[Resolved] XSS false positive?

Post by **barbaz** » Mon Jun 26, 2023 3:42 am

Firefox 114.0.2
NoScript 11.4.23rc4
new profile

This DuckDuckGo search from the Firefox address bar or search bar

St Ego - You’re Over Me (Larson (AR) Remix)

produces the following XSS warning -

Code: Select all


NoScript detected a potential Cross-Site Scripting attack

from [...] to https://duckduckgo.com.

Suspicious data:

(URL) https://duckduckgo.com/?t=ffab&q=St+Ego+-+Youâre+Over+Me+(Larson+(AR)+Remix)

Not seeing what looks like XSS here, but apparently it's something about the apostrophe that got mangled? Deleting that and typing a new apostrophe in its place no longer results in the XSS warning.

Post by **barbaz** » Thu Jun 29, 2023 1:47 pm

Console messages -

Code: Select all

[NoScript] [InjectionChecker]  
St+Ego+-+Youâ??re+Over+Me+(Larson+(AR)+Remix) /**/
DUMMY_EXPR
 has been flagged as dangerous JS ((Larson+(AR)+Remix) /**/
DUMMY_EXPR
))
[NoScript] [InjectionChecker]  JavaScript Injection in ///?t=ffab&q=St+Ego+-+Youâ??re+Over+Me+(Larson+(AR)+Remix)
function anonymous(
) {
St+Ego+-+Youâ??re+Over+Me+(Larson+(AR)+Remix) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}

Post by **barbaz** » Wed Jul 19, 2023 11:25 pm

No longer occurring in NoScript 11.4.26rc2

InformAction Forums

[Resolved] XSS false positive?

[Resolved] XSS false positive?

Re: XSS false positive?

Re: XSS false positive?