XSS filter blocks hangouts on gmail

n0-0ne
Posts: 4
Joined: Tue Jul 19, 2016 3:34 pm

XSS filter blocks hangouts on gmail

Post by n0-0ne »

Hangouts is being blocked from Gmail (it only started today; until now it worked with no issues).
I'm using Firefox 47.0 and NoScript 2.9.0.11,
and I'm getting the following error in the console:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [https://hangouts.google.com/webchat/u/0/load...
I'm not sure if this is some issue with NoScript or somehow my mail account got compromised.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS filter blocks hangouts on gmail

Post by barbaz »

Can't help you there without having the full XSS message as well as the associated InjectionChecker message.

Feel free to PM it to me if you don't want it posted publicly.
*Always* check the changelogs BEFORE updating that important software!
-
n0-0ne
Posts: 4
Joined: Tue Jul 19, 2016 3:34 pm

Re: XSS filter blocks hangouts on gmail

Post by n0-0ne »

Is this the InjectionChecker message?

Code:

[NoScript InjectionChecker] HTML injection:
<"(sETê
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?c\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?f\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?m|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?y\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?v\W*(?:\/[*/][\s\S]*)?g|\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?q\W*(?:\/[*/][\s\S]*)?u\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?e|(?:\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?k|\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?j\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?c\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?d|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?m|\W*(?:\/[*/][\s\S]*)?i?\W*(?:\/[*/][\s\S]*)?f\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?y|\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?a|\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a?\W*(?:\/[*/][\s\S]*)?g\W*(?:\/[*/][\s\S]*)?e?|\W*(?:\/[*/][\s\S]*)?v\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?o|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?u\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?o|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*
)?d\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?g\W*(?:\/[*/][\s\S]*)?s|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?x|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?e)[^>\w])|['"\s\0/](?:formaction|style|background|src|lowsrc|ping|on(?:c(?:o(?:n(?:nect(?:i(?:on(?:statechanged|available)|ng)|ed)?|t(?:rol(?:lerchange|select)|extmenu)|figurationchange)|m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|py)|h(?:a(?:r(?:ging(?:time)?change|acteristicchanged)|nge)|ecking)|a(?:n(?:play(?:through)?|cel)|(?:llschang|ch)ed|rdstatechange)|u(?:rrent(?:channel|source)changed|echange|t)|l(?:i(?:rmodechange|ck)|ose)|(?:fstate|ell)change)|p(?:o(?:inter(?:(?:lea|mo)ve|o(?:ver|ut)|cancel|enter|down|up)|p(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|ster)|a(?:i(?:ring(?:con(?:firmation|sent)req|aborted)|nt)|ge(?:hide|show)|(?:st|us)e)|u(?:ll(?:vcard(?:listing|entry)|phonebook)req|sh(?:subscriptionchange)?)|r(?:o(?:pertychange|gress)|eviewstatechange)|(?:(?:ending|ty|s)chang|ic(?:hang|tur))e|lay(?:ing)?|hoto)|m(?:o(?:z(?:browser(?:beforekey(?:down|up)|afterkey(?:down|up))|pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|interrupt(?:begin|end)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|a(?:p(?:se(?:tmessagestatus|ndmessage)|message(?:slisting|update)|folderlisting|getmessage)req|rk)|essage)|d(?:e(?:vice(?:p(?:roximity|aired)|(?:orienta|mo)tion|(?:unpaire|foun)d|light)|l(?:ivery(?:success|error)|eted)|activate)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed)?)|playpasskeyreq|abled)|aling)|r(?:a(?:g(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|in)|op)|ata(?:setc(?:omplete|hanged)|(?:availabl|
chang)e|error)?|urationchange|ownloading|blclick)|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ize|et)|ad(?:y(?:statechange)?|success|error)|mo(?:te(?:resume|hel)d|vetrack)|c(?:orderstatechange|eived)|questmediaplaystatus|pea(?:tEven)?t|loadpage|trieving)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|(?:(?:adiost)?ate|t)change|ds(?:dis|en)abled)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|o(?:rage(?:areachanged)?|p)|k(?:sessione|comma)nd)|e(?:lect(?:ionchange|start)?|ek(?:ing|ed)|n(?:ding|t)|t)|c(?:(?:anningstate|ostatus)changed|roll)|pe(?:akerforcedchange|ech(?:start|end))|u(?:ccess|spend|bmit)|ound(?:start|end)|h(?:utter|ow))|a(?:n(?:imation(?:iteration|start|end)|tennaavailablechange)|ttribute(?:(?:write|read)req|changed)|fter(?:(?:scriptexecu|upda)te|print)|b(?:solutedeviceorientation|ort)|d(?:apter(?:remov|add)ed|dtrack)|ctiv(?:estatechanged|ate)|udio(?:process|start|end)|2dpstatuschanged|lerting)|Moz(?:S(?:wipeGesture(?:(?:May)?Start|Update|End)?|crolledAreaChanged)|M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|e(?:ditfocus|victed)|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut))|deactivate)|gin(?:Event)?)|u(?:fferedamountlow|sy)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|e(?:n(?:ter(?:pincodereq)?|(?:crypt|abl)ed|d(?:Event|ed)?)|m(?:ergencycbmodechange|ptied)|(?:itbroadcas|vic)ted|rror(?:update)?|xit)|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|ullscreen(?:change|error)|i(?:lterchange|nish)|a(?:cesdetect|il)ed|requencychange|etch)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|ing(?:error|done)?|start)?|s(?:tpointer|e)capture)|(?:anguage|evel)change|y)|o(?:(?:(?:rientation|tastatus)chang|(?:ff|n)lin)e|b(?:expasswordreq|solete)|verflow(?:changed)?|pen)|g(?:amepad(?:(?:
dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|ime(?:update|out)|ransitionend|ypechange|ext)|u(?:p(?:date(?:found|ready)|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|w(?:ebkit(?:Animation(?:Iteration|Start|End)|TransitionEnd)|a(?:it|rn)ing|heel)|h(?:e(?:adphoneschange|l[dp])|(?:fp|id)statuschanged|ashchange|olding)|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|v(?:o(?:ice(?:schanged|change)|lumechange)|ersionchange)|n(?:o(?:tificationclick|update|match)|ewrdsgroup)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|key(?:press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=
If not, I'm not sure what you mean.
I can send you the full URL in PM, but I'm not sure how much help that would be (or if you can even load it, since I assume it has some data that will require the same login).
I just thought that if this is a NoScript/Gmail issue, it would have happened to other people by now.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS filter blocks hangouts on gmail

Post by barbaz »

Yes, that's the InjectionChecker message. I've never seen something like that fragment in the InjectionChecker message in NoScript XSS issues; I'm not sure what to make of it just from that.

The full NoScript XSS message would be a lot of help determining if it's safe (we don't need to actually load the original URL, we just need to look at it and what the XSS filter did to it).
n0-0ne
Posts: 4
Joined: Tue Jul 19, 2016 3:34 pm

Re: XSS filter blocks hangouts on gmail

Post by n0-0ne »

OK, I sent you a PM.

I also tried logging in with another Gmail account and I didn't get the XSS issue, so I guess it's something specific to my account / Hangouts messages.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS filter blocks hangouts on gmail

Post by barbaz »

That XSS message that you sent me in PM looks to me like a false positive; I'm not really sure why it's tripping. So at least for now, I'd say you can try adding an XSS exception to work around it.
NoScript Options > Advanced > XSS, and add this to XSS Exceptions:

Code:

^https://hangouts\.google\.com/webchat/u/0/load\?
See the sticky for more information on XSS exceptions.

Do you mind if I post your PM in the forum-staff-only section in case Giorgio needs to tweak the XSS filter or others can say more?
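An added example, not NoScript's code or anything barbaz posted: a small JavaScript model of the two regexes in this thread, so a reader can see why the quoted fragment trips an obfuscated-tag check and can confirm that the proposed XSS exception is anchored and escaped tightly enough. The TAG_PROBE pattern below is a hand-written subset of the InjectionChecker regex quoted earlier (only the "set" and "script" alternatives, without the comment-skipping groups), and the sample fragment and URLs are constructed.

```javascript
// Reduced model (NOT NoScript's real pattern) of the obfuscated-tag check:
// "<", optional non-word junk, a tag name whose letters may be separated by
// non-word characters, then a terminator that is neither ">" nor a word char.
// The quoted InjectionChecker regex has an "s\W*e\W*t" alternative, which is
// what the fragment <"(sET matched. Case-insensitive, like the "sET" seen.
const TAG_PROBE = /<[^\w<>]*(?:s\W*e\W*t|s\W*c\W*r\W*i\W*p\W*t)[^>\w]/i;

// The exception barbaz proposed, exactly as quoted in the thread.
const HANGOUTS_EXCEPTION = /^https:\/\/hangouts\.google\.com\/webchat\/u\/0\/load\?/;

// A deliberately loose variant (unanchored, unescaped dots) for comparison.
const LOOSE_EXCEPTION = /hangouts.google.com/;

// Does a decoded request fragment look like an injected HTML tag?
function looksLikeInjectedTag(fragment) {
  return TAG_PROBE.test(fragment);
}

// Would the tight exception skip the filter for this URL?
function isExcepted(url) {
  return HANGOUTS_EXCEPTION.test(url);
}

// Would the loose exception skip the filter for this URL?
function isExceptedLoose(url) {
  return LOOSE_EXCEPTION.test(url);
}

// Constructed samples. "\u00ea" is the "ê" from the quoted fragment; without
// the /u flag, JS's \w is ASCII-only, so "ê" counts as a valid terminator.
const FRAGMENT_FROM_THREAD = '<"(sET\u00ea';
const SAMPLES = {
  fragment: looksLikeInjectedTag(FRAGMENT_FROM_THREAD),          // true
  plainScriptTag: looksLikeInjectedTag('<script src='),          // true
  harmlessText: looksLikeInjectedTag('please set a date'),       // false
  realHangouts: isExcepted('https://hangouts.google.com/webchat/u/0/load?t=1'),          // true
  lookalikeHost: isExcepted('https://hangouts.google.com.example.net/webchat/u/0/load?t=1'), // false
  plainHttp: isExcepted('http://hangouts.google.com/webchat/u/0/load?t=1'),               // false
  looseMatchesAnything: isExceptedLoose('https://example.net/?q=hangoutsXgoogleXcom'),     // true
};

console.log(SAMPLES);
```

The lookalike-host and plain-http cases show why the `^`, the `\.` escapes and the trailing `/webchat/...load\?` path matter: an exception like LOOSE_EXCEPTION would disable the filter for any URL that merely contains a similar substring.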
n0-0ne
Posts: 4
Joined: Tue Jul 19, 2016 3:34 pm

Re: XSS filter blocks hangouts on gmail

Post by n0-0ne »

Thanks barbaz.

I haven't had a chance to add the exception, but today everything seems to be working.
I guess whatever triggered the XSS issue was in the main contact list / message history,
since that's what the link is trying to load, and whatever caused the issue is no longer showing there (the same URL is now loading, but it has a different token).

You can pass the link to NoScript staff if you think it might be useful.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS filter blocks hangouts on gmail

Post by barbaz »

You're welcome.