Don't Say No - XSS Warning?

therube
Ambassador
Posts: 7973
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Don't Say No - XSS Warning?

Post by therube »

Don't Say No - XSS Warning?

NoScript .903, Win7 x64, FF 115 ESR

Search Engine is set to: https://www.startpage.com/

Search, dr. no
First hit, Dr. No (film) - Wikipedia -> https://en.wikipedia.org/wiki/Dr._No_(film)

By default (in Startpage), I have left-click set to open the link in a new tab.

Clicking (or center-clicking) the Wikipedia page link to https://en.wikipedia.org/wiki/Dr._No_(film)
generates an XSS warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from https://www.startpage.com to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)


If I paste, 'https://en.wikipedia.org/wiki/Dr._No_(film)' into a new tab & hit return, I get the same (sort of) warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)

?

(The same does not occur in NoScript 5.1.9 ;-).)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 SeaMonkey/2.53.22
barbaz
Senior Member
Posts: 11124
Joined: Sat Aug 03, 2013 5:45 pm

Re: Don't Say No - XSS Warning?

Post by barbaz »

Can confirm that URL trips the XSS filter in NoScript 13.0.8.903. Relevant Browser Console messages:

Code:

[NoScript] [InjectionChecker]  
wiki/Dr._No_(film) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_() log.js:34:15

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/Dr._No_(film)
function anonymous(
) {
wiki/Dr._No_(film) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}
Looks like a false positive, should be safe to allow.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
amloessb
Posts: 14
Joined: Fri Jun 28, 2013 6:58 am

Re: Don't Say No - XSS Warning?

Post by amloessb »

I am also encountering this issue, even when inputting the URL directly into the navigation bar.

In my case, this is triggered by the Wikipedia page USS William D. Porter (DD-579)

I was going to suggest that presence of a period/full stop & parentheses in the URL was tripping the XSS detection somehow, but then USS John F. Kennedy (CV-67) doesn't trigger the spurious warning.

(NoScript 13.5.5, Firefox 146.0.1, tested on a fresh profile with only NoScript installed)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
barbaz
Senior Member
Posts: 11124
Joined: Sat Aug 03, 2013 5:45 pm

Re: Don't Say No - XSS Warning?

Post by barbaz »

Browser Console messages:

Code:

[NoScript] [InjectionChecker]  
wiki/USS_William_D._Porter_(DD-579) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_()

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/USS_William_D._Porter_(DD-579)
function anonymous(
) {
wiki/USS_William_D._Porter_(DD-579) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}
amloessb wrote: Sun Dec 28, 2025 10:16 am
I was going to suggest that presence of a period/full stop & parentheses in the URL was tripping the XSS detection somehow, but then USS John F. Kennedy (CV-67) doesn't trigger the spurious warning.
It does for me:

Code:

[NoScript] [InjectionChecker]  
wiki/USS_John_F._Kennedy_(CV-67) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_()

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/USS_John_F._Kennedy_(CV-67)
function anonymous(
) {
wiki/USS_John_F._Kennedy_(CV-67) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}
Quickly testing your suggestion, these do not trigger the XSS warning:

Code:

http://localhost/foo(aaa)
http://localhost/foo_(aaa)
http://localhost/foo.(aaa)
But these do:

Code:

http://localhost/foo._(aaa)
http://localhost/foo.a(bcd)
The triggering pattern seems to be if it looks like valid JavaScript code of the form

Code:

object.function(argument)
Not sure if this can be "globally fixed" without weakening the XSS filter?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0
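The pattern barbaz describes can be modelled in a few lines. The following is an added example, not NoScript's own InjectionChecker code: it pre-filters a URL path for something shaped like `object.function(` and then asks the JavaScript engine whether the fragment, with the same `/**/` comment and `DUMMY_EXPR` suffix seen in the Browser Console messages, compiles as a function body. The `MEMBER_CALL` regex, the helper names and the `http://localhost` base for relative input are assumptions made here; the real extension applies more heuristics than this. Compiling with `new Function` never executes the body, so nothing from the URL runs.

```javascript
// Added example (not NoScript's own code): a simplified model of the
// "object.function(argument)" heuristic described in the thread. The real
// InjectionChecker is more elaborate; this only reproduces the observations
// posted above.

// Pre-filter (assumption): something shaped like a member call, e.g. `Dr._No_(`.
// A plain call such as `foo(aaa)` does not match, which is why it passes.
const MEMBER_CALL = /[\w$]\.[\w$]+\s*\(/;

// Take the path of a URL and drop leading slashes, mirroring the
// "wiki/Dr._No_(film)" form shown in the console messages.
function pathFragment(urlString) {
  const url = new URL(urlString, "http://localhost"); // base only matters for relative input
  let path = url.pathname;
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    // malformed percent-encoding: keep the raw path
  }
  return path.replace(/^\/+/, "");
}

// Does the fragment parse as a JavaScript function body? The comment and
// dummy expression match the shape of the console output. The function is
// only compiled, never invoked.
function parsesAsJs(fragment) {
  try {
    new Function(`${fragment} /**/\nDUMMY_EXPR`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Combined check: pre-filter first, then the parse test.
function looksLikeInjection(urlString) {
  const fragment = pathFragment(urlString);
  return MEMBER_CALL.test(fragment) && parsesAsJs(fragment);
}

// Constructed sample input: the URLs discussed in the thread.
const SAMPLES = [
  "https://en.wikipedia.org/wiki/Dr._No_(film)",
  "https://en.wikipedia.org/wiki/USS_William_D._Porter_(DD-579)",
  "https://en.wikipedia.org/wiki/USS_John_F._Kennedy_(CV-67)",
  "http://localhost/foo(aaa)",
  "http://localhost/foo_(aaa)",
  "http://localhost/foo.(aaa)",
  "http://localhost/foo._(aaa)",
  "http://localhost/foo.a(bcd)",
];

for (const u of SAMPLES) {
  console.log(looksLikeInjection(u) ? "FLAGGED" : "ok     ", u);
}
```

Running this flags the three Wikipedia titles and the two `localhost` paths barbaz lists as triggering, and passes the three he lists as harmless. Note that `foo(aaa)` alone would compile as JavaScript; it is the member-call pre-filter, not the parse step, that lets it through, which is also why "period plus parentheses" on its own is not the trigger.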