
NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:04 pm
by Jim Too
If I enable TimesPeople on my NYTimes.com account and follow someone, I get a large "[NoScript XSS]: sanitized window.name" entry in the error console when I am on the nytimes.com pages except when I am on "http://timespeople.nytimes.com/". I am not sure how to write an anti-xss exception rule. Note: if you don't follow anyone there isn't a problem. This should be reproducible but I can PM you the entire noscript xss entry from the error console if needed.

NoScript 1.9.5.6

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:08 pm
by Giorgio Maone
Besides the console entry, have you got any other problem?
window.name sanitization is logged on the console for troubleshooting purposes, but it doesn't get notified because it usually causes no inconvenience to users.

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:12 pm
by Jim Too
The feature doesn't work at all when XSS is enabled. The list of articles never appears (in fact the entire timespeople bar across the top of the page never fills). I looked at the error console to see if the reason it wasn't working was something being blocked, which is when I found the noscript entry. When I disable XSS then the feature works.

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:17 pm
by Giorgio Maone
OK, could you please show me the whole message?

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:20 pm
by Jim Too
Error Console message sent via PM.

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:25 pm
by Giorgio Maone
OK, they're clearly crazy.
They're stuffing a lot of JSON data in window.name. I bet it's extremely vulnerable to XSS.
However I'll try to put a reasonable work-around in next dev build, stay tuned.
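
Added example, not part of the original thread and not NoScript's or the site's code: `window.name` survives navigation across origins, so a page that uses it as a JSON channel has to treat its content as untrusted input. The payload shape (`user`, `articles` with `title` and `url`) and all function names below are assumptions made for illustration.

```javascript
// Assumed payload: {"user": string, "articles": [{"title": string, "url": string}]}
const MAX_LEN = 64 * 1024; // arbitrary size cap chosen for this example

// Accept only absolute http(s) URLs; javascript:, data: and relative values fail.
function isSafeHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Returns a validated copy of the payload, or null if anything is unexpected.
function readWindowNamePayload(rawName) {
  if (typeof rawName !== "string") return null;
  if (rawName.length === 0 || rawName.length > MAX_LEN) return null;
  let data;
  try {
    data = JSON.parse(rawName); // strict JSON only, never eval() or new Function()
  } catch (e) {
    return null;
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.user !== "string" || !Array.isArray(data.articles)) return null;
  const articles = [];
  for (const a of data.articles) {
    if (a === null || typeof a !== "object") return null;
    if (typeof a.title !== "string" || typeof a.url !== "string") return null;
    if (!isSafeHttpUrl(a.url)) return null;
    articles.push({ title: a.title, url: a.url }); // copy known fields only
  }
  return { user: data.user, articles };
}

// Constructed sample values (not taken from the thread).
const GOOD = '{"user":"jim","articles":[{"title":"Headline","url":"https://www.nytimes.com/a"}]}';
const EVAL_STYLE = '({"user":"jim","articles":[]})'; // valid for eval(), not valid JSON
const BAD_URL = '{"user":"jim","articles":[{"title":"t","url":"javascript:void(0)"}]}';
```

In a browser the call would be `readWindowNamePayload(window.name)`, with the returned strings written to the page through `textContent` rather than `innerHTML`.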

Re: NYTimes TimesPeople Vs. XSS

Posted: Mon Jul 06, 2009 4:28 pm
by Jim Too
Thank you.
Jim