eBay URL Problems

Oeconomist · Post by **Oeconomist** » Wed Apr 13, 2016 11:53 am

I run PaleMoon and Firefox on Fedora Core 22 Linux on a 64-bit Atom CPU.

When I try to perform eBay searches with slightly complicated strings, recent versions of NoScript cause the browser to choke on the URL. Here is an example of a URL that does not work with NoScript enabled, but works fine with NoScript disabled:

http://www.ebay.com/dsc/i.html?&_osacat ... itleDesc=1

Post by **therube** » Wed Apr 13, 2016 2:17 pm

Does this apply, [RESOLVED] ATTENTION: Latest version is broken on Palemoon?

Oeconomist · Post by **Oeconomist** » Thu Apr 14, 2016 5:57 am

It does not seem to apply. I have not observed a problem with NoScript failing to install; the bug manifests itself both in PaleMoon and in Firefox; NoScript seems to work as expected in other contexts. eBay searches that have simpler URLs work fine.

Indeed, I was surprised that the bug is one of NoScript. It was only by a process of elimination that I associated the problem with NoScript. It is as if NoScript parses the URL incorrectly and does not see that the domain is whitelisted when the portion of the URL used to pass paramaters is a bit involved, even though none of those parameters looks like a domain-name.

Oeconomist · Post by **Oeconomist** » Sun Apr 24, 2016 6:33 am

Ah, the crickets! They chirp!

Post by **barbaz** » Sun Apr 24, 2016 11:51 am

[img[/img]
Funny how that account doesn't check out as same user as the guest poster...

@ Oeconomist Guest (if you're not the same person):
When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

Post by **therube** » Sun Apr 24, 2016 1:42 pm

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ///dsc/i.html?&_osacat=1&_nkw=leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr)&_sacat=0&LH_TitleDesc=1
(function anonymous() {
leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%28keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%29+%28esser%2Ceser%2Cesserr%29&_sacat=0&LH_TitleDesc=1] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%20keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%20+%20esser%2Ceser%2Cesserr%20&_sacat=0&LH_TitleDesc=1#4158468393455419684].

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ///dsc/i.html?&_osacat=1&_nkw=leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr)&_sacat=0&LH_TitleDesc=1
(function anonymous() {
leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%28keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%29+%28esser%2Ceser%2Cesserr%29&_sacat=0&LH_TitleDesc=1] requested from [chrome://navigator/content/navigator.xul]. Sanitized URL: [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%20keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%20+%20esser%2Ceser%2Cesserr%20&_sacat=0&LH_TitleDesc=1#8702105985253366310].

Post by **barbaz** » Sun Apr 24, 2016 2:31 pm

If you trust eBay not to be vulnerable to XSS, can try adding this XSS exception (documented in FAQ 4.4, though the exception in that FAQ is outdated now):

Code: Select all

^https?://www\.ebay\.com/dsc/i\.html

Or (better), if you only do searches from a searchplugin, see viewtopic.php?f=7&t=20851

Better yet, additionally secure eBay with ABE rule, so that not just any site can even try to XSS eBay.

Oeconomist · Post by **Oeconomist** » Mon Apr 25, 2016 12:48 pm

barbaz wrote:Funny how that account doesn't check out as same user as the guest poster...

After twice posting as a guest, I figured that I might as well register. (I mostly wanted to avoid some troll coming-along and turning discussion into chaos.)

barbaz wrote:When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)

I don't get a browser console (nor other source of diagnostics) in PaleMoon, though I believe that one can be installed. The console for Firefox declares suspicious XSS (as indicated by therube above).

barbaz wrote:If you trust eBay not to be vulnerable to XSS, can try adding this XSS exception (documented in FAQ 4.4, though the exception in that FAQ is outdated now):
Code: Select all
^https?://www\.ebay\.com/dsc/i\.html

Now, that did the trick very nicely; thank you! (I will investigate your other suggestions later!)

Post by **barbaz** » Mon Apr 25, 2016 1:11 pm

You're welcome, glad it's working!

Let us know if you would like help with the other suggestions.

Post by **barbaz** » Mon Apr 25, 2016 1:20 pm

Oeconomist wrote:After twice posting as a guest, I figured that I might as well register. (I mostly wanted to avoid some troll coming-along and turning discussion into chaos.)

I only checked the second Guest post but not the first, sorry about that. The first Guest post does check out as yours so it's under your account now. If you correctly PM me the IP address or ISP used for the second Guest post, it too will be yours.

InformAction Forums

eBay URL Problems

eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems

Re: eBay URL Problems