XSS question
Posted: Sun Jul 26, 2015 6:43 pm
barbaz,
I have a question about an XSS problem.
What was the XSS problem?
Is it that culturedfoodlife.com sent the name/email to aweber.com?
When I go to this web site:
http://www.culturedfoodlife.com/
There is an email request (free ebook) on the top right.
When I put in my name and email, and then submit, it has an error:
The connection was reset
This is because NS is blocking an XSS.
Here is console:
[NoScript InjectionChecker] JavaScript Injection in ##name (awf_first),name (awf_last),email
(function anonymous() {
name (awf_first),name (awf_last),email /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious upload to [http://www.aweber.com/scripts/addlead.pl###DATA###name+%28awf_first%29%2Cname+%28awf_last%29%2Cemail] from [http://www.culturedfoodlife.com/]: transformed into a download-only GET request.
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:344:1634
I have the following selected:
"Turn cross site POST requests into GET requests"
So I added the following to the XSS exceptions:
^http://www.aweber.com/scripts/addlead.pl
and NS no longer has an XSS error.
thanks
gordon
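The InjectionChecker line in the console above shows NoScript wrapping the suspect POST data in a dummy function body and treating it as JavaScript. What follows is an added example, not part of the post and not NoScript's own code: it reproduces only that parse step, pulls the suspect data back out of the logged ###DATA### URL, and checks whether aweber's field names compile as JavaScript. The COMMENT_TERMINATOR / DUMMY_EXPR wrapper is copied from the log line; the comparison input without parentheses and the sample e-mail address are constructed for the demonstration. NoScript's real checker applies further filters before and after this step, so "true" here means only that the text is syntactically valid JavaScript, which is exactly what the parentheses in "name (awf_first)" cause: they turn each field name into a function call.

```javascript
// Added example (not NoScript's code): reproduce the parse step that the
// "[NoScript InjectionChecker]" log line shows, to see why aweber's
// form-field names trip it. Only the wrapper text is taken from the log;
// NoScript's real InjectionChecker runs many more filters around this step.

// The "Sanitized suspicious upload" log line carries the suspect POST data
// after a "###DATA###" marker, still URL-encoded. Pull it out and decode it.
function extractPostData(logUrl) {
  const marker = "###DATA###";
  const i = logUrl.indexOf(marker);
  if (i < 0) return null;
  // application/x-www-form-urlencoded encodes a space as '+'.
  return decodeURIComponent(logUrl.slice(i + marker.length).replace(/\+/g, " "));
}

// Wrap the suspect text the way the console output shows and ask the JS
// engine whether it compiles. The trailing comment closes any comment the
// payload left open, and DUMMY_EXPR completes a dangling operator, so those
// cases still compile (my reading of the wrapper, not NoScript documentation).
// new Function() only compiles; the function is never called, so nothing in
// the payload executes.
function parsesAsJavaScript(suspect) {
  const body = suspect + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR";
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The URL from the "[NoScript XSS] Sanitized suspicious upload" line above.
const LOGGED_URL =
  "http://www.aweber.com/scripts/addlead.pl###DATA###name+%28awf_first%29%2Cname+%28awf_last%29%2Cemail";

const AWEBER_FIELDS = extractPostData(LOGGED_URL);
// -> "name (awf_first),name (awf_last),email"

// Constructed comparison inputs (not from the page).
const SAME_FIELDS_NO_PARENS = "name awf_first,name awf_last,email";
const TYPICAL_VALUE = "gordon@example.com";

// Returns which inputs compile as JavaScript under the wrapper.
function report() {
  return {
    aweberFields: parsesAsJavaScript(AWEBER_FIELDS),          // true
    withoutParens: parsesAsJavaScript(SAME_FIELDS_NO_PARENS), // false
    typicalValue: parsesAsJavaScript(TYPICAL_VALUE),          // false
  };
}

console.log(AWEBER_FIELDS, report());
```

Run with node. report() is true only for the string with parentheses: "name (awf_first),name (awf_last),email" is a valid comma expression of two function calls and an identifier, while the same names without parentheses, or an ordinary e-mail address, are syntax errors and would not have reached this point of the check.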