XSS protection on tinypic.com

Post by NJNP »

I'm having problems trying to upload pictures to tinypic.com. The normal upload uses a captcha which refuses to load for me at all. I don't know which of my plugins is blocking it (I run a bunch: Privacy Badger, Priv3, et al.), but I used to get around it with a Greasemonkey script which allows me to use a plugin upload mode which bypasses the captcha. Unfortunately NoScript has started blocking my picture uploads as malicious XSS (it seems to be freaked out about plugin.tinyscript.com) and I can't convince NoScript to stop blocking it with anything short of a full uninstall. Any suggestions?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Guest

Re: XSS protection on tinypic.com

Post by Guest »

This is what I get from the console:

[NoScript InjectionChecker] JavaScript Injection in ##OÅQA¶9æc\éœöˆÌpN҂õ@ÛÒ½òŒº˜ÆC†Á’e¨\bWõ7_îÔì[Č9£“•“ðv1
[NoScript XSS] Sanitized suspicious upload to [http://s9.tinypic.com/upload.php###DATA ... ¨\bWõ7_îÔì[Č9£“•“ðv1] from [http://tinypic.com/]: transformed into a download-only GET request.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS protection on tinypic.com

Post by barbaz »

I have no idea what NoScript sees in that jumbled mess.

While waiting for someone to give some insight, please try adding this XSS exception in NoScript Options > Advanced > XSS > Anti-XSS Protection Exceptions:

^https?://s\d+\.tinypic\.com/upload\.php
Does it help?

Do note that I really have no idea how safe the exception is. In suggesting the exception I'm assuming that the upload data NoScript doesn't like is part of an image from your own computer and is therefore probably OK.
*Always* check the changelogs BEFORE updating that important software!
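
One way to check how much the exception suggested above actually exempts, as an added example that is not part of the original posts: the script runs the pattern over constructed sample URLs and flags matches that are not exactly `/upload.php` on an `s<digits>.tinypic.com` host. It assumes the exception is tested against the request's destination URL; `TIGHTER` is a hypothetical narrower variant, not something proposed in the thread.

```javascript
// Pattern from the thread, written as a JavaScript regex literal.
const EXCEPTION = /^https?:\/\/s\d+\.tinypic\.com\/upload\.php/;
// Hypothetical tighter variant: the path must end right after "upload.php"
// (end of string, query string or fragment).
const TIGHTER = /^https?:\/\/s\d+\.tinypic\.com\/upload\.php(?:[?#]|$)/;

// Constructed sample URLs, not taken from real traffic.
const SAMPLE_URLS = [
  "http://s9.tinypic.com/upload.php",
  "https://s12.tinypic.com/upload.php?x=1",
  "http://s9.tinypic.com/upload.php5",
  "http://s9.tinypic.com/upload.php/extra",
  "http://tinypic.com/upload.php",
  "http://s9.tinypic.com.example.net/upload.php",
];

// Report whether a URL is exempted and whether that is broader than intended.
function auditUrl(pattern, rawUrl) {
  const exempt = pattern.test(rawUrl);
  let host = null;
  let path = null;
  try {
    const u = new URL(rawUrl);
    host = u.hostname;
    path = u.pathname;
  } catch (e) {
    // Unparsable URL: host and path stay null and count as unintended.
  }
  const intended = host !== null &&
    /^s\d+\.tinypic\.com$/.test(host) && path === "/upload.php";
  return { url: rawUrl, exempt, host, path, broader: exempt && !intended };
}

// URLs the pattern exempts that are not the intended upload endpoint.
function broaderMatches(pattern, urls) {
  return urls.map((u) => auditUrl(pattern, u))
    .filter((r) => r.broader)
    .map((r) => r.url);
}

for (const [name, pattern] of [["thread", EXCEPTION], ["tighter", TIGHTER]]) {
  console.log(name, "exempts beyond /upload.php:",
    broaderMatches(pattern, SAMPLE_URLS));
}
```

The host part of the thread's pattern is anchored (escaped dots, `/` directly after `.com`), so only the missing end-of-path anchor widens it.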
NJNP

Re: XSS protection on tinypic.com

Post by NJNP »

Okay, that did... something.

Instead of giving me a ribbon warning that NoScript had blocked an XSS attempt, I just get a message from Tinypic that the upload failed. But if I turn the "sanitize" and "turn cross-site" box options off, the upload works, which it didn't before I added your recipe.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0

Re: XSS protection on tinypic.com

Post by barbaz »

Hmm. With the exception in place and the two boxes checked, do you get any different message from NoScript in the Browser Console (Ctrl-Shift-J)?