
XSS false positive breaks OpenID on stackexchange sites

Posted: Mon Aug 03, 2015 10:02 pm
by forest
NoScript 2.6.9.34's XSS protection currently breaks OpenID login on stackexchange (and sister sites including stackoverflow.com).

I'm testing with a launchpad.net OpenID. The browser console shows several "[NoScript XSS] Sanitized suspicious request" messages, a yellow banner says "NoScript filtered a potential cross-site scripting (XSS) attempt from [https://gaming.stackexchange.com]", and the launchpad OpenID endpoint produces a 404 error.

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Mon Aug 03, 2015 10:53 pm
by Giorgio Maone
Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?
Thanks!

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Mon Aug 03, 2015 11:56 pm
by forest
Giorgio Maone wrote: Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?
Thanks!
Done.

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Tue Aug 04, 2015 12:06 am
by forest
FYI, I don't remember this being a problem when I logged in to stackexchange yesterday. Unless my memory is failing me, it's probably related to a new login system that they apparently patched today.

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Tue Mar 15, 2016 2:05 pm
by Jackalus
Just to confirm that this is now repeating... unable to log in today, even using Unsafely Reload, without disabling: Options | Advanced | XSS | 'Sanitise...' and 'Turn Cross Site...'

When I've disabled these, I'm able to log in fine. I can pm you Console details... How much do you want?

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Tue Mar 15, 2016 5:00 pm
by barbaz
Jackalus wrote: I can pm you Console details... How much do you want?
The full InjectionChecker and/or XSS messages would be great, thanks.

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Wed Mar 16, 2016 4:25 am
by barbaz
Actually does latest development build 2.9.0.5rc3 still have this problem?

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Wed Mar 16, 2016 6:43 pm
by foresto
Some stackexchange users have reported working around the problem by adding a regex like this to NoScript's Anti-XSS Protection Exceptions:


^https://login\.launchpad\.net/\+[Oo][Pp][Ee][Nn][Ii][Dd]\?
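The regex above is a NoScript Anti-XSS Protection exception, which NoScript matches against the destination URL of a cross-site request. As an added example that is not part of this thread or of NoScript's own code, the JavaScript below builds a constructed OpenID 2.0 checkid_setup redirect of the kind a relying party sends the browser to (the return_to host and path are assumptions for illustration) and checks what the posted exception does and does not cover, beside an unanchored variant that would also match attacker-controlled URLs carrying the same text in a query string.

```javascript
// Added example, not from the thread or from NoScript: check the scope of the
// Anti-XSS exception regex posted above against constructed URLs.
const launchpadOpenIdException =
  /^https:\/\/login\.launchpad\.net\/\+[Oo][Pp][Ee][Nn][Ii][Dd]\?/;

// A deliberately loose variant: same text, but not anchored to the start of
// the URL or to the https scheme. Shown only to contrast with the one above.
const looseException = /login\.launchpad\.net\/\+openid\?/i;

// Build a constructed OpenID 2.0 checkid_setup request URL. The parameter
// names come from the OpenID 2.0 spec; the endpoint, return_to and realm
// values are supplied by the caller and are assumptions for illustration.
function buildCheckidSetup(opEndpoint, returnTo, realm) {
  const u = new URL(opEndpoint);
  u.searchParams.set("openid.ns", "http://specs.openid.net/auth/2.0");
  u.searchParams.set("openid.mode", "checkid_setup");
  u.searchParams.set("openid.return_to", returnTo);
  u.searchParams.set("openid.realm", realm);
  u.searchParams.set("openid.claimed_id",
    "http://specs.openid.net/auth/2.0/identifier_select");
  u.searchParams.set("openid.identity",
    "http://specs.openid.net/auth/2.0/identifier_select");
  return u.toString();
}

// True when NoScript's XSS filter would leave this destination alone.
function isExempt(url, exception = launchpadOpenIdException) {
  return exception.test(url);
}

// Constructed sample destinations (hostnames other than launchpad's are
// placeholders). Each entry records what the anchored exception should do.
const samples = [
  { url: buildCheckidSetup("https://login.launchpad.net/+openid",
      "https://gaming.stackexchange.com/users/authenticate",
      "https://gaming.stackexchange.com/"), expected: true },
  // Case variants of "openid" in the path are covered by the bracket classes.
  { url: "https://login.launchpad.net/+OpenID?openid.mode=checkid_setup", expected: true },
  // Plain http is not covered: the exception is pinned to https.
  { url: "http://login.launchpad.net/+openid?openid.mode=checkid_setup", expected: false },
  // A look-alike host is not covered because the host is anchored and escaped.
  { url: "https://login.launchpad.net.evil.example/+openid?x=1", expected: false },
  // Extra path segments between +openid and the query are not covered.
  { url: "https://login.launchpad.net/+openid/extra?x=1", expected: false },
  // The launchpad URL merely appearing inside a query string is not covered.
  { url: "https://evil.example/?next=https://login.launchpad.net/+openid?", expected: false },
];

// Evaluate every sample against both regexes and report the mismatches of the
// anchored one. Returns the table so callers can inspect it.
function checkSamples() {
  return samples.map(({ url, expected }) => ({
    url,
    expected,
    anchored: isExempt(url),
    loose: isExempt(url, looseException),
  }));
}

function anchoredMatchesExpectations() {
  return checkSamples().every((r) => r.anchored === r.expected);
}

for (const r of checkSamples()) {
  console.log(`${r.anchored ? "exempt " : "filter "} (loose: ${r.loose}) ${r.url}`);
}
```

The last sample is the one that matters for the exception list: an unanchored pattern is satisfied by any third-party URL that embeds the launchpad endpoint in a parameter, which would turn the exception into a bypass of the filter rather than a narrow allowance for one login endpoint.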

Re: XSS false positive breaks OpenID on stackexchange sites

Posted: Thu Mar 17, 2016 6:35 pm
by forest
barbaz wrote: Actually does latest development build 2.9.0.5rc3 still have this problem?
The just-released 2.9.0.5 still has this problem.