potential cross-site scripting error


Post by NanoGeek »

The following works OK:

http://finance.yahoo.com/q?s=BKP.AX,AUD ... to+qcc&d=s


But if "qcc" is changed to "QCC", NoScript (last tried using 1.9.9.27) converts it to:

http://finance.yahoo.com/q?s=BKP.AX,AUD ... 6678466147

Just an annoyance for me, but:

http://finance.yahoo.com/q?s=BKP.AX,AUDUSD=X,CADUSD=X%2CAQN.to%2CALA-UN.to%2CCLL.to%2CDMM.to+dmmif.pk%2CDVT.to+dvtif.pk%2CFNV.to+FNnVf.pk%2CNBD.to+nbrxf.pk%2COPC.to+opcdf.pk%2CPEY-UN.to+peyuf.pk%2CPRT-UN.to+pfsrf.pk%2CWTE-UN.to+wtshf.pk%2CELD.to+EGO%2Circ.to+ROY%2Civn.to+IVN%2CKXM.v+KXM%2Cpve-un.to+PVX%2CQC.to+Q20&d=s#090714086678466147T

There appears to be a string-length issue. If the "BKP.AX," is removed, the problem does not manifest.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5 (.NET CLR 3.5.30729)

Re: potential cross-site scripting error

Post by Tom T. »

I can't produce any XSS message at any of those sites, including fixing the third link. Searching for Quest Capital in either upper or lower case makes no difference. I allowed scripting for finance.yahoo.com, but not for the parent, http://www.yahoo.com. Even tried allowing streamapis.yahoo.com. RequestPolicy allows requests to yimg.com. I tried temp-allowing *all* requests from yahoo.com. No XSS.

Eventually, a placeholder shows up for an ad from ad.wsod.com, and it shows in the blocked-scripts and blocked-objects menus, but still no XSS.

Can you be more specific about what you entered as a search (or is this a saved portfolio page for you?) and where you are getting either a cross-site scripting message, or the potential for one? Everything appears normal to me. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6