XSS question

gordon55y
Posts: 2
Joined: Mon Nov 09, 2009 8:20 pm

XSS question

Post by gordon55y »

barbaz,
I have a question about an XSS problem.
What was the XSS problem?
Is it that culturedfoodlife.com sent the name/email to aweber.com?

When I go to this web site:
http://www.culturedfoodlife.com/

There is an email request (free ebook) on the top right.
When I put in my name and email, and then submit, it has an error:
The connection was reset
This is because NS is blocking an XSS.

Here is the console output:

[NoScript InjectionChecker] JavaScript Injection in ##name (awf_first),name (awf_last),email
(function anonymous() {
name (awf_first),name (awf_last),email /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious upload to [http://www.aweber.com/scripts/addlead.pl###DATA###name+%28awf_first%29%2Cname+%28awf_last%29%2Cemail] from [http://www.culturedfoodlife.com/]: transformed into a download-only GET request.
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:344:1634

I have the following selected:
Turn cross site POST requests into GET requests

So I added the following to the XSS exceptions:
^http://www.aweber.com/scripts/addlead.pl
and NS no longer has an XSS error.

thanks
gordon
Mozilla/5.0 (Windows NT 6.0; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS question

Post by barbaz »

Splitting to a new topic because this isn't related to the other topic.
Feel free to pick a better topic title.
gordon55y wrote:
What was the XSS problem?
Is it that culturedfoodlife.com sent the name/email to aweber.com?

I think there is no "actual" XSS problem and you solved it the right way; it's just that that string looks like valid JavaScript, so NoScript took action.
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS question

Post by Thrawn »

Also, you should tighten your regular expression. Dots are wildcards, so currently it would match wwwxaweber.com and other such variations.
Try something like this:

^http://www\.aweber\.com/scripts/addlead\.pl
(You did make a really good effort, by the way).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
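Added example (not code from the thread's authors or from the NoScript project) that checks both points made above: the quoted form-field string compiles as JavaScript, which is what InjectionChecker reacted to, and the unescaped exception pattern also matches look-alike hosts where the escaped one does not. The look-alike URLs are constructed for the check.

```javascript
// The field string quoted in the NoScript console log above.
const FIELD_STRING = "name (awf_first),name (awf_last),email";

// Returns true when `text` is syntactically valid as a JavaScript
// function body. `new Function` only compiles the text; nothing in it
// is executed, so this is safe to run on untrusted input.
// FIELD_STRING parses as the comma expression
//   name(awf_first), name(awf_last), email
// which is why it "looks like valid JavaScript" to the checker.
function parsesAsJavaScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The two exception patterns from the thread: the original, where each
// unescaped "." matches any character, and Thrawn's escaped version.
const LOOSE_PATTERN = "^http://www.aweber.com/scripts/addlead.pl";
const TIGHT_PATTERN = "^http://www\\.aweber\\.com/scripts/addlead\\.pl";

// True when `url` is covered by the exception `pattern`.
function matchesException(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Constructed sample URLs: the real endpoint plus look-alikes in which
// one dot has been replaced by another character.
const SAMPLE_URLS = [
  "http://www.aweber.com/scripts/addlead.pl",
  "http://wwwxaweber.com/scripts/addlead.pl",
  "http://www.aweber-com/scripts/addlead.pl",
  "http://www.aweber.com/scripts/addleadXpl",
];

// Returns the subset of SAMPLE_URLS that `pattern` would exempt.
function coveredUrls(pattern) {
  return SAMPLE_URLS.filter((u) => matchesException(pattern, u));
}

console.log(parsesAsJavaScript(FIELD_STRING)); // true
console.log(coveredUrls(LOOSE_PATTERN).length); // 4: all look-alikes slip through
console.log(coveredUrls(TIGHT_PATTERN)); // only the real endpoint
```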