XSS and reference manager

ezellohar

XSS and reference manager

Post by ezellohar »

Hello, I'm using the reference manager Endnote. It uses a script to import references into my personal database. When it tries to do its stuff, it's blocked by XSS protection.

Console reports this error:

Code:

Bloccato il caricamento di contenuto misto attivo (mixed active content) “http://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=editCap&WNToolbar=off&captureID=WvqqPArYHK0AAB8LM9c”

Should I write an exception in the XSS options? I hope to have provided all necessary information.
Thank you

PS: I tried to post the script but the antispam filter blocks me :D
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 11138
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and reference manager

Post by barbaz »

That console message looks unrelated to NoScript.

As a test, does disabling NoScript (Tools > Add-ons Manager > NoScript > Disable > Yes, remove ALL protections) get it working?
*Always* check the changelogs BEFORE updating that important software!
ezellohar

Re: XSS and reference manager

Post by ezellohar »

Yes, when disabled it works. It works even if I use the 'reload page without protection' under the XSS tab. That's why I posted it with the subject. How can I provide more information to analyze the problem?

Console also gives me this:

Code:

[NoScript XSS] Upload sospetto verso [https://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=capture###DATA###<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-style-type" content="text/css">
<meta http-equiv="content-language" content="en-gb">
<meta http-equiv="imagetoolbar" content="no">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="copyright" content="2000, 2002, 2005, 2007 phpBB Group">
<meta name="keywords" content="">
<meta name="description" content="">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7; IE=EmulateIE9">
<title>InformAction Forums • Post a reply</title>
<!--
	phpBB style name: prosilver
	Based on style:   prosilver (this is the default phpBB3 style)
	Original author:  Tom Beddard ( http://www.subBlue.com/ )
	Modified by:

	NOTE: This page was generated by phpBB, the free open-source bulletin board package.
	      
(this is trying the script here)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 11138
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and reference manager

Post by barbaz »

If you trust that Endnote is not vulnerable to XSS, try adding this line in NoScript Options > Advanced > XSS > Anti-XSS Protection Exceptions -

Code:

^https://www\.myendnoteweb\.com/Bookmarklet/Bookmarklet\.html\?

*Always* check the changelogs BEFORE updating that important software!
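
Added example, not part of the original thread or of NoScript's code: a scope check for the exception pattern suggested above, comparing it with two looser variants against constructed URLs. It assumes the exception is evaluated as a JavaScript regular expression against the full destination URL; the `LOOSE_PATTERNS` entries, the `auditPattern` helper and the `example.test` hosts are hypothetical.

```javascript
// Audit which destination URLs an Anti-XSS exception pattern would exempt.
// Assumption: the pattern is tested as a JavaScript RegExp against the full URL.

// Pattern suggested in the thread.
const THREAD_PATTERN = String.raw`^https://www\.myendnoteweb\.com/Bookmarklet/Bookmarklet\.html\?`;

// Hypothetical looser variants, for comparison only.
const LOOSE_PATTERNS = {
  unanchored: String.raw`myendnoteweb\.com`,
  unescapedDots: String.raw`^https://www.myendnoteweb.com/`,
};

// Constructed sample URLs. expectExempt marks the only destinations the
// exception is meant to cover: the HTTPS bookmarklet page with a query string.
const B = "/Bookmarklet/Bookmarklet.html?";
const SAMPLES = [
  { url: `https://www.myendnoteweb.com${B}func=capture`, expectExempt: true },
  // Any query content is exempt once the prefix matches, markup included.
  { url: `https://www.myendnoteweb.com${B}func=capture&d=<title>x</title>`, expectExempt: true },
  { url: `http://www.myendnoteweb.com${B}func=editCap`, expectExempt: false },
  { url: "https://www.myendnoteweb.com/other/page.html?q=1", expectExempt: false },
  { url: `https://www.myendnoteweb.com.example.test${B}x`, expectExempt: false },
  { url: `https://wwwXmyendnoteweb.com${B}x`, expectExempt: false },
  { url: `https://example.test/?next=https://www.myendnoteweb.com${B}x`, expectExempt: false },
];

// Returns URLs the pattern exempts but should not (overExempt) and URLs it
// should exempt but does not (missed).
function auditPattern(source, samples) {
  const re = new RegExp(source);
  const overExempt = [];
  const missed = [];
  for (const { url, expectExempt } of samples) {
    const exempt = re.test(url);
    if (exempt && !expectExempt) overExempt.push(url);
    if (!exempt && expectExempt) missed.push(url);
  }
  return { overExempt, missed };
}

const patterns = { thread: THREAD_PATTERN, ...LOOSE_PATTERNS };
for (const [name, source] of Object.entries(patterns)) {
  const { overExempt, missed } = auditPattern(source, SAMPLES);
  console.log(`${name}: over-exempt=${overExempt.length} missed=${missed.length}`);
  overExempt.forEach((u) => console.log(`  also exempts: ${u}`));
}
```

The second sample shows what the exception costs: every query string sent to the bookmarklet page bypasses the filter, which is why the suggestion is conditional on trusting that page.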