XSS Injection Checker google ads

Ask for help about NoScript, no registration needed to post
dfriedmann
Posts: 2
Joined: Thu Apr 21, 2016 3:27 pm

XSS Injection Checker google ads

Post by dfriedmann »

Hi Support,
I'm wondering why I get an XSS injection warning on one of my favourite sites: www.frag-einen-anwalt.de
When visiting this url for example: http://www.frag-einen-anwalt.de/Grundst ... 86219.html
I get the following messages in the console:


[NoScript InjectionChecker] JavaScript Injection in ///Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html
(function anonymous() {
Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html /* COMMENT_TERMINATOR */
DUMMY_EXPR
})


[NoScript XSS] Sanitized suspicious request. Original URL [http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf-f286219.html#31038140703915984191].
as well as these


[NoScript XSS] Sanitized suspicious request referer. URL [https://www.google.com/ads/user-lists/1070875731/?label=kK2CCMv76wEQ04jR_gM&fmt=1&num=1&cv=8&frm=0&url=http%3A//www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html&ref=http%3A//www.frag-einen-anwalt.de/&random=2932988384 (REF: http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html)] requested from [http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html]. Sanitized Referrer: [http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf-f286219.html].


[NoScript XSS] Sanitized suspicious request. Original URL [https://www.google.com/ads/user-lists/1070875731/?label=kK2CCMv76wEQ04jR_gM&fmt=1&num=1&cv=8&frm=0&url=http%3A//www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html&ref=http%3A//www.frag-einen-anwalt.de/&random=2932988384] requested from [http://www.frag-einen-anwalt.de/Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html]. Sanitized URL: [https://www.google.com/ads/user-lists/1070875731/?label=kK2CCMv76wEQ20jR_gM&fmt=1&num=1&cv=8&frm=0&url=http%3A%2F%2Fwww.frag-einen-anwalt.de%2FGrundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf-f286219.html%234184986094559880520&ref=http%3A//www.frag-einen-anwalt.de/&random=2932988384#875650864509592116].
I don't get an XSS Injection warning on other sites using google ads, so I doubt that this is the culprit.
Is having the triple dash "---" in the url the problem?
The sanitized url only contains single dashes, which leads me to believe that this is the case.

I would appreciate it if you could confirm this or help me see the problem here.

Thanks!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS Injection Checker google ads

Post by barbaz »

No XSS there, I'd say false positive. Thanks for the report

I don't know any German, so I'd just be guessing, but since the URL is seemingly a static html page it's probably not vulnerable to XSS, try this workaround:
NoScript Options > Advanced > XSS, add this line to exceptions list:


^https?://www\.frag-einen-anwalt\.de/[^?]+---[^?]+\.html$
Last edited by barbaz on Thu Apr 21, 2016 4:57 pm, edited 1 time in total.
Reason: fix
*Always* check the changelogs BEFORE updating that important software!
-
dfriedmann
Posts: 2
Joined: Thu Apr 21, 2016 3:27 pm

Re: XSS Injection Checker google ads

Post by dfriedmann »

Thanks for that tip.
But how can the original site avoid these false positives??
I'm affiliated with that site - and we've had a number of users (who use noscript) complain about these warnings.
What is the reason that they are appearing? How can it be avoided?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS Injection Checker google ads

Post by barbaz »

Well, you could change URLs to not use 3 consecutive dashes and see if that stops the XSS filter complaining...
(I've done some testing, and it seems with any number of consecutive dashes other than 3 the XSS filter is OK with it. Go figure.
I've updated the above XSS exception to reflect that finding.)
*Always* check the changelogs BEFORE updating that important software!
-
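An added example (not NoScript's own code, and not from either poster) that reproduces the behaviour barbaz measured above. The InjectionChecker log in the first post shows the URL path being wrapped in a function body with `/* COMMENT_TERMINATOR */` and `DUMMY_EXPR`; this script does the same with `new Function()` (which only compiles, never runs) for one to six consecutive dashes. The second stage, which only reports a parseable fragment if it also contains a mutating or calling construct, is this example's own assumption about why a plain `a-b-c.html` passes while `a---b.html` does not: `---` tokenises as `--` followed by `-`, so `Kauf---f286219` is the postfix decrement `Kauf--` minus `f286219`, whereas two, four or five dashes leave two expressions adjacent with no operator and fail to parse. The exception regex barbaz posted is also checked against full URLs so a site owner can see which pages it covers.

```javascript
// Added example, not NoScript's code. Mimics the parser probe visible in the
// InjectionChecker log and adds an assumed "side-effect" heuristic on top.

// The path from the original report, used as constructed sample input.
const REPORTED_PATH =
  "Grundstueckskauf-Verpflichtet-ein-abgegebener-Preisvorschlag-bereits-zum-Kauf---f286219.html";

// Stage 1: does the fragment survive a JavaScript parse? new Function() only
// compiles the body; nothing in it is executed.
function parsesAsJavaScript(fragment) {
  try {
    new Function(fragment + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR");
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Stage 2 (assumed heuristic, not NoScript's actual rule): identifiers joined
// by "-" are just subtraction, so only parseable fragments that also contain
// an increment/decrement, an assignment or a call are reported. "Kauf--" is a
// postfix decrement, which is exactly such a construct.
const SIDE_EFFECT = /\+\+|--|[^=!<>]=[^=]|\(/;

function looksLikeInjection(fragment) {
  return parsesAsJavaScript(fragment) && SIDE_EFFECT.test(fragment);
}

// Rebuild the slug with n consecutive dashes where the original had three.
function withDashes(path, n) {
  return path.replace("---", "-".repeat(n));
}

// Try 1..max dashes and record which variants parse and which get reported.
function dashReport(path, max = 6) {
  const report = {};
  for (let n = 1; n <= max; n++) {
    const variant = withDashes(path, n);
    report[n] = {
      parses: parsesAsJavaScript(variant),
      flagged: looksLikeInjection(variant),
    };
  }
  return report;
}

// The XSS exception barbaz posted, applied to a full URL.
const EXCEPTION = /^https?:\/\/www\.frag-einen-anwalt\.de\/[^?]+---[^?]+\.html$/;

function coveredByException(url) {
  return EXCEPTION.test(url);
}

// Stand-alone run: one line per dash count, then the exception check.
const demo = dashReport(REPORTED_PATH);
for (const [n, r] of Object.entries(demo)) {
  console.log(`${n} dash(es): parses=${r.parses} flagged=${r.flagged}`);
}
console.log(
  "exception covers original URL:",
  coveredByException("http://www.frag-einen-anwalt.de/" + REPORTED_PATH)
);
```

Run with `node`: the parse stage alone accepts both the one-dash and the three-dash slug and rejects two, four, five and six, so it is the decrement hidden inside `---` that separates the reported URL from an ordinary hyphenated one. Renaming the slug to a single dash (as barbaz suggests) removes the decrement, and the exception regex stops matching it, which is the intended outcome.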