From http://forums.informaction.com/viewtopi ... =15#p11809
I suggest adding this info to the FAQ so users understand how NoScript protects them if their financial website gets hacked, and also so users understand the dangers of allowing all scripts on a page.

Giorgio Maone wrote:
Script blocking (which you turn off) prevents 3rd party scripts from being included in your whitelisted site if their origins are not whitelisted as well.
This has nothing to do with Anti-XSS, but helps in most persistent XSS / SQL Injection scenarios, because using a remote inclusion is much more practical, and often the only feasible path for an attacker (e.g. if the injectable field has length constraints, see http://ha.ckers.org/blog/20080110/dimin ... st-wrapup/ ).
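
The remote-inclusion case described in the quote, as an added example that is not part of the original post and is not NoScript's code: a simplified model of a host whitelist applied to the `<script src>` elements of a whitelisted page. The page URL, hostnames, HTML and function names are constructed for illustration, and the "exact host or subdomain" matching rule is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def host_allowed(host, whitelist):
    # Assumed rule for this sketch: exact host match or a subdomain of an entry.
    host = (host or "").lower()
    return any(host == w or host.endswith("." + w) for w in whitelist)


def classify_scripts(page_url, html, whitelist):
    """Return (allowed, blocked) lists of absolute script URLs."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed, blocked = [], []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host/ forms.
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname
        (allowed if host_allowed(host, whitelist) else blocked).append(absolute)
    return allowed, blocked


# Constructed sample: a whitelisted site whose stored "memo" field has been
# tampered with so that it pulls a script from a host the user never allowed.
PAGE_URL = "https://bank.example/account"
PAGE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.bank.example/ui.js"></script>
<p>Memo: <script src="//x.test/a.js"></script></p>
</body></html>
"""
WHITELIST = {"bank.example"}

if __name__ == "__main__":
    ok, denied = classify_scripts(PAGE_URL, PAGE_HTML, WHITELIST)
    print("allowed:", ok)
    print("blocked:", denied)
```

The model only covers scripts loaded by URL, which is the case the quote addresses; it says nothing about inline script on a whitelisted page.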