RFE: Remove obsolete default XSS Exceptions

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

RFE: Remove obsolete default XSS Exceptions

Post by Tom T. »

Thrawn and I have been testing the default XSS exceptions. Neither of us was able easily to trigger an XSS warning with the exceptions removed.

I started deleting all exceptions a few years ago anyway. I use Google only when absolutely necessary, but have used Wikipedia, as both guest and registered user, including secure version, many times, with no XSS errors at either site. Couldn't create one in Yahoo search, either.

Last mention of XSS re: Wikipedia is
v 1.1.4.8.070424
x Improved Wikipedia XSS exception
or more than five years ago.

Wikimedia:
v 1.1.9.9
x Better compatibility with Wikimedia sites
(doesn't specify XSS)

With the continued fine-tuning of the XSS sensitivity, perhaps these may be deleted as defaults -- unless anyone can show a reasonable set of steps to trigger an XSS message when these exceptions are removed?
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: RFE: Remove obsolete default XSS Exceptions

Post by dhouwn »

Wasn't it introduced because quite a lot of WP sites have brackets in them, e.g. http://en.wikipedia.org/wiki/John_Doe_(disambiguation) or one might search for things with braces http://en.wikipedia.org/wiki/Special:Se ... oe+(actor)?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: RFE: Remove obsolete default XSS Exceptions

Post by Tom T. »

dhouwn wrote:Wasn't it introduced because quite a lot of WP sites have brackets in them, e.g. http://en.wikipedia.org/wiki/John_Doe_(disambiguation) or one might search for things with braces http://en.wikipedia.org/wiki/Special:Se ... oe+(actor)?
I just clicked both of your links, and neither produced an XSS message. Both went directly to the target pages.

Any more explicit steps to produce an XSS message?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: RFE: Remove obsolete default XSS Exceptions

Post by Thrawn »

I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: RFE: Remove obsolete default XSS Exceptions

Post by Tom T. »

Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions? ;)

(or click "XSS FAQ..." at the top of the XSS tab itself.)
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: RFE: Remove obsolete default XSS Exceptions

Post by Thrawn »

Tom T. wrote:
Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions? ;)

(or click "XSS FAQ..." at the top of the XSS tab itself.)
Yes, that's the ideal, of course. But it might be good to add

^https?://www\.example.com/
to the default exceptions?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: RFE: Remove obsolete default XSS Exceptions

Post by Tom T. »

Thrawn wrote:
Tom T. wrote:
Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions? ;)

(or click "XSS FAQ..." at the top of the XSS tab itself.)
Yes, that's the ideal, of course. But it might be good to add

^https?://www\.example.com/
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
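The point Tom T. makes above (an exception switches the filter off for every URL it matches, so a whole-site exception is only as safe as that site) and dhouwn's earlier question about parentheses in Wikipedia URLs can both be seen in a small model. The following is an added example, not NoScript's own code: it assumes that an XSS exception is a regular expression tested against the destination URL, and the reflected-XSS heuristic, the exception strings and the sample URLs are all constructed for illustration.

```javascript
// Added example, not NoScript's own code. Models the interaction between a
// list of XSS exceptions (assumed here to be regexes tested against the
// destination URL) and a deliberately naive reflected-XSS heuristic.
// The heuristic, the exception strings and the sample URLs are constructed.

// Naive heuristic: markup or script-like content in the query or fragment.
// Parentheses in the *path* are deliberately not flagged, so a Wikipedia
// disambiguation URL passes without needing any exception.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|javascript:|\bon\w+\s*=/i;

function looksLikeXss(url) {
  const u = new URL(url);
  let tail = u.search + u.hash;
  try {
    tail = decodeURIComponent(tail);          // look through %3C etc.
  } catch (_) {
    // malformed percent-encoding: inspect the raw string instead
  }
  return SUSPICIOUS.test(tail);
}

// One exception per line, as typed into the XSS exceptions box.
function compileExceptions(lines) {
  return lines
    .map(l => l.trim())
    .filter(l => l && !l.startsWith('#'))
    .map(l => new RegExp(l));
}

function isExempt(url, exceptions) {
  return exceptions.some(re => re.test(url));
}

// Verdict for a destination URL: an exception short-circuits the heuristic,
// so whatever the query carries is passed through untouched.
function decide(url, exceptions) {
  if (isExempt(url, exceptions)) return 'allow (exception)';
  return looksLikeXss(url) ? 'sanitize' : 'allow';
}

// --- Constructed scenarios -------------------------------------------------
const WIKI_DISAMBIG = 'https://en.wikipedia.org/wiki/John_Doe_(disambiguation)';
const WIKI_SEARCH   = 'https://en.wikipedia.org/w/index.php?search=John+Doe+(actor)';
const PAYLOAD       = 'https://www.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E';

// Whole-site exception as proposed in the thread. Note the unescaped second
// dot: "example.com" in a regex also matches "exampleXcom".
const SITE_WIDE = compileExceptions(['^https?://www\\.example.com/']);
// Hypothetical narrower exception covering only a static path prefix.
const NARROW    = compileExceptions(['^https?://www\\.example\\.com/static/']);

function demo() {
  return {
    disambigNoException: decide(WIKI_DISAMBIG, []),   // 'allow'
    searchNoException:   decide(WIKI_SEARCH, []),     // 'allow'
    payloadNoException:  decide(PAYLOAD, []),         // 'sanitize'
    payloadSiteWide:     decide(PAYLOAD, SITE_WIDE),  // 'allow (exception)'
    payloadNarrow:       decide(PAYLOAD, NARROW),     // 'sanitize'
  };
}

console.log(demo());
```

Two things to take from the run: the parenthesised Wikipedia URLs are never flagged in the first place, so an exception for them buys nothing, while the site-wide `example.com` exception lets a script payload in the query straight through. When an exception really is needed, scope it to the narrowest path that misbehaves and escape every literal dot.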
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: RFE: Remove obsolete default XSS Exceptions

Post by Thrawn »

Tom T. wrote:
Thrawn wrote: <snip>it might be good to add

^https?://www\.example.com/
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
Huh. I would have thought it was safe, but when I actually visit, turns out that it's trying to run 3 scripts. Who'd have thunk?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: RFE: Remove obsolete default XSS Exceptions

Post by Tom T. »

Thrawn wrote:
Tom T. wrote:
Thrawn wrote: <snip>it might be good to add

^https?://www\.example.com/
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
Huh. I would have thought it was safe, but when I actually visit, turns out that it's trying to run 3 scripts. Who'd have thunk?
"Never assume". ;) ... I was working on a post in which the user was differentiating between internal LAN sites and external Internet sites, and used external dot com for the latter. Turns out there actually is a web site by that name.
Not surprising -- most common expressions have been co-opted as domain names, to get the "accidental" traffic, where their ads are displayed.

E.g., for ABE rules -- using as an example "friend dot com" (vs. foe dot com). There is a site at friend dot com, too.
So I check all "generic" domains for an actual site there before using them. At least example/IANA is a non-profit site. :)