[BUG] [XSS] False XSS positives for Wikimedia secure site

schnee
Posts: 2
Joined: Tue Aug 17, 2010 5:59 pm

[BUG] [XSS] False XSS positives for Wikimedia secure site

Post by schnee »

Hi folks,

I just got the following false XSS positives that I'd like to report as a bug:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_(Beethoven)] requested from [https://encrypted.google.com/search?hl=en&q=beethoven%27s+7th]. Sanitized URL: [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_%20Beethoven%20#6355658425021999302].
[NoScript XSS] Sanitized suspicious request. Original URL [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_(Beethoven)] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_%20Beethoven%20#46670769589367445329].
This happens with Mozilla 3.6.8 and NoScript 2.0.1. Apologies if this is already known/fixed in a development version/the wrong way to file a bug report. ;)
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
schnee
Posts: 2
Joined: Tue Aug 17, 2010 5:59 pm

Re: [BUG] [XSS] False XSS positives for Wikimedia secure sit

Post by schnee »

anonymous_user wrote:Well, "Symphony_No._7_(Beethoven)" is a syntactically correct JavaScript expression that would call the _7_ method on a Symphony_No object. But NoScript already ships with an XSS filter exception to fix this exact thing (false positives from Google search Wikipedia articles) -- did you delete that exception by any chance?
No, I didn't delete anything. I just checked, though, and the Wikipedia exception at least only applies to wikipedia.org, not wikimedia.org (which is where the secure site is located). I'm not sure about the rest, though: the Google exception (^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?) is there.

EDIT:
edit: Actually, disregard that, the XSS filter exception NoScript currently ships with only applies to the non-secure version of Wikipedia... this rule should match the secure version
Thanks for that! It might be worth adding this to the default exceptions in the next NoScript release, too.

Cheers!
Last edited by schnee on Tue Aug 17, 2010 10:08 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
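Added example, not part of the thread and not NoScript's own code: it checks the URLs from the log above against the Google exception regex quoted in the post, and shows that the article's last path segment parses as a JavaScript call while the sanitized form does not. The function names and the `looksLikeJsCall` heuristic are assumptions made for illustration.

```javascript
// Added illustration; a simplified stand-in, not NoScript's actual filter.

// Google exception regex, copied from the post above.
const GOOGLE_EXCEPTION =
  /^https?:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/;

// URLs taken from the log lines in the first post.
const ORIGIN = "https://encrypted.google.com/search?hl=en&q=beethoven%27s+7th";
const TARGET =
  "https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_(Beethoven)";
const SANITIZED =
  "https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_%20Beethoven%20#6355658425021999302";

// Decoded last path segment, the part that reads like script in this report.
function lastPathSegment(url) {
  const path = new URL(url).pathname;
  return decodeURIComponent(path.slice(path.lastIndexOf("/") + 1));
}

// Parse only: new Function compiles the source, and it is never called here.
function parsesAsJs(src) {
  try {
    new Function(src);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Hypothetical heuristic: contains name(...) and the whole segment is valid JS.
function looksLikeJsCall(segment) {
  return /[A-Za-z_$][\w$]*\s*\([^()]*\)/.test(segment) && parsesAsJs(segment);
}

function analyze() {
  return {
    originalFlagged: looksLikeJsCall(lastPathSegment(TARGET)),
    sanitizedFlagged: looksLikeJsCall(lastPathSegment(SANITIZED)),
    exceptionMatchesGoogle: GOOGLE_EXCEPTION.test(ORIGIN),
    exceptionMatchesWikimedia: GOOGLE_EXCEPTION.test(TARGET),
  };
}

console.log(analyze());
```

The regex matches the Google search URL but not the secure.wikimedia.org URL, and replacing the parentheses with spaces, as in the sanitized URL, is enough to stop the segment from parsing as a call.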
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [BUG] [XSS] False XSS positives for Wikimedia secure sit

Post by Giorgio Maone »

It will be in next dev build, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8