Trust URLs entered to address bar for XSS

Bug reports and enhancement requests
Post Reply
jtojnar
Posts: 1
Joined: Thu Aug 10, 2017 3:44 am

Trust URLs entered to address bar for XSS

Post by jtojnar » Mon Jan 07, 2019 5:52 am

When I enter the following URL into the address bar and press Enter, the dialogue below pops up:

Code: Select all

http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_python_devel.m4
NoScript XSS Warning

NoScript detected a potential Cross-Site Scripting attack

from [...] to http://git.savannah.gnu.org.

Suspicious data:

(URL) http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_python_devel.m4
Would it be possible to trust URLs entered through address bar and/or not block semicolons in URLs? I think some Perl apps use semicolons instead of ampersands for query strings and to support them is actually recommended by W3C.

NS: 10.2.2rc2
FF: 64.0

barbaz
Senior Member
Posts: 8908
Joined: Sat Aug 03, 2013 5:45 pm

Re: Trust URLs entered to address bar for XSS

Post by barbaz » Mon Jan 07, 2019 3:39 pm

jtojnar wrote:
Mon Jan 07, 2019 5:52 am
Would it be possible to trust URLs entered through address bar
If this is done, it needs to be an option, disabled by default. It would increase the attack surface, making it possible for haxxor to completely bypass NoScript's XSS filter through social engineering and/or giving the malicious link outside of the browser.
jtojnar wrote:
Mon Jan 07, 2019 5:52 am
not block semicolons in URLs?
The issue here is not just the use of semicolon. It is that the portion of the URL after the ? is syntactically valid JavaScript. Allowing things that look like that would allow real XSS.

-1
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:56.0; Waterfox) Gecko/20100101 Firefox/56.2.6

Post Reply