XSS bug when accessing Google from WWWJDIC

Posted: Mon Aug 24, 2009 3:03 am
by Bueller007
Note: WWWJDIC is a widely used Japanese-English dictionary made available by Monash University. You may need to have Japanese text support enabled in order to read this bug report properly.

If you search for the word "胸像" at http://www.csse.monash.edu.au/~jwb/cgi-bin/wwwjdic.cgi and then click on either the [G] or [GI] links (which perform Google and Google Image searches, respectively), you will see that NoScript says that it has "filtered a potential cross-site scripting (XSS) attempt from [http://www.csse.monash.edu.au]", and that it has "sanitized" the URLs, resulting in undesired Google hits for the word "胸" instead of the original search term "胸像"--NoScript has mistakenly removed the final character, "像".

The problem here is definitely with NoScript. This can be confirmed easily because the links work properly on Firefox when NoScript is disabled. The console messages are shown below.

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.google.com/search?q="胸像"&hl=en&lr=lang_ja& ie=euc-jp] requested from [http://www.csse.monash.edu.au/~jwb/cgi-bin/wwwjdic.cgi?1E]. Sanitized URL: [http://www.google.com/search?q= 胸 &hl=en&lr=lang_ja&ie=euc-jp#18723719206980682291].

[NoScript XSS] Sanitized suspicious request. Original URL [http://images.google.com/images?q="胸像"&hl=en&ie=euc-jp] requested from [http://www.csse.monash.edu.au/~jwb/cgi-bin/wwwjdic.cgi?1E]. Sanitized URL: [http://images.google.com/images?q= 胸 &hl=en&ie=euc-jp#9620423950367644196].

The [A] link to alc.co.jp is problematic in a different way. In this case, NoScript seems to delete the search term entirely.

[NoScript XSS] Sanitized suspicious request. Original URL [http://eow.alc.co.jp/%B6%BB%C1%FC/EUC-JP/] requested from [http://www.csse.monash.edu.au/~jwb/cgi-bin/wwwjdic.cgi?1E]. Sanitized URL: [http://eow.alc.co.jp/#49875865245852047393].

The link to goo.ne.jp is also problematic in a different way. In this case, NoScript does not trigger an XSS warning/sanitation, but it still messes up the search term, replacing "胸像" with "胸<".

The [W] link to Japanese Wikipedia and the [JW] link to Japanese Wordnet work properly.

Note that none of these things are problems for other words in the dictionary. This is the only word of about ten that I checked that resulted in an XSS warning/sanitation. It seems to be specific to this word; even other words that begin with "胸" or end in "像" do not have this problem.
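The underlying problem in this report is a filter inspecting a percent-encoded query without honouring the charset the page declares (ie=euc-jp). The following is an added example, not code from the thread or from NoScript: it decodes the search term with the declared charset, shows what a naive UTF-8 decode of the same EUC-JP bytes produces, and includes a regression check a sanitizer can run to confirm the search term survived. The query strings are constructed here from the EUC-JP bytes the thread's alc.co.jp link shows (%B6%BB%C1%FC).

```python
from urllib.parse import quote_from_bytes, unquote_to_bytes


def euc_jp_escape(text: str) -> str:
    """Percent-encode text the way WWWJDIC sends it: EUC-JP bytes, %XX escapes."""
    return quote_from_bytes(text.encode("euc_jp"))


# Constructed query strings modelled on the thread's [G] link and on the
# sanitized URL NoScript logged (term reduced to " 胸 ").
TERM = "胸像"
QUERY = 'q=%22' + euc_jp_escape(TERM) + '%22&hl=en&lr=lang_ja&ie=euc-jp'
SANITIZED_QUERY = 'q=+' + euc_jp_escape("胸") + '+&hl=en&lr=lang_ja&ie=euc-jp'


def raw_params(query: str) -> dict:
    """Split a query string into {name: raw bytes}; values are deliberately
    not decoded to text yet, because the charset is unknown until 'ie' is read."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_to_bytes(name).decode("ascii", "replace")] = \
            unquote_to_bytes(value.replace("+", " "))
    return params


def decode_param(query: str, name: str, default_charset: str = "utf-8") -> str:
    """Decode one parameter with the charset the page declares in 'ie',
    falling back to UTF-8 when 'ie' is absent or names an unknown codec."""
    params = raw_params(query)
    charset = params.get("ie", b"").decode("ascii", "replace") or default_charset
    try:
        return params[name].decode(charset, errors="replace")
    except LookupError:
        return params[name].decode(default_charset, errors="replace")


def naive_decode_param(query: str, name: str) -> str:
    """What a filter sees if it ignores 'ie' and assumes UTF-8: the EUC-JP bytes
    B6 BB C1 FC are all invalid UTF-8 and become U+FFFD replacement characters."""
    return raw_params(query)[name].decode("utf-8", errors="replace")


def term_survives(original_query: str, sanitized_query: str) -> bool:
    """Regression check for a URL sanitizer: the decoded search term must still
    be present after sanitization (the bug in the thread dropped the final 像)."""
    original = decode_param(original_query, "q").strip('"')
    return original in decode_param(sanitized_query, "q")
```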

Re: XSS bug when accessing Google from WWWJDIC

Posted: Mon Aug 24, 2009 2:50 pm
by dhouwn
It's an encoding issue.

/edit: Deleted my half-nonsense.

Re: XSS bug when accessing Google from WWWJDIC

Posted: Mon Aug 24, 2009 2:56 pm
by Giorgio Maone
It's being fixed, however. Just wait for 1.9.8.7, to be released in hours.

Re: XSS bug when accessing Google from WWWJDIC

Posted: Mon Aug 24, 2009 4:33 pm
by Giorgio Maone
Please check latest development build 1.9.8.61, which contains the fix.

Re: XSS bug when accessing Google from WWWJDIC

Posted: Tue Aug 25, 2009 5:03 pm
by Bueller007
Thanks. The [G], [GI] and [A] links are working properly now. The link (to goo.ne.jp) is still not working, but I think it's likely a bug in WWWJDIC. It doesn't work properly in Safari either.