XSS on Techcrunch Page

[qwerty017]

Page: http://techcrunch.com/2012/11/14/uber-class-action-lawsuit-response/
Console Errors: Can't post as it keeps getting caught in the spam filter. Please go to the page and check the Console for the errors received.

[therube]

Is this what you're seeing?

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [http://wpcomwidgets.com/?frameborder=0&scrolling=no&resize=1&replace_attributes=1&fallback=%3Cp+class%3D%22protected-embed-fallback%22%3EThis+embed+is+invalid%3C%2Fp%3E&width=600&height=800&_data=PGlmcmFtZSBpZD0iZG9jXzYxMTMwIiBzcmM9Imh0dHA6Ly93d3cuc2NyaWJkLmNvbS9lbWJlZHMvMTEzMjY5MjU2L2NvbnRlbnQ%2Fc3RhcnRfcGFnZT0xJmFtcDt2aWV3X21vZGU9c2Nyb2xsJmFtcDthY2Nlc3Nfa2V5PWtleS1ydXM1dWFkbHIwM2w3N3lwZDFjIiBoZWlnaHQ9IjgwMCIgd2lkdGg9IjYwMCIgZGF0YS1hdXRvLWhlaWdodD0iZmFsc2UiIGRhdGEtYXNwZWN0LXJhdGlvPSIiPjwvaWZyYW1lPg%3D%3D%2Cc8d76ae56cc5a4f7f3ebbdddafe9d7746e452666&_tag=protected-iframe&_hash=495086da9201912f82d87c0ba5bcfa9f] requested from [http://techcrunch.com/2012/11/14/uber-class-action-lawsuit-response/]. Sanitized URL: [http://wpcomwidgets.com/?frameborder=0&scrolling=no&resize=1&replace_attributes=1&fallback=%20p+class%20%20protected-embed-fallback%20%3EThis+embed+is+invalid%20/p%3E&width=600&height=800&_data=PGlmcmFtZSBpZD0iZG9jXzYxMTMwIiBzcmM9Imh0dHA6Ly93d3cuc2NyaWJkLmNvbS9lbWJlZHMvMTEzMjY5MjU2L2NvbnRlbnQ%2Fc3RhcnRfcGFnZT0xJmFtcDt2aWV3X21vZGU9c2Nyb2xsJmFtcDthY2Nlc3Nfa2V5PWtleS1ydXM1dWFkbHIwM2w3N3lwZDFjIiBoZWlnaHQ9IjgwMCIgd2lkdGg9IjYwMCIgZGF0YS1hdXRvLWhlaWdodD0iZmFsc2UiIGRhdGEtYXNwZWN0LXJhdGlvPSIiPjwvaWZyYW1lPg%20%20%2Cc8d76ae56cc5a4f7f3ebbdddafe9d7746e452666&_tag=protected-iframe&_hash=495086da9201912f82d87c0ba5bcfa9f#543225106806905452].

[qwerty017]

Is this what you're seeing?

That is one of the messages I am seeing. I am seeing a total of 5. 3 for [NoScript InjectionChecker] HTML injection: and 2 for [NoScript XSS] Sanitized suspicious request.

EDIT: That's strange. Even replying to your post with the code throws up the spam blocker. Weird.

[Giorgio Maone]

They're sending and rendering potentially dangerous HTML fragments around.
I'm not sure there's a suitable work-around.
Does this actually cause the page to malfunction?

[qwerty017]

They're sending and rendering potentially dangerous HTML fragments around.
I'm not sure there's a suitable work-around.
Does this actually cause the page to malfunction?

It stops the embedded PDF from showing and instead shows the text "No hotlinking please.".

[Giorgio Maone]

Hum, you can add the following line to your NoScript Options|Advanced|XSS exceptions box then:

Code: Select all

^http://wpcomwidgets\.com/?[^<"'\(]+$

I'll try to incorporate a safe exception in next release.

[qwerty017]

Hum, you can add the following line to your NoScript Options|Advanced|XSS exceptions box then:

Code: Select all

^http://wpcomwidgets\.com/?[^<"'\(]+$

I'll try to incorporate a safe exception in next release.

Added the exception rule which worked for 3 of the messages but I am still seeing 2 left and the embed is still not showing.

[therube]

This set of domains looks to work without dealing with wordpress/wp* at all, so no XSS:

Code: Select all

+scribd.com
+scribdassets.com
+techcrunch.com

Now I did have to click on the placeholder, twice, before the scribd* domains showed up, but to me that seems a better route?