[RESOLVED] XSS Filtering blocks comments on huffingtonpost

Posted: Wed Jul 12, 2017 10:23 pm
by Guest
As of recently (past week or so) the articles on the site (huffingtonpost.com) are perfectly viewable but clicking the button which should bring up a comments frame on the right hand side just brings up an empty frame showing the title "Comments" but no content. Allowing all permissions temporarily for the site did not fix the issue but disabling the add-on entirely did. When I viewed the console there was an error indicating an XSS link was blocked.

Code:

[NoScript InjectionChecker] JavaScript Injection in ///plugins/comments.php?api_key=&channel_url=http://staticxx.facebook.com/connect/xd_arbiter/r/XBwzv5Yrm_1.js?version=42#cb=f2c501c15eb1bba&domain=www.huffingtonpost.com&origin=http://www.huffingtonpost.com/f306cefcd80d418&relation=parent.parent&colorscheme=light&href=http://www.huffingtonpost.com/entry/new-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%
(function anonymous(
) {
www.huffingtonpost.com/f306cefcd80d418&relation==parent.parent&colorscheme==light
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df2c501c15eb1bba%26domain%3Dwww.huffingtonpost.com%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff306cefcd80d418%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fnew-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25] requested from [http://www.huffingtonpost.com/entry/new-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae?ncid=inblnkushpmg00000009]. Sanitized URL: [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%2520f2c501c15eb1bba%2526domain%2520www.huffingtonpost.com%2526origin%2520http%253A%252F%252Fwww.huffingtonpost.com%252Ff306cefcd80d418%2526relation%2520parent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fnew-amelia-earhart-photo-bs_us_59664c48e4b005b0fdca6dae&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25].
SyntaxError: JSON.parse: end of data while reading object contents at line 1 column 2 of the JSON data[Learn More]  desktop-694c9ce9b2ee44f1ede5afd1bd6e5b17309d457a3e699b0dfd829818914f6982.js:5:10302

        
I tried adding manual exceptions in the XSS section under Advanced settings options in NoScript, but I'm not sure I had the correct site and/or syntax to allow the comments to display.

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Wed Jul 12, 2017 10:26 pm
by barbaz
Does the issue occur with NoScript latest development build 5.0.7rc1?

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Wed Jul 12, 2017 10:40 pm
by Guest
Didn't help

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Wed Jul 12, 2017 11:18 pm
by barbaz
Does this XSS exception help? -

Code:

^https://www\.facebook\.com/plugins/comments\.php\?

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Wed Jul 12, 2017 11:24 pm
by Guest
Still the same problem

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Thu Jul 13, 2017 1:24 am
by barbaz
With the exception in place, please post the new console messages.

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Thu Jul 13, 2017 12:33 pm
by Guest

Code:

[NoScript InjectionChecker] JavaScript Injection in ///plugins/feedback.php?api_key&channel_url=http://staticxx.facebook.com/connect/xd_arbiter/r/XBwzv5Yrm_1.js?version=42#cb=f549ea67fd7c2&domain=www.huffingtonpost.com&origin=http://www.huffingtonpost.com/f157b236c58939c&relation=parent.parent&colorscheme=light&href=http://www.huffingtonpost.com/entry/sherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%
(function anonymous(
) {
www.huffingtonpost.com/f157b236c58939c&relation==parent.parent&colorscheme==light
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df549ea67fd7c2%26domain%3Dwww.huffingtonpost.com%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff157b236c58939c%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fsherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25] requested from [http://www.huffingtonpost.com/entry/sherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f?4b&ncid=inblnkushpmg00000009]. Sanitized URL: [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%2520f549ea67fd7c2%2526domain%2520www.huffingtonpost.com%2526origin%2520http%253A%252F%252Fwww.huffingtonpost.com%252Ff157b236c58939c%2526relation%2520parent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.com%2Fentry%2Fsherman-impeach-trump-article-obstruction_us_59666d71e4b0a0c6f1e5517f&locale=en_US&numposts=10&sdk=joey&skin=light&version=v2.4&width=100%25].

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Thu Jul 13, 2017 12:35 pm
by Guest
I just got it working with a second exception to

Code:

^https://www\.facebook\.com/plugins/feedback\.php\?

Thanks for the help though
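
An added example (not part of the thread and not NoScript's own code): a small Node.js script that parses `[NoScript XSS]` console lines, reports which endpoint was sanitized and which query parameter was rewritten, and checks which of the two exception patterns quoted in the thread cover each request. The log lines are constructed and shortened from the format shown above, and the function names are hypothetical.

```javascript
// Added example: triage NoScript XSS-filter console messages against exception patterns.
// The two exception patterns are the ones quoted in the thread.
const EXCEPTIONS = [
  String.raw`^https://www\.facebook\.com/plugins/comments\.php\?`,
  String.raw`^https://www\.facebook\.com/plugins/feedback\.php\?`,
];

// Constructed sample lines, shortened from the log format posted in the thread.
const SAMPLE_LOG = [
  "[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fx.js%23cb%3Dabc%26relation%3Dparent.parent&colorscheme=light] requested from [http://www.huffingtonpost.com/entry/example]. Sanitized URL: [https://www.facebook.com/plugins/comments.php?api_key=&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fx.js%23cb%2520abc%2526relation%2520parent.parent&colorscheme=light].",
  "[NoScript XSS] Sanitized suspicious request. Original URL [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fx.js%23cb%3Dabc%26relation%3Dparent.parent&colorscheme=light] requested from [http://www.huffingtonpost.com/entry/example]. Sanitized URL: [https://www.facebook.com/plugins/feedback.php?api_key&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fx.js%23cb%2520abc%2526relation%2520parent.parent&colorscheme=light].",
];

// Extract the original URL, the requesting page and the sanitized URL from one log line.
function parseXssLog(line) {
  const m = /Original URL \[([^\]]+)\] requested from \[([^\]]+)\]\. Sanitized URL: \[([^\]]+)\]/.exec(line);
  return m ? { original: m[1], requester: m[2], sanitized: m[3] } : null;
}

// Map parameter name -> raw (still percent-encoded) value; handles bare keys like "api_key".
function rawParams(url) {
  const params = new Map();
  for (const pair of new URL(url).search.slice(1).split("&")) {
    const i = pair.indexOf("=");
    params.set(i < 0 ? pair : pair.slice(0, i), i < 0 ? "" : pair.slice(i + 1));
  }
  return params;
}

// Names of the parameters whose raw value the filter rewrote.
function changedParams(original, sanitized) {
  const before = rawParams(original), after = rawParams(sanitized);
  return [...before.keys()].filter((k) => before.get(k) !== after.get(k));
}

// Exception patterns that match the original (pre-sanitization) URL.
function matchingExceptions(url, patterns) {
  return patterns.filter((p) => new RegExp(p).test(url));
}

function triage(logLines, patterns) {
  return logLines.map(parseXssLog).filter(Boolean).map((e) => ({
    endpoint: new URL(e.original).pathname,
    rewritten: changedParams(e.original, e.sanitized),
    coveredBy: matchingExceptions(e.original, patterns),
  }));
}

console.log(triage(SAMPLE_LOG, EXCEPTIONS));
```

Run with only the first pattern, the `feedback.php` entry comes back with an empty `coveredBy`, which is the state the thread was in before the second exception was added.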

Re: XSS Filtering blocks comments on huffingtonpost.com

Posted: Thu Jul 13, 2017 1:35 pm
by barbaz
You're welcome.