XSS protection - max nr of characters or html tags?

matthias-g
Posts: 3
Joined: Mon May 23, 2016 12:24 pm

XSS protection - max nr of characters or html tags?

Post by matthias-g »

Hello forum,

in the FAQ for the Anti-XSS feature, it says:
Cross-site requests from a trusted site to a different trusted site are checked through the InjectionChecker engine, which is more accurate and sanitizes only requests which contain conspicuous fragments of HTML or syntactically valid JavaScript.
https://noscript.net/faq#qa4_2

What exactly determines if a string is conspicuous or not? Is there a certain threshold for number of characters and/or number of HTML tags? Any chance that spaces play a role?
Because I have a string consisting of alphanumeric characters, spaces and html elements (<br />, <b>, and <i>) and when I do a POST request from Site A to Site B where this string is sent, NoScript's XSS protection steps in:
[NoScript InjectionChecker] JavaScript Injection in ##[[My string...]]

[NoScript XSS] Ein verdächtiger Upload zu [[Site B...]] von [[Site A...]] wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt.
I would like to know how I should tweak the string so that it passes. I tried using fewer characters and fewer HTML elements, but without luck.

I use NoScript 2.9.0.11.

Any help would be appreciated, thanks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
matthias-g
Posts: 3
Joined: Mon May 23, 2016 12:24 pm

Re: XSS protection - max nr of characters or html tags?

Post by matthias-g »

To elaborate:

Here's the original part of the string that caused the problem:
"<br /><br />
Some words with spaces between them."
I changed this part of the string, with varying results.
"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"
--> works, so it can't be just the number of characters which causes the problem
"<br /><br />
abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"
--> works, so it's not just the two <br />-Tags
"<br /><br />
abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz."
--> works, so it's not just the dot at the end.
"<br /><br />
abc defghijklmnopqrstuvwxyz."
--> doesn't work. It's far fewer characters than the above example, so it can't be the number of characters. However, there is now a space. Is this causing the problem?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS protection - max nr of characters or html tags?

Post by barbaz »

It is unwise to pass HTML fragments around through the user's browser, that's just an invitation to be XSSed. Can you change your site to use something safer for formatting, e.g. BBCode?
*Always* check the changelogs BEFORE updating that important software!
-
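As an added illustration of the alternative barbaz suggests (example code written for this thread, not NoScript's code and not the poster's), here is a server-side renderer for a small BBCode subset that covers the same formatting the poster currently sends as raw HTML (bold, italic, line breaks). The request body then carries only plain text plus square-bracket markup, so the cross-site POST contains no HTML fragment at all, which is the category of content the quoted FAQ says InjectionChecker looks for. The tag names, sample strings and function name are constructed for this example.

```python
import html
import re

# Constructed sample inputs for the example (not taken from the thread):
# the poster's formatting expressed as BBCode instead of raw HTML.
SAMPLE_BBCODE = "[b]Some words[/b] with [i]spaces[/i] between them.\n\nNext paragraph."
# A hostile sample, to show that markup smuggled inside the text is neutralised.
HOSTILE_BBCODE = "[b]hi[/b] <script>alert(1)</script> [url=javascript:x]no[/url]"

# Only these tags are allowed; anything else in the text is treated as plain text.
_ALLOWED = {"b": "strong", "i": "em"}
_TAG_RE = re.compile(r"\[(/?)(b|i)\]", re.IGNORECASE)


def bbcode_to_html(text: str) -> str:
    """Render a whitelisted BBCode subset ([b], [i], newlines) to HTML.

    The whole user string is HTML-escaped first, so any literal '<', '>',
    '&' or quote the user typed becomes inert. Only [b]/[i] are turned into
    tags, and tags are closed in nesting order so the output is well-formed
    even when the input is unbalanced.
    """
    escaped = html.escape(text, quote=True)  # square brackets survive escaping
    out = []
    stack = []  # currently open BBCode tag names
    pos = 0
    for m in _TAG_RE.finditer(escaped):
        out.append(escaped[pos:m.start()])
        closing, name = m.group(1) == "/", m.group(2).lower()
        if not closing:
            stack.append(name)
            out.append(f"<{_ALLOWED[name]}>")
        elif name in stack:
            # Close everything opened after this tag, then the tag itself.
            while stack:
                top = stack.pop()
                out.append(f"</{_ALLOWED[top]}>")
                if top == name:
                    break
        else:
            out.append(m.group(0))  # stray close tag: keep it as visible text
        pos = m.end()
    out.append(escaped[pos:])
    while stack:  # close anything the user left open
        out.append(f"</{_ALLOWED[stack.pop()]}>")
    # Newlines become line breaks, matching the poster's <br /> elements.
    return "".join(out).replace("\n", "<br />")


if __name__ == "__main__":
    print(bbcode_to_html(SAMPLE_BBCODE))
    print(bbcode_to_html(HOSTILE_BBCODE))
```

The conversion runs on the receiving site after the request has arrived, so the browser only ever transports text. The whitelist is deliberately tiny; adding tags that carry attributes (links, images) would need separate validation of the attribute values, which is exactly the work raw HTML in a form field skips.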
matthias-g
Posts: 3
Joined: Mon May 23, 2016 12:24 pm

Re: XSS protection - max nr of characters or html tags?

Post by matthias-g »

Thanks for your reply.

Currently, I don't have the option of using something other than HTML for this string, but I may be able to do so in the future, so thanks for the suggestion.

You say that passing HTML is unwise - true enough, but evidently NoScript's XSS protection lets through at least some amount of HTML elements without blocking the request. Can somebody explain why the different strings I tried (see above posts) work or don't work, respectively?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS protection - max nr of characters or html tags?

Post by barbaz »

(just guessing...)
Well you might look at about:config > noscript.filterXGetRx see if that's anything to do with it?

IIRC NoScript is designed to let some "known innocuous" HTML through the XSS filter, but no idea what exactly.

As a test, can you submit the form using GET and check the Browser Console (Ctrl-Shift-J) see how NoScript sanitises the URL?
*Always* check the changelogs BEFORE updating that important software!
-