XSS errors throw me
Posted: Wed Mar 24, 2010 11:40 am
Hi
I'm quite a long-term satisfied user of NoScript but I'm afraid the XSS functionality is defeating me and I think it will others too. I'm in IT but not a geek so am not completely clueless. But I really don't have the time to do all the research and fiddling about that it seems that XSS errors need. Hopefully the below experience will illustrate this and hopefully others more knowledgeable than me can suggest areas that could be improved upon (for me and NS!).
An example:
I was using http://www.consumerdirect.gov.uk/contact#sendemail and filled out a web form. Along the way it said that it needed javascript so I made an exception in NoScript. I filled out the form and after submitting it, an XSS error popped up saying that it had logged the details to the console. First of all I don't know what console this is or where it is. Secondly all the form data I'd filled out seemed to have been dumped.
The XSS error had two choices (neither of which I understood or can recall now). So I ended up firing up IE and filling out the form - not really the desired end-result I'm sure you'd agree.
Later on when I had some time, I looked into it a little more. I then discovered the existence of the Firefox Error Console and had to really hunt down the XSS error (there's no date/time logging or search apparent). The console is filled with all sorts and I eventually found some relevant entries:
Warning: Unknown property 'align-text'. Declaration dropped.
Source File: http://www.consumerdirect.gov.uk/contac ... n=complain
Line: 0
Warning: Error in parsing value for 'min-width'. Declaration dropped.
Source File: http://www.consumerdirect.gov.uk/sitepa ... les/cn.css
Line: 1066
Warning: Expected colour but found 'hidden'. Error in parsing value for 'outline'. Declaration dropped.
Source File: http://www.consumerdirect.gov.uk/sitepa ... s/main.css
Line: 486
[NoScript XSS] Sanitised suspicious upload to [http://www.consumerdirect.gov.uk/contac ... n=complain] from [https://ssl.datamotion.com/(S(t1zhoh45tt0gdjqtyimgnjay))/form.aspx?co=894&frm=complainform&ri=WM&to=advice]: transformed into a download-only GET request.
Hopefully these will mean something to someone, but what I really wanted at the time of the XSS error was:
- a way to retrieve my lost form data
- an intelligible error message to pop-up that I could make some sense of and then send to the webmaster
- to temporarily mark the site safe for XSS (just like for javascript) so I can resubmit my form
Or is there another way to cope with these XSS errors (which I find are pretty few and far between)?