[RESOLVED] Mendeley Importer and NoScript

[tnumrych]

I am having trouble successfully using NoScript and the Mendeley Web Importer. Mendeley is a research management tool and the Web Importer is a tool that "lets you import references and documents from over 30 academic databases with a single click." I don't know much about Java but the importer uses the following script to allow for automatic importing:

javascript:document.getElementsByTagName('body')[0].appendChild(document.createElement('script')).setAttribute('src','http://www.mendeley.com/min.php/bookmarklet');

The only way I can use the Web Importer is to disable NoScript. It has been whitelisted.

Can anyone help?

Thanks.

[Giorgio Maone]

Does whitelisting both mendeley.com and the website you're trying to import from help?
Could you provide a working example?

[tnumrych]

Not sure what you mean by "working example" but let me try to explain it better.

Without NoScript enabled, clicking on the Web Importer in the bookmarks toolbar opens a window lists all of the references and documents available on the current webpage (for example scholar.google.com) and gives you a choice of the references and documents you would like to import (but only if the source site you are attempting to import contains references/documents in a format compatible with Mendley of which there is a list on Mendeley.com). With NoScript enabled clicking on the Web Importer yields nothing, the window does not open which prevents me from choosing which references and documents I want to import.

Both mendeley.com and google.com are whitelisted.

[Giorgio Maone]

Not sure what you mean by "working example" but let me try to explain it better.

Without NoScript enabled, clicking on the Web Importer in the bookmarks toolbar opens a window lists all of the references and documents available on the current webpage (for example scholar.google.com)

I suppose http://scholar.google.com is not enough, it needs to be populated with search results.
Could you please provide me with the address of a page where I can launch the bookmarklet on and expect it to visibly work?
Thanks.

[tnumrych]

Any search query in scholar.google.com would work, but here is one:

http://scholar.google.com/scholar?hl=en ... =&as_vis=0

[Giorgio Maone]

Please check latest development build.

[Dr. Gunn]

Giorgio, let me know if you need help getting the bookmarklet to be compatible with NoScript. I can put you in touch with one of the Mendeley devs if you need to know more about the bookmarklet.

[Giorgio Maone]

Giorgio, let me know if you need help getting the bookmarklet to be compatible with NoScript. I can put you in touch with one of the Mendeley devs if you need to know more about the bookmarklet.

Thanks, but as far as I can tell latest development build should just work. Doesn't it?

[AnotherMendeleyUser]

No, it doesn't
The importer is at: http://www.mendeley.com/import/

Thanks

[Giorgio Maone]

Unfortunately their code has changed in the meanwhile, and to cope with the asynchronous technique they're using now you need:

1. latest development build
2. Allowing both the current site and mendeley.com

[AnotherMendeleyUser]

It works fine for me now! Lots of thanks.

[ace28]

Hi, I am using the current mendeley importer. It is basically a bookmark that contains a javascript:

javascript:document.getElementsByTagName('body')[0].appendChild(document.createElement('script')).setAttribute('src','https://www.mendeley.com/minified/bookmarklet.js');

When I want to use it with google scholar mendeley gets blocked for cross site scripting. But I would like to allow it. I think that the soloution is to write an exeption like the one for google:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?

My attempt for google scholar is:

^https://scholar\.google\.de

But it does not work. Does anyone know how to write the exeption correctly? Maybe google scholar could get a built in exeption just like the google main page has?

Thanks in advance.

[Thrawn]

If the XSS filter is being triggered, then there should be messages in the Browser Console (Ctrl+Shift+J). Can you copy and paste them here?

[ace28]

Hi Thrawn,

I just noticed that the previously postet output has some youtube in there. So it should be the wrong output.

This has NoScript in it, so it should be the correct output:

[NoScript InjectionChecker] JavaScript Injection in u;setTimeout(function(){U={};},1000);}break;}t=(n==="SPAN"||n==="B"||n==="I"||n==="EM")&&t.parentNode;}});}(navigator.sendBeacon,{});gs_is_ios&&gs_uas("AppleWebKit")&&!gs_uas("CriOS")&&(gs_uas("OS
(function anonymous() {
(navigator.sendBeacon,{});gs_is_ios&&gs_uas("AppleWebKit") /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Ein verdächtiger Upload zu [https://www.mendeley.com/import/html/## ... llapse%3Ac

I hope it is correct this time. I will delete the previous post if I can.

[barbaz]

Only Moderators can delete posts, I'll do it for you.

I can come up with an XSS exception from that console message but I'm unable to get enough information about Mendeley to determine whether it's actually XSS vulnerable or not. What they are doing is equivalent to XSS...