barbaz wrote:Could you please post here the NoScript XSS message from the Browser Console? (Ctrl-Shift-J)
Code: Select all
[NoScript ClearClick] Swallowed event mousedown on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript ClearClick] Swallowed event mouseup on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript ClearClick] Swallowed event click on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript InjectionChecker] HTML injection:
<img
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\0\/]|['"])(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\0]*=
[NoScript XSS] Sanitized suspicious upload to [http://fiddle.jshell.net/_display/###DATA###PGltZyBzcmM9Imh0dHA6Ly9sLnlpbWcuY29tL3VzLnlpbWcuY29tL2kvbWVzZy9lbW90aWNvbnM3LzEuZ2lmIiBhbHQ9ImhhcHB5Ij4KCjxpbWcgc3JjPSJodHRwOi8vbC55aW1nLmNvbS91cy55aW1nLmNvbS9pL21lc2cvZW1vdGljb25zNy8yLmdpZiIgYWx0PSJzYWQiPgoKPGltZyBzcmM9Imh0dHA6Ly9sLnlpbWcuY29tL3VzLnlpbWcuY29tL2kvbWVzZy9lbW90aWNvbnM3LzMuZ2lmIiBhbHQ9IndpbmtpbmciPgoKPGltZyBzcmM9Imh0dHA6Ly9sLnlpbWcuY29tL3VzLnlpbWcuY29tL2kvbWVzZy9lbW90aWNvbnM3LzQuZ2lmIiBhbHQ9ImJpZyBncmluIj4KCjxpbWcgc3JjPSJodHRwOi8vbC55aW1nLmNvbS91cy55aW1nLmNvbS9pL21lc2cvZW1vdGljb25zNy81LmdpZiIgYWx0PSJiYXR0aW5nIGV5ZWxhc2hlcyI%2BCgo8aW1nIHNyYz0iaHR0cDovL2wueWltZy5jb20vdXMueWltZy5jb20vaS9tZXNnL2Vtb3RpY29uczcvNi5naWYiIGFsdD0iYmlnIGh1ZyI%2B] from [http://jsfiddle.net/]: transformed into a download-only GET request.
The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature. _display
Code: Select all
^@http://jsfiddle\.net/.*$Code: Select all
^https?://fiddle\.jshell\.net/_display/Because passing HTML fragments as part of cross-site requests is screaming potential XSS vulnerability.erosman wrote:The point is NOT to add exceptions. The point is why it is blocking it in the first place.