Page 1 of 1

XSS issues

Posted: Mon Mar 11, 2013 3:43 am
by Trognar
In the most recent (or at least my most recent) update, the addition of XSS protection has lead to a large number of headaches. Most prominently, I can no longer use the advanced features of

Code: Select all

www dot wolframalpha dot com
Despite my best efforts, I cannot disable it as the FAQ has directed me to and my knowledge of computer languages is not sufficient to add it to the allowed XSS list. I do not wish to disable/remove this add-in, but it is getting to the point where I may have to if I cannot find an alternative. Therefore, I am kindly asking for some sort of foolproof method of either disabling XSS protection (temporarily or otherwise) or a method of properly adding this site to the XSS safe list.

Re: XSS issues

Posted: Mon Mar 11, 2013 5:08 am
by Tom T.
Please provide exact steps to reproduce an XSS error. (II couldn't.) Then open Firefox Error Console (Ctrl+Shift+J), click the blue "Messages" icon, and copy/paste here any messages relating to NoScript. Especially those that start with [XSS]. (Note: If the spam filter trips, try enclosing the messages in

Code: Select all

 tags.)

The FAQ describes how to disable XSS protection easily with a single checkbox. Unless you can show these error messages, there is a strong inference here that this is an attempt to spam for the web site in question. Thank you.

Re: XSS issues

Posted: Mon Mar 11, 2013 6:10 am
by Trognar
Yes, I realize there are instructions to disable the XSS protection and those are the exact instructions I followed in an attempt to disable them. It made no difference as NoScript continually told me it had "filtered a potential cross-site scripting (XSS) attempt from [http://www.wolframalpha.com]" and that "technical details have been logged into the console."
As for error messages, the only things I get are in the warnings tab of the Firefox Error Console. These are 3 that appear to loop with one another when attempting to use features such as "step-by-step solution" and "sign in" on the website in question:

Timestamp: 11/03/2013 12:06:43 AM
Warning: Error in parsing value for 'background'. Declaration dropped.
Source File: http://www.wolframalpha.com/compress/cs ... ed-min.css
Line: 1

Timestamp: 11/03/2013 12:06:43 AM
Warning: Expected colour but found 'top'. Error in parsing value for 'background'. Declaration dropped.
Source File: http://www.wolframalpha.com/compress/cs ... ed-min.css
Line: 1

Timestamp: 11/03/2013 12:06:43 AM
Warning: Error in parsing value for 'filter'. Declaration dropped.
Source File: http://www.wolframalpha.com/compress/cs ... ed-min.css
Line: 1

Any assistance you could provide based upon this would be appreciated.

Re: XSS issues

Posted: Mon Mar 11, 2013 6:13 am
by Thrawn
If you have disabled XSS protection, and it's still in effect, then please try a clean profile, as something is clearly going wrong with your old one.

Re: XSS issues

Posted: Mon Mar 11, 2013 10:53 pm
by Tom T.
Also, it would still be helpful to us if we could see this happening ourselves. As requested, please provide an exact set of steps to make the XSS message appear.

Navigate to what site?
Click what link(s)?
Fill in what blanks with what?
Et cetera -- until the XSS message shows.

Then we can do exactly what you did, and see what happens. Thank you.