
Don't Say No - XSS Warning?

Posted: Wed Sep 10, 2025 5:01 pm
by therube

NoScript .903, Win7 x64, FF 115 ESR

Search Engine is set to: https://www.startpage.com/

Search, dr. no
First hit, Dr. No (film) - Wikipedia -> https://en.wikipedia.org/wiki/Dr._No_(film)

by default (in Startpage), I have left-click set to open link in new tab

clicking (or center-clicking) the wikipedia page link to, https://en.wikipedia.org/wiki/Dr._No_(film)
generates XSS warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from https://www.startpage.com to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)


If I paste, 'https://en.wikipedia.org/wiki/Dr._No_(film)' into a new tab & hit return, I get the same (sort of) warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)

?

(The same does not occur in NoScript 5.1.9 ;-).)

Re: Don't Say No - XSS Warning?

Posted: Wed Sep 10, 2025 5:46 pm
by barbaz
Can confirm that URL trips the XSS filter in NoScript 13.0.8.903. Relevant Browser Console messages:

Code:

[NoScript] [InjectionChecker]  
wiki/Dr._No_(film) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_() log.js:34:15

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/Dr._No_(film)
function anonymous(
) {
wiki/Dr._No_(film) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}

Looks like a false positive, should be safe to allow.
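
Added example (not part of the thread, and not NoScript's own code): the console messages above show the URL path being wrapped in a function body and judged as JavaScript, and this sketch shows why `wiki/Dr._No_(film)` passes such a test, since it reads as `wiki` divided by the call `Dr._No_(film)`. The names `CALL_LIKE`, `compilesAsJs` and `classifyPath`, and the two-part rule (call-like token plus valid syntax), are assumptions made for illustration.

```javascript
// Added illustration; NOT NoScript's actual InjectionChecker code.
// Assumption: a candidate is flagged when it (1) contains a call-like
// token sequence and (2) compiles as the body of a JavaScript function.

const CALL_LIKE = /[A-Za-z_$][\w$]*\s*\(/; // identifier followed by "("

// Compile only, never execute: new Function() parses the body and throws
// SyntaxError when the text is not valid JavaScript. The suffix mirrors
// the shape visible in the console log (comment, newline, dummy expression).
function compilesAsJs(candidate) {
  try {
    new Function(candidate + " /**/\nDUMMY_EXPR");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Take the path of a URL (leading slashes dropped) and report why it
// would or would not be flagged under the assumed rule.
function classifyPath(urlString) {
  const path = new URL(urlString).pathname.replace(/^\/+/, "");
  const callLike = CALL_LIKE.test(path);
  const validJs = compilesAsJs(path);
  return { path, callLike, validJs, flagged: callLike && validJs };
}

// Sample inputs: the first is the URL from the thread, the other two are
// constructed for contrast (unbalanced parenthesis, no parenthesis).
const SAMPLES = [
  "https://en.wikipedia.org/wiki/Dr._No_(film)",
  "https://en.wikipedia.org/wiki/Dr._No_(film",
  "https://en.wikipedia.org/wiki/Main_Page",
];

for (const u of SAMPLES) {
  console.log(JSON.stringify(classifyPath(u)));
}
```

Only the first sample is both call-like and syntactically valid, which is the combination a purely syntactic check cannot tell apart from a real injected call.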