If I enable TimesPeople on my NYTimes.com account and follow someone, I get a large "[NoScript XSS]: sanitized window.name" entry in the error console when I am on the nytimes.com pages, except when I am on "http://timespeople.nytimes.com/". I am not sure how to write an anti-XSS exception rule. Note: if you don't follow anyone, there isn't a problem. This should be reproducible, but I can PM you the entire NoScript XSS entry from the error console if needed.
NoScript 1.9.5.6
NYTimes TimesPeople Vs. XSS
Last edited by Jim Too on Mon Jul 06, 2009 4:09 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090706 Minefield/3.6a1pre
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NYTimes TimesPeople Vs. XSS
Beside the console entry, have you got any other problem?
window.name sanitization is logged on the console for troubleshooting purposes, but it doesn't get notified because it usually causes no inconvenience to users.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Re: NYTimes TimesPeople Vs. XSS
The feature doesn't work at all when XSS protection is enabled. The list of articles never appears (in fact, the entire TimesPeople bar across the top of the page never fills). I looked at the error console to see if the reason it wasn't working was something being blocked, which is when I found the NoScript entry. When I disable XSS protection, the feature works.
- Giorgio Maone
Re: NYTimes TimesPeople Vs. XSS
OK, could you please show me the whole message?
Re: NYTimes TimesPeople Vs. XSS
Error Console message sent via PM.
- Giorgio Maone
Re: NYTimes TimesPeople Vs. XSS
OK, they're clearly crazy.
They're stuffing a lot of JSON data in window.name. I bet it's extremely vulnerable to XSS.
However, I'll try to put a reasonable work-around in the next dev build, stay tuned.
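To illustrate why a site round-tripping JSON through window.name is risky, and how such state can be consumed defensively, here is an added example (not NoScript's code, not NYTimes' code). It assumes a hypothetical schema with `user` and `following` keys; the sample payloads are constructed, and the real TimesPeople payload from the PM is not shown here.

```javascript
// Added example, not code from NoScript or NYTimes. window.name survives
// navigation and can be written by any page that opened or previously
// occupied the window, so whatever a site reads back from it is untrusted
// input. The schema below is hypothetical; sample payloads are constructed.

// Hypothetical schema for the state object: key -> validator for its value.
const SCHEMA = {
  user: (v) => typeof v === 'string' && v.length <= 64,
  following: (v) => Array.isArray(v) && v.length <= 100 &&
                    v.every((s) => typeof s === 'string' && s.length <= 64),
};

// Fragile pattern: treating window.name as code or markup. eval runs whatever
// another page placed there, and string concatenation reflects it into HTML.
function renderStateUnsafe(name) {
  const state = eval('(' + name + ')');
  return '<span>' + state.user + '</span>';
}

// Hardened pattern: bound the size, parse strictly as JSON, accept only the
// keys and shapes the application expects, and drop everything else.
function parseWindowNameState(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 8192) return null;
  let parsed;
  try {
    parsed = JSON.parse(name);           // JSON.parse never executes code
  } catch (e) {
    return null;                         // anything that is not JSON is ignored
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  const state = {};
  for (const key of Object.keys(SCHEMA)) {
    if (!(key in parsed)) return null;   // every expected key must be present
    if (!SCHEMA[key](parsed[key])) return null;
    state[key] = parsed[key];
  }
  return state;                          // unknown keys are silently dropped
}

// Rendering: escape before building markup (or assign via textContent in a DOM).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderStateSafe(name) {
  const state = parseWindowNameState(name);
  if (state === null) return '<span>(no TimesPeople state)</span>';
  return '<span>' + escapeHtml(state.user) + ' follows ' +
         state.following.map(escapeHtml).join(', ') + '</span>';
}
```

A content-blocker such as NoScript sanitizing window.name breaks the fragile and the hardened consumer alike when the payload is replaced; the difference is that the hardened one fails closed instead of executing or reflecting whatever is left.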
Re: NYTimes TimesPeople Vs. XSS
Thank you.
Jim