potential cross-site scripting error

Posted: Sun Dec 20, 2009 4:12 am
by NanoGeek
:o

The following works OK:

http://finance.yahoo.com/q?s=BKP.AX,AUD ... to+qcc&d=s


But if "qcc" is changed to "QCC", Noscript (last tried using 1.9.9.27) converts it to:

http://finance.yahoo.com/q?s=BKP.AX,AUD ... 6678466147

Just an annoyance for me, but t

http://finance.yahoo.com/q?s=BKP.AX,AUDUSD=X,CADUSD=X%2CAQN.to%2CALA-UN.to%2CCLL.to%2CDMM.to+dmmif.pk%2CDVT.to+dvtif.pk%2CFNV.to+FNnVf.pk%2CNBD.to+nbrxf.pk%2COPC.to+opcdf.pk%2CPEY-UN.to+peyuf.pk%2CPRT-UN.to+pfsrf.pk%2CWTE-UN.to+wtshf.pk%2CELD.to+EGO%2Circ.to+ROY%2Civn.to+IVN%2CKXM.v+KXM%2Cpve-un.to+PVX%2CQC.to+Q20&d=s#090714086678466147T

There appears to be a length of string issue. If the "BKP.AX," is removed, problem does not manifest.

Re: potential cross-site scripting error

Posted: Mon Dec 21, 2009 6:05 am
by Tom T.
I can't produce any XSS message at any of those sites, including fixing the third link. Searching for Quest Capital in either upper or lower case makes no difference. I allowed scripting for finance.yahoo.com, but not for the parent, http://www.yahoo.com. Even tried allowing streamapis.yahoo.com. RequestPolicy allows requests to yimg.com. I tried temp-allowing *all* requests from yahoo.com. No XSS.

Eventually, placeholder shows up for ad from ad.wsod.com, and shows in blocked-scripts and blocked-objects menu, but still no XSS.

Can you be more specific about what you entered as a search (or is this a saved portfolio page for you?) and where you are getting either a cross-site scripting message, or the potential for one? Everything appears normal to me. Thanks.