårÐïåñ]

Confirmed, it gets caught just fine should scripting be allowed. Also keep in mind as Giorgio has said in the past, and forgive me if I am misquoting, can't find the exact post or PM, but NoScript also evaluates the threat of an XSS and intercepts it when malicious. I had sent some test cases that were not malicious and wondering why they weren't' caught and Giorgio was kind enough to enlighten me that NS only gets involved when its malicious, otherwise no point since its doing no harm.