[RESOLVED] Why does this search trigger XSS filter?

[barbaz]

Using the DuckDuckGo browser searchplugin (the xml file only, not the XPI they offer), searching for

Code: Select all

ksh add username to prompt

sets off the XSS filter. I haven't previously had XSS filter trouble with this searchplugin, and I don't think it auto-updates.
Why this particular search?
Console messages: (had to capture with a video capture program to view, so there may be typos, especially in that last set of numbers)

Code: Select all

[NoScript InjectionChecker]JavaScript Injection in ///?q=ksh+add+username+to+prompt
(function anonymous() {
q=ksh+add+username+to+prompt /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

[NoScript XSS] Sanitized suspicious request.  Original URL [https://duckduckgo.com
/?q=ksh+add+username+to+prompt] requested from [chrome://navigator/content/navigator.xul].  Sanitized URL:
[https://duckduckgo.com/?q=ksh+add+userNAME+to+PROMPT#40824949409240163382].

[Thrawn]

Have you whitelisted DuckDuckGo?

If not, then the XSS filter is very aggressive.

[barbaz]

Yes, DDG is in my whitelist...

[Thrawn]

Well, judging by what the filter did, it doesn't like 'name', which is frequently a JavaScript attribute, or 'prompt', which pops up an input box.

Does it still happen if you have another keyword after 'prompt'?

[barbaz]

Well, judging by what the filter did, it doesn't like 'name', which is frequently a JavaScript attribute, or 'prompt', which pops up an input box.

That kinda makes sense, but I didn't make "name" a completely separate word...

Does it still happen if you have another keyword after 'prompt'?

Testing with the keyword "terminal", yes...

[Giorgio Maone]

It's a false negative from the new rules against exfiltration, which surely needs to be tweaked.
Checking it...

[barbaz]

Fixed in 2.6.9rc2, thanks.