Hi, I'm a bit of a numpty when it comes to computer stuff and am not sure how to handle a NoScript alert I keep getting when trying to pay a membership fee for a site that uses PayPal. Whenever I go to make the payment, the site redirects to PayPal but the form information (company, amount of purchase etc.) is blocked by NoScript. The alert message says NoScript filtered a potential cross-site scripting attempt from (name of site I'm trying to pay). On the console, the message says: [NoScript XSS] Sanitised suspicious upload to [https://www.paypal.com/cgi-bin/webscr## ... Fscript%3E] from [http://www.fantasyfootballscout.co.uk/? ... ibe=1&ud=1]: transformed into a download-only GET request.
I trust this site and have allowed scripts for it but don't want to do an 'unsafe reload' to make the payment if it really is potentially unsafe. I have no clue how to tell either way though. Any thoughts would be appreciated and thanks in advance from a complete ignoramus!
Oops, forgot to mention that I have the latest NoScript version, 2.1.2.3.
Potential Cross-Site scripting alert question
- Posts: 4
- Joined: Sat Jul 30, 2011 1:41 pm
- Posts: 4
- Joined: Sat Jul 30, 2011 1:41 pm
Re: Potential Cross-Site scripting alert question
Sorry for the double post but wanted to give a wee update on the issue: I talked to the site (http://www.fantasyfootballscout.co.uk/) owner about the payment link being flagged by NoScript. He talked to his coder and passed this on:
"The code we use for membership and payments on the site sends information to PayPal for payment only. Fields include amount, currency and our PayPal address. These are all necessary in order to complete any payment and should not be treated as malicious."
Like I said in my first post, I trust this site (my husband has subscribed before with no problems). They're on my whitelist, as is PayPal. Is this possibly a false positive or is there possibly still a problem? I don't know whether to try an unsafe reload or if that would be unwise.
Thanks again in advance.
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Potential Cross-Site scripting alert question
Hi. I usually leave it up to the developer, Giorgio, to handle these issues, but he may have overlooked this topic. Could you update to the latest development build and try again? A lot of fixes have been made to NoScript since 2.1.2.3. Before trying again though, go to your paypal account and verify that the payment didn't go through already. You don't want to pay twice accidentally.
If your problem persists with the updated NoScript, I'd go ahead and do an unsafe reload to make your payment. From your description of the problem and your input from the fantasy football site, I think it would be safe for you to do that.
Edit: Please get back to us and let us know if your problem was fixed in the latest NoScript or if you had to do an "unsafe reload" instead.
- Posts: 4
- Joined: Sat Jul 30, 2011 1:41 pm
Re: Potential Cross-Site scripting alert question
Hi, thanks so much for getting back to me and for the suggestions! I did upgrade to the latest development version but it still didn't go through. However, I did eventually try removing both sites from my whitelist in NoScript and this actually wound up doing the trick: the transaction went through just fine without having to do an unsafe reload. So, hurray, it's been resolved!
Thanks again for getting back to me. Really appreciate all the work you guys put in.
cheers.
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Potential Cross-Site scripting alert question
Could you temporarily revert to your previous configuration and email (or PM) me any [NoScript XSS] line you can find in your Tools>Error Console when this happens?
Thank you.
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Potential Cross-Site scripting alert question
This was included in the original post. Does it help?
[NoScript XSS] Sanitised suspicious upload to [https://www.paypal.com/cgi-bin/webscr## ... Fscript%3E] from [http://www.fantasyfootballscout.co.uk/? ... ibe=1&ud=1]: transformed into a download-only GET request.
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Potential Cross-Site scripting alert question
Alan Baxter wrote: This was included in the original post. Does it help? [NoScript XSS] Sanitised suspicious upload to [https://www.paypal.com/cgi-bin/webscr## ... Fscript%3E] from [http://www.fantasyfootballscout.co.uk/? ... ibe=1&ud=1]: transformed into a download-only GET request.
Sorry, did not notice.
It's almost surely a site bug, then, because no Paypal button needs to send the "<script></script>" string (which correctly triggers NoScript) to Paypal.
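To make Giorgio's point concrete, here is an added example (not NoScript's code and not the site's) that mimics the logged behaviour: a cross-site form upload is checked field by field, and any field whose decoded value carries a script tag causes the whole POST to be downgraded to a parameterless GET. The PayPal field names and the form bodies are constructed for the example; legitimate payment fields (amount, currency, payee address) contain no such string, so a clean submission passes untouched.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# What an XSS filter of this kind looks for in each form value: an HTML
# script tag, opening or closing, after one round of URL decoding
# (parse_qsl performs that decoding for us).
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed sample bodies. Field names follow PayPal Payments Standard
# buttons as assumed here; they are not taken from the thread.
CLEAN_BODY = (
    "cmd=_xclick&business=payments%40example.org&item_name=Membership"
    "&amount=19.99&currency_code=GBP&return=http%3A%2F%2Fwww.example.org%2Fthanks"
)
# The same submission with a stray "<script></script>" inside one field,
# the kind of content the thread's log line shows being sanitised.
SUSPICIOUS_BODY = (
    "cmd=_xclick&business=payments%40example.org"
    "&item_name=Membership%3Cscript%3E%3C%2Fscript%3E"
    "&amount=19.99&currency_code=GBP"
)


def flagged_fields(body: str) -> list:
    """Names of form fields whose decoded value contains a script tag."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if SCRIPT_TAG.search(value)]


def is_cross_site(origin_url: str, target_url: str) -> bool:
    """True when the form is posted to a different host than it came from."""
    return urlsplit(origin_url).netloc.lower() != urlsplit(target_url).netloc.lower()


def sanitise_upload(origin_url: str, target_url: str, body: str) -> dict:
    """Cross-site POST carrying script-like content becomes a download-only
    GET: the body and any query string are dropped, so nothing suspicious
    reaches the target. Same-site or clean uploads are passed through."""
    bad = flagged_fields(body)
    if is_cross_site(origin_url, target_url) and bad:
        stripped = urlsplit(target_url)._replace(query="").geturl()
        return {"method": "GET", "url": stripped, "body": None, "flagged": bad}
    return {"method": "POST", "url": target_url, "body": body, "flagged": []}


if __name__ == "__main__":
    origin, target = "http://www.example.org/?subscribe=1", "https://www.paypal.com/cgi-bin/webscr"
    print(sanitise_upload(origin, target, CLEAN_BODY)["method"])       # POST
    print(sanitise_upload(origin, target, SUSPICIOUS_BODY)["flagged"]) # ['item_name']
```

Running it shows why the alert fires: the sanitiser is keyed on the script tag itself, not on PayPal or the merchant, so the merchant's page must be emitting that string in a field for the filter to trigger.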
- Posts: 4
- Joined: Sat Jul 30, 2011 1:41 pm
Re: Potential Cross-Site scripting alert question
Interesting, is that something I should pass on to the site owner then? Also, did you want more information about the XSS warning messages generated from the link or was that message enough?
Cheers for the help Giorgio (and Alan)
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Potential Cross-Site scripting alert question
20questions wrote: Interesting, is that something I should pass on to the site owner then?
It would be awesome if you could get him to explain what that string was for.
20questions wrote: Also, did you want more information about the XSS warning messages generated from the link or was that message enough?
It was enough, thanks.