Code: Select all
[NoScript XSS] Sanitized suspicious upload to [https://xxx:yyy/zzz] from [https://access.qgcidm.citec.com.au/openam/UI/Login]: transformed into a download-only GET request.
[RESOLVED]XSS false positive: access.qgcidm.citec.com.au
[RESOLVED]XSS false positive: access.qgcidm.citec.com.au
The SAML-based Single Sign-On service at access.qgcidm.citec.com.au triggers the XSS filter after logging in, when it attempts to send you back to the site that was using the service.
Will send POST data via PM.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
-
Giorgio Maone
- Site Admin
- Posts: 9557
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS false positive: access.qgcidm.citec.com.au
- Is citec.com.au whitelisted at the moment of submission?
- Is there also a message from the InjectionChecker in your error console? (you may want to PM it as well)?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Re: XSS false positive: access.qgcidm.citec.com.au
Ah. We had left it untrusted so that we could test the non-JavaScript version. That would explain it.
Whitelisting it, but switching off JavaScript, fixes the problem. Thanks
.
Whitelisting it, but switching off JavaScript, fixes the problem. Thanks
.Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0