A frustrating discovery: NoScript generates a false-positive XSS error when a bookmark's URL contains parentheses "(" or ")", or the sanitized %28 or %29. It thinks there's JavaScript code embedded in the URL. This happened to me with a bookmarked Craigslist search for "(rider|riding)+(lawn|mower)+(bagging|bagger)" which ends up looking like "http://rochester.craigslist.org/search/ ... ng|bagger)".
I tried allowing the "requested from" of the XSS per the console—chrome://browser/content/browser.xul—but that didn't work. I didn't think it would be wise to whitelist Craigslist search ... basically it would be gambling that a potential exploit (admittedly as unlikely as it would be) would not happen.
[RESOLVED] False XSS error on bookmark URL with ( or )
May your deeds return to you tenfold,
---Jason Olshefsky
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:38.0) Gecko/20100101 Firefox/38.0
Re: False XSS error on bookmark URL with ( or )
You might want to check if the site is actually vulnerable to XSS before making exception for it.
If you choose to do that, disable the XSS filter (un-check everything in NoScript Options > Advanced > XSS), search for something like

    <script>alert(0)</script>

and see what happens?
(If you don't get an alert thrown in your face, but just a search, you're probably fine.)
Make sure to re-enable XSS filtering afterwards!
Anyway, if you're comfortable with it, try this XSS exception?
NoScript Options > Advanced > XSS

    ^https?://(?:[^/:]+\.)?craigslist\.org/search/sss\?query=.*[()]

This allows any craigslist search with parentheses in the query to be exempt from XSS checking.
(I'm not sure if those parentheses at the end need to be escaped - if so it'd be \(\) instead of (). If what I posted doesn't work verbatim, try that?)
*Always* check the changelogs BEFORE updating that important software!
Re: False XSS error on bookmark URL with ( or )
Or... see the sticky for how to whitelist the origin of the request; it'd look like this:

    ^@chrome://browser/content/browser\.xul$

Off-topic: I find your website interesting.
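The two exception lines proposed in the replies above, tried out as JavaScript regular expressions (the flavour NoScript evaluates). This is an added example, not code from the thread or from NoScript: how a line is applied is modelled only on the thread's description (a plain pattern is tested against the destination URL; a pattern whose text, after an optional "^", starts with "@" is tested against the requesting origin), and the parsing of that "@" convention, the sample bookmark URL with the /search/sss?query= path, and the third-party origin are all constructed for the example. Whether NoScript percent-decodes %28/%29 before matching is not stated in the thread, so the raw and decoded checks are shown separately. As a side note on the open question in the first reply: inside a character class such as [()] the parentheses are literal and need no escaping.

```javascript
// Added example: evaluate NoScript-style XSS exception lines as JS regexes.
// The matching rules below are an assumption modelled on the thread, not
// NoScript's own implementation.

// The two exception lines as they would be typed into
// NoScript Options > Advanced > XSS.
const EXCEPTION_LINES = [
  "^https?://(?:[^/:]+\\.)?craigslist\\.org/search/sss\\?query=.*[()]",
  "^@chrome://browser/content/browser\\.xul$",
];

// Turn each line into { target, re }. A leading "@" (after an optional "^")
// marks an origin rule; everything else is a destination-URL rule.
function compileExceptions(lines) {
  return lines.map((line) => {
    const originRule = /^(\^?)@(.*)$/.exec(line);
    if (originRule) {
      return { target: "origin", re: new RegExp(originRule[1] + originRule[2]) };
    }
    return { target: "url", re: new RegExp(line) };
  });
}

const EXCEPTIONS = compileExceptions(EXCEPTION_LINES);

// A request is exempt from XSS filtering if any rule matches its own target.
function isExempt(url, origin, exceptions = EXCEPTIONS) {
  return exceptions.some(({ target, re }) =>
    re.test(target === "origin" ? origin : url)
  );
}

// Same check, additionally against the percent-decoded URL, so "%28"/"%29"
// are seen as "(" / ")". A malformed escape falls back to the raw URL.
function isExemptAfterDecoding(url, origin, exceptions = EXCEPTIONS) {
  let decoded = url;
  try {
    decoded = decodeURIComponent(url);
  } catch (e) {
    // e.g. a truncated "%A" in the query: keep the raw form
  }
  return isExempt(url, origin, exceptions) || isExempt(decoded, origin, exceptions);
}

// Constructed sample requests (the original post shows only a truncated URL).
const CHROME_ORIGIN = "chrome://browser/content/browser.xul"; // from the thread
const OTHER_ORIGIN = "http://example.test/page";              // made-up third-party page
const BOOKMARK_URL =
  "http://rochester.craigslist.org/search/sss?query=(rider|riding)+(lawn|mower)+(bagging|bagger)";
const ENCODED_URL =
  "http://rochester.craigslist.org/search/sss?query=%28rider%7Criding%29+%28lawn%7Cmower%29";
const UNRELATED_URL = "http://example.test/search?q=(a|b)";

console.log("bookmark from chrome origin: ", isExempt(BOOKMARK_URL, CHROME_ORIGIN));            // true (both rules)
console.log("bookmark URL from other page:", isExempt(BOOKMARK_URL, OTHER_ORIGIN));             // true (URL rule ignores origin)
console.log("encoded URL, raw match:      ", isExempt(ENCODED_URL, OTHER_ORIGIN));              // false
console.log("encoded URL, decoded match:  ", isExemptAfterDecoding(ENCODED_URL, OTHER_ORIGIN)); // true
console.log("unrelated URL, other origin: ", isExempt(UNRELATED_URL, OTHER_ORIGIN));            // false
console.log("any URL from chrome origin:  ", isExempt(UNRELATED_URL, CHROME_ORIGIN));           // true (origin rule)
```

Under this model the two lines differ in scope: the URL rule exempts every Craigslist search containing a parenthesis no matter which page initiated the request, while the origin rule exempts any destination as long as the request came from the browser UI itself (bookmark, URL bar) and leaves requests initiated by web pages under the filter. That is worth keeping in mind when choosing which of the two to add.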
Re: False XSS error on bookmark URL with ( or )
Thanks all! Both techniques worked but I went with barbaz's.
May your deeds return to you tenfold,
---Jason Olshefsky
Re: False XSS error on bookmark URL with ( or )
You're welcome. 
(I actually posted both replies. Sometimes I space on some possibilities and don't realize it until a lot later or it's pointed out.)