NoScript issuing XSS warning/block on the loband MSDN

masklinn

Post by masklinn »

http://msdn.microsoft.com/en-us/library ... band).aspx

For some reason, NoScript seems not to appreciate the parens in the URL:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/en-us/library ... band).aspx] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/en-us/library ... 6001087289].
Except with other filters e.g. http://msdn.microsoft.com/en-us/library ... S.85).aspx or using loband in a compound filter http://msdn.microsoft.com/en-us/library ... band).aspx (or switching them around http://msdn.microsoft.com/en-us/library ... S.85).aspx) the page loads fine.

The page's code doesn't seem to do anything special (or anything at all, really) and only the URL seems to have an impact on the behavior, which would point to a bug/false positive in some URL filter in NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by Giorgio Maone »

system.object(loband).aspx

is syntactically valid JavaScript, and complex enough to be harmful (semantics aside, but no checker could check semantics without the context of the whole document and before all the scripts are executed -- and at that point it would be too late to block).

Neither

system.object(VS.85).aspx
nor

system.object(VS.85,loband).aspx
nor

system.object(loband,VS.85).aspx
are syntactically valid JavaScript, instead.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
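The distinction Giorgio draws above can be checked directly: the engine's parser is asked whether each path segment is a valid JavaScript program, without ever executing it. This is an added illustration of that heuristic, not NoScript's own detection code; the segments are the four quoted in the reply.

```javascript
// Added example, not NoScript's code: does a URL path segment parse as
// JavaScript? new Function() compiles the text as a function body without
// running it, so nothing in the segment is ever executed.
function parsesAsJavaScript(fragment) {
  try {
    new Function(fragment);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything other than a parse failure is unexpected
  }
}

// The four MSDN path segments quoted in the thread.
const SEGMENTS = [
  "system.object(loband).aspx",        // call expression + member access: valid
  "system.object(VS.85).aspx",         // "VS.85": a number after the dot: invalid
  "system.object(VS.85,loband).aspx",  // same defect inside the argument list
  "system.object(loband,VS.85).aspx",  // same defect, other order
];

// Map each segment to whether a JavaScript parser accepts it.
function classifySegments(segments) {
  return segments.map((segment) => ({ segment, validJs: parsesAsJavaScript(segment) }));
}

for (const { segment, validJs } of classifySegments(SEGMENTS)) {
  console.log(validJs ? "valid JS  :" : "invalid JS:", segment);
}
```

Only the "loband" variant parses, which is exactly the one the filter sanitized; the others fail on `VS.85` because an identifier, not a number, must follow the dot.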
m60freeeman

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by m60freeeman »

I have a somewhat similar problem. Whenever I am in Visual Studio 2010 and ask for help on something, I get an XSS warning from NoScript. Here is a typical example:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.q ... 2)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 9058295266].
I have entered an exception for:
However, I still get the errors. What exception do I need to avoid having these URLs flagged for XSS?

Thanks,

Mark
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by Giorgio Maone »

m60freeeman wrote: I have entered an exception for:
However, I still get the errors. What exception do I need to avoid having these URLs flagged for XSS?
That won't work because the target URIs do contain question marks and a percent sign, which you're explicitly excluding.
Try

^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
m60freeman
Posts: 4
Joined: Fri Oct 29, 2010 8:39 pm

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by m60freeman »

^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$
That doesn't work either. I still get the XSS warning. This is the console message:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.q ... P)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 0494491255].
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by Giorgio Maone »

m60freeman wrote: That doesn't work either.
That's weird, since

javascript:alert(/^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^"'<>]+$/.test(
"http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k(MICROSOFT.SQLSERVER.MANAGEMENT.COMMON.SERVERCONNECTION);k(SERVERCONNECTION);k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true"))
says "true".
Did you use copy & paste?
Is the text in the exception box red (that would mean there's a syntax error)?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
m60freeman
Posts: 4
Joined: Fri Oct 29, 2010 8:39 pm

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by m60freeman »

This is what I have in the NoScript Options Dialog:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$
I don't see anything in red. When the MSDN page displays, I get the XSS message at the top and have to do an "Unsafe Reload" to display the page and see this in the console as an information message:

[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k(SYSTEM.WINDOWS.FORMS.MESSAGEBOX);k(MESSAGEBOX);k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k%20SYSTEM.WINDOWS.FORMS.MESSAGEBOX%20%3Bk%20MESSAGEBOX%20%3Bk%20TargetFrameworkMoniker-%20.NETFRAMEWORK%2CVERSION%20V4.0%20%20%3Bk%20DevLang-CSHARP%20&rd=true#03343241566010924190].
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by Giorgio Maone »

Confirmed. Something weird going on (a bug?). Investigating, thanks.
[EDIT]
Nothing weird, nor a bug: there are double quotes in those JavaScript-like strings which trigger the filter.
Change the exception into:

^http://msdn\.microsoft\.com/query/dev10\.query\?[^'<>]+$
and you'll be set.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
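Why the first exception matched in Giorgio's javascript: test yet failed in practice can be seen by running both regexes against the console's Original URL in its raw and percent-decoded forms. This is an added check, not NoScript's code, and it assumes (reading Giorgio's explanation, which the thread does not state outright) that the exception is applied to the decoded URL, where %22 has become a literal double quote.

```javascript
// Added example, not NoScript's own code: run an XSS-filter exception against
// a URL as sent on the wire and after percent-decoding. Assumption: NoScript
// matches exceptions against the decoded form (inferred from the thread).
const FIRST_EXCEPTION = /^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^"'<>]+$/;
const FIXED_EXCEPTION = /^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^'<>]+$/;

// The Original URL from the console message quoted earlier in the thread.
const MSDN_URL =
  "http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US" +
  "&k=k(SYSTEM.WINDOWS.FORMS.MESSAGEBOX);k(MESSAGEBOX);" +
  "k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true";

// Report whether the exception matches the raw and the decoded URL.
function evaluateException(regex, url) {
  const decoded = decodeURIComponent(url);
  return {
    matchesRaw: regex.test(url),
    matchesDecoded: regex.test(decoded),
    decodedHasQuote: decoded.includes('"'),
  };
}

// Which of the characters a negated class excludes appear once the URL is decoded?
function excludedCharsPresent(url, excluded) {
  const decoded = decodeURIComponent(url);
  return [...new Set([...decoded].filter((c) => excluded.includes(c)))];
}

console.log("first exception:", evaluateException(FIRST_EXCEPTION, MSDN_URL));
console.log("fixed exception:", evaluateException(FIXED_EXCEPTION, MSDN_URL));
console.log("excluded chars after decoding:", excludedCharsPresent(MSDN_URL, "\"'<>"));
```

The raw URL matches either regex (it contains `%22`, not `"`), but only the exception that drops `"` from its character class still matches after decoding, which is the behaviour the corrected exception relies on.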
m60freeman
Posts: 4
Joined: Fri Oct 29, 2010 8:39 pm

Re: NoScript issuing XSS warning/block on the loband MSDN

Post by m60freeman »

That works perfectly. Thanks!
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)