InformAction Forums

A frustrating discovery: NoScript generates a false-positive XSS error when a bookmark's URL contains parentheses "(" or ")", or the sanitized %28 or %29. It thinks there's JavaScript code embedded in the URL. This happened to me with a bookmarked Craigslist search for "(rider|riding)+(lawn|mower)+(bagging|bagger)" which ends up looking like "http://rochester.craigslist.org/search/ ... ng|bagger)".

I tried allowing the "requested from" of the XSS per the console—chrome://browser/content/browser.xul—but that didn't work. I didn't think it would be wise to whitelist Craigslist search ... basically it would be gambling that a potential exploit (admittedly as unlikely as it would be) would not happen.

You might want to check if the site is actually vulnerable to XSS before making exception for it.
If you choose to do that, disable the XSS filter (un-check everything in NoScript Options > Advanced > XSS), search for something like and see what happens?
(If you don't get an alert thrown in your face, but just a search, you're probably fine.)
Make sure to re-enable XSS filtering afterwards!

Anyway, if you're comfortable with it, try this XSS exception?
NoScript Options > Advanced > XSS This allows any craigslist search with parenthesis in the query to be exempt from XSS checking.

(I'm not sure if those parentheses at the end need to be escaped - if so it'd be \(\) instead of () . If what I posted doesn't work verbatim try that?)

Or.. see the sticky for how to whitelist origin of request, it'd look like this: offtopic: I find your website interesting

Thanks all! Both techniques worked but I went with barbaz's.

You're welcome.
(I actually posted both replies. Sometimes I space on some possibilities and don't realize it until a lot later or it's pointed out.)