[Fixed] Noscript tag Meta Refresh Quoted url Redirect bug

Bug reports and enhancement requests
Post Reply
User avatar
juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am
Location: Lithuania
Contact:

[Fixed] Noscript tag Meta Refresh Quoted url Redirect bug

Post by juozas »

When scripting on target site is disabled and site contains meta refresh url with single quotes in the noscript tag, it redirects to wrong page such as original url + new url with quotes included that in many cases ends in 404 page.

When all addons are disabled page works ok and setting

Code: Select all

javascript.enabled
preference to false in

Code: Select all

about:config
when all addons disabled page redirects to correct page like it should do.

For example this Lithuanian site

Code: Select all

hxxp://wxw.numeris.info/869860104
redirects to

Code: Select all

hxxp://wxw.numeris.info/'hxxp://wxw.numeris.info/869860104?PageSpeed=noscript%27
which is a 404 page.
The offending tag is

Code: Select all

<noscript><meta HTTP-EQUIV="refresh" content="0;url='hxxp://wxw.numeris.info/869860104?PageSpeed=noscript'" /><style><!--table,div,span,font,p{display:none} --></style><div style="display:block">Please click <a href="hxxp://wxw.numeris.info/869860104?PageSpeed=noscript">here</a> if you are not redirected within a few seconds.</div></noscript>
In this example http in url replaced with hxxp and www replaced with wxw.

Edit: Fixed truncated noscript tag in above example.
Edit2: Bug fixed completely in AMO version 10.1.8.5

Noscript 10.1.8.2
Firefox 61.0.1
Ubuntu Linux 18.04 LTS, codename bionic
Last edited by juozas on Thu Jul 19, 2018 8:21 pm, edited 4 times in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by skriptimaahinen »

Can confirm. Needs sanitation of single quotes out of the url if present.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by Giorgio Maone »

Fix here (not released yet), thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by therube »

Will there be a similar fix for NoScript 5.x ?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by Giorgio Maone »

therube wrote:Will there be a similar fix for NoScript 5.x ?
Is NoScript 5 affected? As far as I can see there's already code there to handle quoted URLs...
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by therube »

Oops, you're right.

Been using different computers & different settings.
When I looked the other day, all seemed OK - as I remembered.
Looking again today, to confirm, it looped over to 'PageSpeed=noscript'.
But... I forgot to enable, 'Forbid META redirections inside <NOSCRIPT> elements.

Set correctly, all is well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Post by Giorgio Maone »

Fixed in latest development build, thanks.
v 10.1.8.3rc11
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x Fixed regression - popup first row not showing the active
preset initially
x [ESR60] Fixed some edge cases still breaking feeds
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am
Location: Lithuania
Contact:

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by juozas »

This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by therube »

Is that a typo? There is no 10.1.8.4 (currently).

(And theoretically, there should be no difference between 10.1.8.3 release & 10.1.8.3rc11 - except the update channel.)

(Don't remember offhand if I ever tested the testcase against 10.1.8.3rc11 ?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
User avatar
juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am
Location: Lithuania
Contact:

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by juozas »

Yes. 10.1.8.4 is posted in amo, as version in screenshot shows. Dunno what got messed up in the amo though :\
Image
Image
Also in actual amo page shows 10.1.8.4 not anything else, last screenshot taken 2018-07-16 18:05:07 (GMT+2, Summer time, Date time in the file name).
Last edited by juozas on Mon Jul 16, 2018 3:08 pm, edited 1 time in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by Giorgio Maone »

juozas wrote:This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\
Ops, you're right, the fix was partial. Will go in next release, sorry.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am
Location: Lithuania
Contact:

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by juozas »

So I'll have to "downgrade" to 10.1.8.3 when it gets fixed :D it appears that 10.1.8.3 was already out in amo before, so no need to downgrade to previous version, the right choice is to opgrade
Last edited by juozas on Mon Jul 16, 2018 7:11 pm, edited 2 times in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Post by Giorgio Maone »

juozas wrote:So I'll have to "downgrade" to 10.1.8.3 when it gets fixed :D
No, you actually need to upgrade to 10.1.8.5 ;)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: [Fixed] Noscript tag Meta Refresh Quoted url Redirect bu

Post by therube »

10.1.8.3rc11
http://www.numeris.info/869860104
rolls to
http://www.numeris.info/'http://www.numeris.info/869860104?PageSpeed=noscript%27

10.1.8.7
http://www.numeris.info/869860104
"rolls to"
http://www.numeris.info/869860104?PageSpeed=noscript


Which I guess is OK?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
User avatar
juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am
Location: Lithuania
Contact:

Re: [Fixed] Noscript tag Meta Refresh Quoted url Redirect bu

Post by juozas »

The second one is correct. The script that redirects when no scripting is enabled is in the most of pages on the domain, not just the number pages such as shown in the example, also other language mirrors are located on the top right location of the pages.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Post Reply