Whitelisted scripts still being blocked. Code shows on page.

Dr_Morbius
Posts: 3
Joined: Sat Mar 28, 2015 5:02 pm

Whitelisted scripts still being blocked. Code shows on page.

Post by Dr_Morbius »

On many websites NoScript will break a script even if it's whitelisted and show the actual script code on the website. This happens even if I allow scripts globally, and the only way to stop it is to disable NoScript. It's really annoying because it clutters the page with JavaScript code. Anyone know how to stop this?
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by barbaz »

URL where this occurs? (Wrap it in url tags so the board doesn't break your link, like this:)

Code: Select all

[url]link here[/url]
When this happens, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
Dr_Morbius
Posts: 3
Joined: Sat Mar 28, 2015 5:02 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by Dr_Morbius »

I brought up the browser console, turned off CSS errors and this is what's left:
It's happening right now on AV Club.

http://www.avclub.com

Code: Select all

lpmanuallogins.length is 0
nsIJSON.decode is deprecated.  Please use JSON.parse instead. noscriptService.js:3142:0
[NoScript InjectionChecker] Obfuscated string literal
[NoScript XSS]: sanitized window.name, "1-0-2;20423;<!doctype html><html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,a)},w=f
http://tpc.googlesyndication.com/safefr ... avclub.com
about:blank
nsIJSON.decode is deprecated.  Please use JSON.parse instead. noscriptService.js:3142:0
[NoScript InjectionChecker] HTML injection:
<body 
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|['"\s\0\/](?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|i(?:s(?:c(?:o(?:verystatechanged|nnect(?:ing|ed))|hargingtimechange)|abled)|aling)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rol(?:lerchange|select)|extmenu)|nect(?:ing|ed)?)|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|l(?:i(?:rmodechange|ck)|ose)|(?:fstate|ell)change|u(?:echange|t))|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ize|et)|ad(?:ystatechange|success|error)|mo(?:te(?:resume|hel)d|vetrack)|questmediaplaystatus|pea(?:tEven)?t|loadpage|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|(?:adiost)?atechange)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:(?:lec(?:tstar)?)?t|ek(?:ing|ed)|n(?:ding|t))|pe(?:akerforcedchange|ech(?:start|end))|c(?:ostatuschanged|roll)|u(?:ccess|spend|bmit)|ound(?:start|end)|how)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|p(?:o(?:inter(?:(?:lea|mo)ve|o(?:ver|ut)|cancel|enter|down|up)|p(?:up(?:hid(?:den|ing)|show(?:
ing|n))|state))|a(?:i(?:redstatuschanged|nt)|ge(?:hide|show)|(?:st|us)e)|ro(?:pertychange|gress)|endingchange|lay(?:ing)?)|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load|interruptbegin)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennaavailablechange)|fter(?:(?:scriptexecu|upda)te|print)|d(?:apter(?:remov|add)ed|dtrack)|(?:2dpstatus|ttribute)changed|udio(?:process|start|end)|ctivate|lerting|bort)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|e(?:ditfocus|victed)|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut))|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ypechange|ext)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|s(?:tpointer|e)capture)|(?:anguage|evel)change|y)|e(?:m(?:ergencycbmodechange|ptied)|n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|victed|xit)|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|requencychange|ailed|etch)|u(?:p(?:date(?:found|ready)|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|o(?:(?:tastatuschang|(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|h(?:e(?:adphoneschange|l[dp])|fpstatuschanged|ashchange|olding)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|v(?:o(?:lum|ic)e|ersion)change|n(?:o(?:update|match)|eedkey)|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=
[NoScript XSS]: sanitized window.name, "1-0-2;20765;<!doctype html><html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,a)},w=f
http://tpc.googlesyndication.com/safefr ... avclub.com
about:blank
nsIJSON.decode is deprecated.  Please use JSON.parse instead. noscriptService.js:3142:0
[NoScript InjectionChecker] Obfuscated string literal
[NoScript XSS]: sanitized window.name, "1-0-2;24846;<!doctype html><html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,a)},w=f
http://tpc.googlesyndication.com/safefr ... avclub.com
about:blank
nsIJSON.decode is deprecated.  Please use JSON.parse instead. noscriptService.js:3142:0
[NoScript InjectionChecker] HTML injection:
<body 
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|['"\s\0\/](?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|i(?:s(?:c(?:o(?:verystatechanged|nnect(?:ing|ed))|hargingtimechange)|abled)|aling)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rol(?:lerchange|select)|extmenu)|nect(?:ing|ed)?)|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|l(?:i(?:rmodechange|ck)|ose)|(?:fstate|ell)change|u(?:echange|t))|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ize|et)|ad(?:ystatechange|success|error)|mo(?:te(?:resume|hel)d|vetrack)|questmediaplaystatus|pea(?:tEven)?t|loadpage|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|(?:adiost)?atechange)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:(?:lec(?:tstar)?)?t|ek(?:ing|ed)|n(?:ding|t))|pe(?:akerforcedchange|ech(?:start|end))|c(?:ostatuschanged|roll)|u(?:ccess|spend|bmit)|ound(?:start|end)|how)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|p(?:o(?:inter(?:(?:lea|mo)ve|o(?:ver|ut)|cancel|enter|down|up)|p(?:up(?:hid(?:den|ing)|show(?:
ing|n))|state))|a(?:i(?:redstatuschanged|nt)|ge(?:hide|show)|(?:st|us)e)|ro(?:pertychange|gress)|endingchange|lay(?:ing)?)|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load|interruptbegin)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennaavailablechange)|fter(?:(?:scriptexecu|upda)te|print)|d(?:apter(?:remov|add)ed|dtrack)|(?:2dpstatus|ttribute)changed|udio(?:process|start|end)|ctivate|lerting|bort)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|e(?:ditfocus|victed)|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut))|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ypechange|ext)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|s(?:tpointer|e)capture)|(?:anguage|evel)change|y)|e(?:m(?:ergencycbmodechange|ptied)|n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|victed|xit)|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|requencychange|ailed|etch)|u(?:p(?:date(?:found|ready)|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|o(?:(?:tastatuschang|(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|h(?:e(?:adphoneschange|l[dp])|fpstatuschanged|ashchange|olding)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|v(?:o(?:lum|ic)e|ersion)change|n(?:o(?:update|match)|eedkey)|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=
[NoScript XSS]: sanitized window.name, "1-0-2;20764;<!doctype html><html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,a)},w=f
http://tpc.googlesyndication.com/safefr ... avclub.com
about:blank
nsIJSON.decode is deprecated.  Please use JSON.parse instead. noscriptService.js:3142:0
[NoScript InjectionChecker] HTML injection:
<body 
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|['"\s\0\/](?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|i(?:s(?:c(?:o(?:verystatechanged|nnect(?:ing|ed))|hargingtimechange)|abled)|aling)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rol(?:lerchange|select)|extmenu)|nect(?:ing|ed)?)|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|l(?:i(?:rmodechange|ck)|ose)|(?:fstate|ell)change|u(?:echange|t))|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ize|et)|ad(?:ystatechange|success|error)|mo(?:te(?:resume|hel)d|vetrack)|questmediaplaystatus|pea(?:tEven)?t|loadpage|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|(?:adiost)?atechange)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:(?:lec(?:tstar)?)?t|ek(?:ing|ed)|n(?:ding|t))|pe(?:akerforcedchange|ech(?:start|end))|c(?:ostatuschanged|roll)|u(?:ccess|spend|bmit)|ound(?:start|end)|how)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|p(?:o(?:inter(?:(?:lea|mo)ve|o(?:ver|ut)|cancel|enter|down|up)|p(?:up(?:hid(?:den|ing)|show(?:
ing|n))|state))|a(?:i(?:redstatuschanged|nt)|ge(?:hide|show)|(?:st|us)e)|ro(?:pertychange|gress)|endingchange|lay(?:ing)?)|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load|interruptbegin)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennaavailablechange)|fter(?:(?:scriptexecu|upda)te|print)|d(?:apter(?:remov|add)ed|dtrack)|(?:2dpstatus|ttribute)changed|udio(?:process|start|end)|ctivate|lerting|bort)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|e(?:ditfocus|victed)|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut))|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ypechange|ext)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|s(?:tpointer|e)capture)|(?:anguage|evel)change|y)|e(?:m(?:ergencycbmodechange|ptied)|n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|victed|xit)|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|requencychange|ailed|etch)|u(?:p(?:date(?:found|ready)|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|o(?:(?:tastatuschang|(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|h(?:e(?:adphoneschange|l[dp])|fpstatuschanged|ashchange|olding)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|v(?:o(?:lum|ic)e|ersion)change|n(?:o(?:update|match)|eedkey)|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=
[NoScript XSS]: sanitized window.name, "1-0-2;21117;<!doctype html><html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,a)},w=f
http://tpc.googlesyndication.com/safefr ... avclub.com
about:blank
lpmanuallogins.length is 0
lpmanuallogins.length is 0
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.
Last edited by barbaz on Sun Mar 29, 2015 6:59 pm, edited 1 time in total.
Reason: Wrap console messages in code tags (note: links were previously broken by the board)
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by barbaz »

viewtopic.php?f=7&t=20358
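That is really dangerous and the XSS filter is saving you. Your console messages show an entire HTML document, script included, being handed to the ad frame through window.name, and that is the value NoScript sanitized. Whatever site is doing that is screaming to the entire Internet, "I'm vulnerable to XSS, so please XSS me, it would be much appreciated! Thanks!"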

Nothing to be done there except try to block requests outright with ABE. See what the following does.
NoScript Options > Advanced > ABE > USER

Code: Select all

# Block every request to this host outright, not only script execution from it.
Site tpc.googlesyndication.com
Deny
EDIT: I see you edited your post on me and the board broke the links in your error messages. In future, please post console messages inside code tags so that doesn't happen, like this:

Code: Select all

[code]paste here
[/code]
*Always* check the changelogs BEFORE updating that important software!
-
Dr_Morbius
Posts: 3
Joined: Sat Mar 28, 2015 5:02 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by Dr_Morbius »

Ok, that worked but how do I get rid of that ABE error message?

I can also just block googlesyndication too and not have to worry about ABE.

This started happening recently. Why does the XSS filtering show the code on the web page??
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by barbaz »

The ABE notification is a known bug.
Dr_Morbius wrote:I can also just block googlesyndication too and not have to worry about ABE.
Not so sure.. script-blocking != completely blocking. Is script-blocking googlesyndication enough to stop this whole deal?
Dr_Morbius wrote:This started happening recently. Why does the XSS filtering show the code on the web page??
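Probably just a byproduct of the way that site is designed: the ad frame builds its page out of whatever text is in window.name, so once the filter has altered that text, what is left presumably no longer parses as markup and is displayed as plain text instead.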
*Always* check the changelogs BEFORE updating that important software!
-
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Whitelisted scripts still being blocked. Code shows on p

Post by Thrawn »

If it bothers you, then you could try blocking with the hosts file instead.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by barbaz »

Or use the workaround mentioned in that thread...

Code: Select all

# Workaround variant: "Deny INC" matches inclusion requests (content this host
# would supply as part of another page); the bare "Deny" covers every other request.
# NOTE(review): presumably the split is what avoids the ABE notification - confirm in the linked thread.
Site tpc.googlesyndication.com
Deny INC
Deny
*Always* check the changelogs BEFORE updating that important software!
-
kmarple1
Posts: 1
Joined: Tue Apr 07, 2015 6:30 am

Re: Whitelisted scripts still being blocked. Code shows on p

Post by kmarple1 »

I'm having a similar problem but with very different code showing. If doubleclick.net is whitelisted (don't judge me), some (but not all) of their iframe ads will be replaced with code that appears to be from the linked HTML document.

The square ad on this page does it fairly often: http://myanimelist.net/anime/9062/Angel_Beats!_Specials

I also took a screenshot:
Image

Finally, if I view the frame source, I get the following:

Code: Select all

<!DOCTYPE html>
<html>
  <head>
    <title>SafeFrame Container</title>
  </head>
  <body>
    <iframe id='google_pubads_beacon_iframe' name='google_pubads_beacon_iframe' style="display: none; width: 0px; height: 0px;"></iframe>
    <script>
      
/*
 * Review note on the minified script below.
 *
 * Helper section: a typeof-style classifier (d), a trim and a compare helper
 * (f, g), user-agent sniffing (p, q, t, u), a dotted-version comparison (y)
 * and Flash plugin detection (C, D).
 *
 * Security-relevant section (the last try block):
 *   - window.name is matched against /^([^;]+);(\d+);([\s\S]*)$/.
 *   - The second field is parsed as a length; that many characters of the
 *     third field become this frame's document.
 *   - When `da` is true (Gecko, WebKit, or Trident/MSIE passing the y(11)
 *     version check) this is done with document.open / write / close;
 *     otherwise the text is stored in window.goog_content and loaded with
 *     location.replace on a javascript: URL.
 *   - Nothing visible in this listing checks where window.name came from or
 *     what markup it carries before it is written; the first field of the
 *     match is not used here. Any such validation would have to live outside
 *     this file.
 *   - The empty catch means a malformed window.name fails silently.
 *
 * Last statement: the google_pubads_beacon_iframe element is removed.
 */
(function(){var c=this,d=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;var e=Object.prototype.toString.call(a);if("[object Window]"==e)return"object";if("[object Array]"==e||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==e||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";
else if("function"==b&&"undefined"==typeof a.call)return"object";return b};var f=String.prototype.trim?function(a){return a.trim()}:function(a){return a.replace(/^[\s\xa0]+|[\s\xa0]+$/g,"")},g=function(a,b){return a<b?-1:a>b?1:0};var h;r:{var m=c.navigator;if(m){var n=m.userAgent;if(n){h=n;break r}}h=""};var p=-1!=h.indexOf("Opera")||-1!=h.indexOf("OPR"),q=-1!=h.indexOf("Trident")||-1!=h.indexOf("MSIE"),t=-1!=h.indexOf("Gecko")&&-1==h.toLowerCase().indexOf("webkit")&&!(-1!=h.indexOf("Trident")||-1!=h.indexOf("MSIE")),u=-1!=h.toLowerCase().indexOf("webkit"),v=function(){var a=c.document;return a?a.documentMode:void 0},w=function(){var a="",b;if(p&&c.opera)return a=c.opera.version,"function"==d(a)?a():a;t?b=/rv\:([^\);]+)(\)|;)/:q?b=/\b(?:MSIE|rv)[: ]([^\);]+)(\)|;)/:u&&(b=/WebKit\/(\S+)/);b&&(a=(a=
b.exec(h))?a[1]:"");return q&&(b=v(),b>parseFloat(a))?String(b):a}(),x={},y=function(a){var b;if(!(b=x[a])){b=0;for(var e=f(String(w)).split("."),P=f(String(a)).split("."),X=Math.max(e.length,P.length),r=0;0==b&&r<X;r++){var Y=e[r]||"",Z=P[r]||"",aa=RegExp("(\\d*)(\\D*)","g"),ba=RegExp("(\\d*)(\\D*)","g");do{var k=aa.exec(Y)||["","",""],l=ba.exec(Z)||["","",""];if(0==k[0].length&&0==l[0].length)break;b=g(0==k[1].length?0:parseInt(k[1],10),0==l[1].length?0:parseInt(l[1],10))||g(0==k[2].length,0==l[2].length)||
g(k[2],l[2])}while(0==b)}b=x[a]=0<=b}return b},z=c.document,ca=z&&q?v()||("CSS1Compat"==z.compatMode?parseInt(w,10):5):void 0;var A;if(!(A=!t&&!q)){var B;if(B=q)B=q&&9<=ca;A=B}A||t&&y("1.9.1");q&&y("9");var da=t||u||q&&y(11);var C=!1,D=function(a){if(a=a.match(/[\d]+/g))a.length=3};
if(navigator.plugins&&navigator.plugins.length){var E=navigator.plugins["Shockwave Flash"];E&&(C=!0,E.description&&D(E.description));navigator.plugins["Shockwave Flash 2.0"]&&(C=!0)}else if(navigator.mimeTypes&&navigator.mimeTypes.length){var F=navigator.mimeTypes["application/x-shockwave-flash"];(C=F&&F.enabledPlugin)&&D(F.enabledPlugin.description)}else try{var G=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7"),C=!0;D(G.GetVariable("$version"))}catch(ea){try{G=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6"),
C=!0}catch(fa){try{G=new ActiveXObject("ShockwaveFlash.ShockwaveFlash"),C=!0,D(G.GetVariable("$version"))}catch(ga){}}};var ha=/^([^;]+);(\d+);([\s\S]*)$/;try{var H=ha.exec(window.name);if(null===H)throw Error("Cannot parse serialized data to extract content");var I=parseInt(H[2],10);if(I>H[3].length)throw Error("Cannot parse serialized data to extract content");var J=H[3].substr(0,I),K=window;if(da){var L=K.document;L.open("text/html","replace");L.write(J);L.close()}else{var M=J,N;if(N=q&&y(7)&&!y(10)){var O=navigator.userAgent.match(/Trident\/([0-9]+.[0-9]+)/);N=6>(O?parseFloat(O[1]):0)}var Q;if(Q=N)r:{for(var R=0;R<M.length;++R)if(127<M.charCodeAt(R)){Q=
!0;break r}Q=!1}if(Q){for(var S=unescape(encodeURIComponent(M)),T=Math.floor(S.length/2),U=[],V=0;V<T;++V)U[V]=String.fromCharCode(256*S.charCodeAt(2*V+1)+S.charCodeAt(2*V));1==S.length%2&&(U[T]=S.charAt(S.length-1));M=U.join("")}K.goog_content=M;K.location.replace("javascript:window.goog_content")}}catch(ia){}var W=document.getElementById("google_pubads_beacon_iframe");W&&W.parentNode.removeChild(W);})();
    </script>
  </body>
</html>
It's pretty clear that characters are being stripped. I'd expect this with URLs (FAQ 4.2), but not with the actual code of a page. There's also code visible on the page that doesn't seem to be in the source, but most of it seems to match up.

EDIT: Turning off both "Sanitize cross-site suspicious requests" and "Turn cross-site POST requests into data-less GET requests" under XSS options seems to "fix" the problem, but both need to be disabled to make a difference. For obvious reasons, I don't actually want to do this.

So, I suppose it boils down to this: is this intentional behavior (sanitizing code in addition to URLs), or a bug of some kind?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisted scripts still being blocked. Code shows on p

Post by barbaz »

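It's intentional behavior. The website is passing that entire document into window.name, and the frame source you posted reads window.name back and writes it into the document as HTML. window.name is not bound to an origin (it is set by whoever creates or navigates the frame), so it can be spoofed by attackers for XSS, and NoScript is saving you.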

"SafeFrame Container"... LOL :lol:
*Always* check the changelogs BEFORE updating that important software!
-