Anti-XSS filter causing problems on valid site
Posted: Sun Feb 21, 2010 4:48 pm
Hi!
The Anti-XSS filter in noscript 1.9.9.47 is causing me major headaches with paying my internet connection bill online!
I'm connected via cable from Cox communications, and login to their site is via their secure login server at https://idm.east.cox.net - once logged in, this redirects to https://service.cox.com or https://ww2.cox.com or any number of other combinations depending on the service selected from the menu ... the only common factor between these addresses is "cox" somewhere after the "https://"
While I can put in an exception filter for this, it is wide open to abuse, and I'm not that familiar with regex that I can tighten it down further. The problem is further compounded by the fact that the yellow line at the top reporting the error disappears a split second after it appears, so that the options button is unavailable. (The target webpage detects the block and redirects back to the source webpage as a login error.)
The regex string I'm using doesn't seem to work as intended - I didn't want to use "https://*.cox.*" since that would also match https://fubar.cox.hacker.org !! The current string is ^https://*\.cox\.(net|com)/ the intention being to ensure that the responding site can only be cox.net/ or cox.com/; however, it is still open to hacker.org/a.cox.net/ - I end up having to disable anti-XSS entirely once each month to pay my bill, and then have to remember to re-enable it afterward.
Is there an easier way of doing this? Regex is a great idea for those familiar with it, but "^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$" is a little on the cryptic side for the average end-user. As the FAQ says: If you're a bit of the "geek" type, you know regular expressions and you're very confident the target web page is immune to XSS vulnerabilities ... what if you're not a bit of the "geek" type, but still need to access sites of the type described above?
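The host-anchoring problem described in the post, worked through as an added example (this is not code from the original post and not NoScript's own matching code). It compares the posted pattern with a regex that anchors the host to cox.net or cox.com and their subdomains, and with a non-regex check that parses the URL and compares the hostname. The sample URLs are constructed for the example; the WHATWG URL class (available in Firefox and Node) is assumed.

```javascript
// Corrected exception rule: "https://", optional subdomain labels, then exactly
// cox.net or cox.com, an optional port, then the "/" that starts the path.
// The required "/" after the host is what stops "cox.net.hacker.org" from
// matching, and the anchored "^https://" is what stops
// "https://hacker.org/a.cox.net/" (whose host is hacker.org).
const COX_RULE = /^https:\/\/([a-z0-9-]+\.)*cox\.(net|com)(:\d+)?\//i;

// The pattern from the post, written as a JS regex literal. "//*" means
// "one slash, then zero or more slashes", followed by a literal ".", so it
// only matches strings like "https://.cox.net/" and never a real Cox URL.
const POSTED_RULE = /^https:\/\/*\.cox\.(net|com)\//i;

// Same policy without a regex: parse the URL and compare the parsed hostname.
// Parsing also handles oddities a hand-written regex can miss (userinfo,
// percent-encoding, uppercase hosts).
function isCoxHost(url) {
  let u;
  try {
    u = new URL(url);           // assumed: WHATWG URL class
  } catch (e) {
    return false;               // unparsable URL: do not exempt it
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return ["cox.net", "cox.com"].some(d => host === d || host.endsWith("." + d));
}

// Constructed sample URLs: the legitimate hosts named in the post plus the
// lookalikes the poster was worried about.
const SAMPLES = [
  "https://idm.east.cox.net/login",
  "https://service.cox.com/",
  "https://ww2.cox.com/account?id=1",
  "https://fubar.cox.hacker.org/",
  "https://hacker.org/a.cox.net/",
  "https://cox.net.hacker.org/",
  "http://service.cox.com/",
];

// Apply a rule to every sample and report which URLs it would exempt.
function evaluate(rule, samples) {
  return samples.map(url => ({ url, allowed: rule.test(url) }));
}

// Stand-alone run: print the verdict of each rule next to the parser-based check.
for (const url of SAMPLES) {
  console.log(
    url.padEnd(36),
    "posted=" + POSTED_RULE.test(url),
    "fixed=" + COX_RULE.test(url),
    "parsed=" + isCoxHost(url)
  );
}
```

Only the first three sample URLs are exempted by the corrected rule and by the parser-based check; the posted pattern exempts none of them, which is consistent with the poster still seeing the block after adding it.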