Don't Say No - XSS Warning?

Posted: Wed Sep 10, 2025 5:01 pm
by therube
NoScript .903, Win7 x64, FF 115 ESR

Search Engine is set to: https://www.startpage.com/

Search, dr. no
First hit, Dr. No (film) - Wikipedia -> https://en.wikipedia.org/wiki/Dr._No_(film)

by default (in Startpage), I have left-click set to open link in new tab

clicking (or center-clicking) the wikipedia page link to, https://en.wikipedia.org/wiki/Dr._No_(film)
generates XSS warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from https://www.startpage.com to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)


If I paste, 'https://en.wikipedia.org/wiki/Dr._No_(film)' into a new tab & hit return, I get the same (sort of) warning?

Code:

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://en.wikipedia.org.

Suspicious data:

(URL) https://en.wikipedia.org/wiki/Dr._No_(film)

?

(The same does not occur in NoScript 5.1.9 ;-).)

Re: Don't Say No - XSS Warning?

Posted: Wed Sep 10, 2025 5:46 pm
by barbaz
Can confirm that URL trips the XSS filter in NoScript 13.0.8.903. Relevant Browser Console messages:

Code:

[NoScript] [InjectionChecker]  
wiki/Dr._No_(film) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_() log.js:34:15

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/Dr._No_(film)
function anonymous(
) {
wiki/Dr._No_(film) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}

Looks like a false positive, should be safe to allow.

Re: Don't Say No - XSS Warning?

Posted: Sun Dec 28, 2025 10:16 am
by amloessb
I am also encountering this issue, even when inputting the URL directly into the navigation bar.

In my case, this is triggered by the Wikipedia page USS William D. Porter (DD-579)

I was going to suggest that presence of a period/full stop & parentheses in the URL was tripping the XSS detection somehow, but then USS John F. Kennedy (CV-67) doesn't trigger the spurious warning.

(NoScript 13.5.5, Firefox 146.0.1, tested on a fresh profile with only NoScript installed)

Re: Don't Say No - XSS Warning?

Posted: Sun Dec 28, 2025 5:15 pm
by barbaz
Browser Console messages:

Code:

[NoScript] [InjectionChecker]  
wiki/USS_William_D._Porter_(DD-579) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_()

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/USS_William_D._Porter_(DD-579)
function anonymous(
) {
wiki/USS_William_D._Porter_(DD-579) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}

amloessb wrote: Sun Dec 28, 2025 10:16 am
> I was going to suggest that presence of a period/full stop & parentheses in the URL was tripping the XSS detection somehow, but then USS John F. Kennedy (CV-67) doesn't trigger the spurious warning.

It does for me:

Code:

[NoScript] [InjectionChecker]  
wiki/USS_John_F._Kennedy_(CV-67) /**/
DUMMY_EXPR
 has been flagged as dangerous JS (_()

[NoScript] [InjectionChecker]  JavaScript Injection in ///wiki/USS_John_F._Kennedy_(CV-67)
function anonymous(
) {
wiki/USS_John_F._Kennedy_(CV-67) /* COMMENT_TERMINATOR */
DUMMY_EXPR
}

Quickly testing your suggestion, these do not trigger an XSS warning:

Code:

http://localhost/foo(aaa)
http://localhost/foo_(aaa)
http://localhost/foo.(aaa)

But these do:

Code:

http://localhost/foo._(aaa)
http://localhost/foo.a(bcd)

The triggering pattern seems to be if it looks like valid JavaScript code of the form

Code:

object.function(argument)

Not sure if this can be "globally fixed" without weakening the XSS filter?
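As an added illustration (not NoScript's own code), the following models the hypothesis in this thread: a path fragment is wrapped the way the Browser Console output shows (function body, comment terminator, dummy expression) and handed to the JS parser, combined with a check for the object.function(argument) shape. The wrapper strings, the member-call regex and the path normalisation (decoded, leading slashes stripped) are assumptions chosen to match the URLs tested above; NoScript's real InjectionChecker has further heuristics the thread does not show.

```javascript
// Added example, not NoScript's code: a minimal model of the trigger
// discussed in this thread, built from the Browser Console output above.
// NoScript's real InjectionChecker has more heuristics than this, so the
// model only claims to agree with the URLs the thread tested.

// The "object.function(argument)" shape: identifier, dot, identifier, "(".
const MEMBER_CALL = /[A-Za-z_$][\w$]*\.[A-Za-z_$][\w$]*\s*\(/;

// Assumed normalisation: decoded path with leading slashes removed, giving
// "wiki/Dr._No_(film)", the fragment the console shows being wrapped.
function pathFragment(url) {
  return decodeURIComponent(new URL(url).pathname).replace(/^\/+/, "");
}

// Wrap the fragment the way the console output shows and let the engine's
// own parser decide whether it is syntactically valid JavaScript. The
// function is only constructed, never called.
function parsesAsJs(fragment) {
  const body = `${fragment} /* COMMENT_TERMINATOR */\nDUMMY_EXPR`;
  try {
    Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// In this model a URL is suspicious only when its path both has the
// member-call shape and parses as JavaScript.
function isFlagged(url) {
  const fragment = pathFragment(url);
  return MEMBER_CALL.test(fragment) && parsesAsJs(fragment);
}

// The URLs from the thread, paired with the result the posters reported.
const CASES = [
  ["https://en.wikipedia.org/wiki/Dr._No_(film)", true],
  ["https://en.wikipedia.org/wiki/USS_William_D._Porter_(DD-579)", true],
  ["https://en.wikipedia.org/wiki/USS_John_F._Kennedy_(CV-67)", true],
  ["http://localhost/foo(aaa)", false],
  ["http://localhost/foo_(aaa)", false],
  ["http://localhost/foo.(aaa)", false],
  ["http://localhost/foo._(aaa)", true],
  ["http://localhost/foo.a(bcd)", true],
];

function allCasesAgree() {
  return CASES.every(([url, expected]) => isFlagged(url) === expected);
}
```

Note that `foo(aaa)` parses as JavaScript on its own, so the syntax check alone would flag far more paths than the thread observed; the member-call shape is what narrows it to the reported cases.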