XSS warning on en.wikipedia.com

Ask for help about NoScript, no registration needed to post
Rollo
Junior Member
Posts: 26
Joined: Wed Dec 17, 2014 11:59 am

XSS warning on en.wikipedia.com

Post by Rollo »

Steps to reproduce:

1) Go to https://en.wikipedia.org/wiki/File:EE_C ... 60883).jpg
2) Click OR Middle Click OR Ctrl Click on the picture or any link for other resolutions
3) Get an XSS warning.

Console output:

Code:

[NoScript] [InjectionChecker]  JavaScript Injection in ///wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg
(function anonymous(
) {
wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Firefox 60.1.0esr on Debian GNU/Linux x86_64 (Mozilla binary tarball, not from distro repo) in a new clean profile, NoScript 10.1.8.17rc2 default configuration.
Same result for Firefox 61.0.2 release and Firefox 52.9.0esr/NoScript Classic 5.1.8.7rc3.

With Firefox 52.9 I didn't bother to test with a new clean profile...
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS warning on en.wikipedia.com

Post by barbaz »

I see it too.

Console messages from NoScript Classic -

Code:

[NoScript InjectionChecker] JavaScript Injection in ///wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg
(function anonymous(
) {
wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://upload.wikimedia.org/wikipedia/commons/0/08/EE_Canberra_instument_panel%2C_Midland_Air_Museum._%2812780760883%29.jpg] requested from [https://en.wikipedia.org/wiki/File:EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg]. Sanitized URL: [https://upload.wikimedia.org/wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._%2012780760883%20.jpg#256610889607651775].
I think this is a false positive.
*Always* check the changelogs BEFORE updating that important software!
-
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS warning on en.wikipedia.com

Post by Giorgio Maone »

barbaz wrote: I think this is a false positive.
It is. It is syntactically valid JavaScript, but just by chance.
Anyway, whitelisting cross-site requests from wikimedia.org to wikipedia.org should be fairly safe.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS warning on en.wikipedia.com

Post by barbaz »

Giorgio Maone wrote: It is. It is syntactically valid JavaScript, but just by chance.
Anyway, whitelisting cross-site requests from wikimedia.org to wikipedia.org should be fairly safe.
Thanks Giorgio. I added an XSS exception and it works.

I noticed that NoScript Classic already has a default XSS exception for Wikimedia -

Code:

^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$
So will another default XSS exception be added for this new Wikimedia case?
*Always* check the changelogs BEFORE updating that important software!
-
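The two facts this thread turns on, reproduced as an added example (not NoScript's code and not from any poster): Giorgio's point that the decoded image path compiles as JavaScript when wrapped the way the quoted console output shows, and barbaz's observation that the NoScript Classic default Wikimedia exception does not cover this upload.wikimedia.org request. The path, URL and default pattern are copied from the posts above; the helper names and the two candidate patterns at the end are this example's own assumptions, not NoScript defaults.

```javascript
// Added example, not NoScript's own code. Values below are taken verbatim from the
// console output and the exception regex quoted earlier in this thread.
const DECODED_PATH =
  "wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg";
const ORIGINAL_URL =
  "https://upload.wikimedia.org/wikipedia/commons/0/08/EE_Canberra_instument_panel%2C_Midland_Air_Museum._%2812780760883%29.jpg";
const CLASSIC_DEFAULT_EXCEPTION =
  /^https:\/\/secure\.wikimedia\.org\/wikipedia\/[a-z]+\/wiki\/[^"<>\?%]+$/;

// Mirror the wrapper seen in the console: the fragment becomes a function body
// followed by a comment terminator and a dummy expression. `new Function` only
// compiles the body and never calls it, so nothing in the fragment executes.
function parsesAsJavaScript(fragment) {
  try {
    new Function(fragment + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this example, not a parse result
  }
}

// Explain *why* the path parses: list the tokens a JS engine sees. "/" between
// identifiers and numbers is division, "," is the comma operator, "._(...)" is a
// property named "_" being called, and ".jpg" is a trailing property access.
// ("08" is accepted as the decimal 8 because a Function body is sloppy-mode code.)
function describeTokens(fragment) {
  return fragment
    .split(/(\/|,|\.|\(|\))/)
    .filter((t) => t !== "")
    .map((t) => {
      if (t === "/") return "division";
      if (t === ",") return "comma operator";
      if (t === ".") return "member access";
      if (t === "(") return "call open";
      if (t === ")") return "call close";
      if (/^\d+$/.test(t)) return `number ${t}`;
      return `identifier ${t}`;
    });
}

// Plain regex test of an exception pattern against the URL exactly as logged.
function coveredByException(url, pattern) {
  return pattern.test(url);
}

// Candidate exceptions for the host actually involved here. Both are this
// example's assumptions, not NoScript defaults. The first copies the default's
// character class, which excludes "%", so it cannot match a URL whose comma and
// parentheses arrive percent-encoded. The second drops "%" but still excludes
// "?", so a query string never falls under the exception.
const CANDIDATE_STRICT =
  /^https:\/\/upload\.wikimedia\.org\/wikipedia\/commons\/[^"<>\?%]+$/;
const CANDIDATE_RELAXED =
  /^https:\/\/upload\.wikimedia\.org\/wikipedia\/commons\/[^"<>\?]+$/;

function report() {
  return {
    pathParsesAsJs: parsesAsJavaScript(DECODED_PATH),
    // a path with a character JS cannot tokenize fails the same check
    garbageParsesAsJs: parsesAsJavaScript("a/b/@c"),
    tokens: describeTokens(DECODED_PATH),
    classicDefaultCovers: coveredByException(ORIGINAL_URL, CLASSIC_DEFAULT_EXCEPTION),
    candidateStrictCovers: coveredByException(ORIGINAL_URL, CANDIDATE_STRICT),
    candidateRelaxedCovers: coveredByException(ORIGINAL_URL, CANDIDATE_RELAXED),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows the decoded path compiling while a path containing `@` does not, the Classic default pattern failing on the host alone, and the percent-encoded characters in the logged URL deciding whether a copied character class matches. Whether NoScript applies exception patterns to the encoded or decoded form of a URL is not something this example determines; it only shows the regex facts.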