[NoScript Classic] XSS false positives on wikipedia (split from t=26968)

kwiniec
Posts: 5
Joined: Thu Sep 17, 2009 9:32 pm
Location: Maryland, USA

Post by kwiniec »

Like BardRT, 100% repeatably, the Wikipedia URL

https://en.wikipedia.org/wiki/Lockwood_ ... _series%29

works, but then when I try to append

?useskin=vector

NoScript changes the URL to

https://en.wikipedia.org/wiki/Lockwood_ ... 8486105782

most notably replacing parentheses with spaces which breaks it.

If I then manually change the spaces back to parentheses using their codes %28 and %29 leaving the pound-random-number then it works, but if I use the characters ( ) or scrape off the pound-random-number then it continues to fail.

NoScript XSS preferences contains the exception

^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$

and I tried adding more punctuation (both escaped and unescaped) to the [] list as well as deleting the list entirely, but did not find anything that helped. And I cannot understand the "Pattern matching sample" test -- whether a URL shows red or black in the test does not seem to correlate with whether or not NoScript replaces parentheses with spaces in practice.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz »

I don't have Firefox 45 or the last compatible NoScript version in front of me atm, but maybe try changing that XSS exception to

^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+(?:\?useskin=vector)?$
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
kwiniec

Post by kwiniec »

Works!  Thank you!  Now to see if I can figure out why it is necessary....
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
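
Why the extra group makes a difference, as an added example that is not part of either poster's messages: the title class `[^"<>\?%]` in the original exception rejects `?`, so any URL carrying a query string stops matching the exception. The article title below is constructed (the thread's URL is truncated), and testing the pattern against the URL string exactly as written is an assumption; the thread does not say which form NoScript compares.

```javascript
// Added example, not from the thread. The two patterns are the XSS exceptions
// quoted in the posts; the article title in the URLs below is constructed.
const ORIGINAL = /^https?:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"<>\?%]+$/;
const SUGGESTED =
  /^https?:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"<>\?%]+(?:\?useskin=vector)?$/;

// Fixed prefix shared by both patterns, and the characters that the
// title class [^"<>\?%] refuses to match.
const PREFIX = /^https?:\/\/[a-z]+\.wikipedia\.org\/wiki\//;
const EXCLUDED = new Set(['"', '<', '>', '?', '%']);

// Returns { exempt, blocker }: whether `url` matches the exception, and if
// not, the first character after /wiki/ that the title class rejects.
function checkException(pattern, url) {
  if (pattern.test(url)) return { exempt: true, blocker: null };
  const m = PREFIX.exec(url);
  if (!m) return { exempt: false, blocker: 'prefix' };
  for (const ch of url.slice(m[0].length)) {
    if (EXCLUDED.has(ch)) return { exempt: false, blocker: ch };
  }
  return { exempt: false, blocker: 'empty title' };
}

// Constructed sample URLs (assumption: the exception is tested against the
// URL string exactly as written here).
const BASE = 'https://en.wikipedia.org/wiki/Example_(TV_series)';
const SAMPLES = {
  plain: BASE,
  skin: BASE + '?useskin=vector',
  otherQuery: BASE + '?useskin=vector&action=raw',
  encoded: 'https://en.wikipedia.org/wiki/Example_%28TV_series%29',
};

function report() {
  const rows = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    rows[name] = {
      original: checkException(ORIGINAL, url),
      suggested: checkException(SUGGESTED, url),
    };
  }
  return rows;
}

console.table(
  Object.entries(report()).map(([name, r]) => ({
    name, original: r.original.exempt, suggested: r.suggested.exempt,
    blocker: r.suggested.blocker ?? r.original.blocker,
  }))
);
```

The suggested pattern exempts only the exact query `?useskin=vector`; a longer query string, or a title written with `%28`/`%29`, still does not match either exception.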