InformAction Forums

At:

http://js-kit.com/api/static/pop_commen ... &label=Add New Comment&title=Mish's Global Economic Trend Analysis: Bill Gross Ponders %22Deep Demographic Doo-Doo%22&adminBgColor=#DDDDDD

I tried to reply to a comment there. When I clicked submit, I got a yellow bar at the top of the browser with the messgae:

NoScript filtered a potential cross-site scripting (XSS) attempt from [about:blank]. Technical details have been logged to the Console.

When I have encountered this in the past, for sites I trust, I just click the "Unsafe reload" under the options and that has generally worked in the past. On this site, sometimes I had to do a complete resubmit option.

But now the clicking "unsafe reload" wipes out the post I wanted to make. It is gone. Poof! I tired this 3 times and each time the post disappeared.

Is this a bug or do I need to add something to one of the NS options panels?

No one knows what this problem is?

Why am I not being allowed to execute an "unsafe reload" if I so choose?

I created an account and tried to reproduce, but with no luck (managed to post two test comments, now waiting for moderation).
Can I see the [NoScript XSS] message (white/blue) lines you should get in Tools|Error Console when this happens?
(You'd better filter out "Errors" and "Warnings" by pushing only the "Messages" button).

JS-Kit is an awful system! I tried the post again and this is the error msgs I got:

[NoScript XSS] Sanitized suspicious upload to [http://js-kit.com/comment.put§DATA§%3 ... class.html] from [about:blank]: transformed into a download-only GET request.
----------
Warning: Error in parsing value for 'filter'. Declaration dropped.
Source file: http://js-kit.com/api/static/pop_commen ... =%23DDDDDD
Line: 1
----------
Warning: Unknown property 'zoom'. Declaration dropped.
Source file: http://js-kit.com/api/static/pop_commen ... =%23DDDDDD
Line: 1
----------
Error: Component is not available
Source file: file:///D:/Documents%20and%20Settings/XXXXX/Application%20Data/Mozilla/Firefox/Profiles/5m9whfmt.default/gm_scripts/antidisabler.user.js
Line: 52

May I ask you whether the problem persists if you disable all your extensions (especially GreaseMonkey)?
If it does, as a work-around you can paste the following line at the bottom of your NoScript Options|Advanced|XSS|Exceptions box: Good luck and let me know.

Disabling all my extensions is a real pain. If I remember correctly, last time I did this, I had to reenable each one individually (that's around 50 of them). FF does not make it easy to trouble shoot individual extensions.

What would be the downside of just adding that piece of code you specify and then trying the operation again?

Or is there a special exception I can put in place for this particular site?

Jojo999 wrote:Disabling all my extensions is a real pain. If I remember correctly, last time I did this, I had to reenable each one individually (that's around 50 of them). FF does not make it easy to trouble shoot individual extensions.

Standard Diagnostic.
However, at least knowing whether is conflict-caused would be great (and my suspect are for some GreaseMonkey user scripts, anyway).

Jojo999 wrote:What would be the downside of just adding that piece of code you specify and then trying the operation again?

Almost none (assuming that js-kit is not vulnerable to XSS), but we wouldn't discover whether everybody else need this work-around as well.

I tried the post again on newer variations of the same forum (each new blog post generates a new independent forum in JS-Kit. Sheese).

This particular post was the only one causing a problem for me. I normally post some excert from an article and a URL to the remainder of the article in these forums.

So I went to the URL I was posting to see if there was anything to see there. I discovered that the article I was pointing to was now restricted view and they wanted payment to view the whole thing.

This was the URL to the article:
http://www.newscientist.com/article/mg2 ... class.html

Maybe if you use this URL, you can figure out what they are doing that is causing the XSS problem.

So problem #1 is why is this URL causing the XSS error.

And problem #2 is that IF I choose to do an "unsafe reload", then I need to be allowed to do so.

I could disable greasemonkey but I am not going to disable all my extensions and then try and reenable them one by one. That would take weeks to do and would impact my ability to work normally.

Jojo999 wrote:I could disable greasemonkey but I am not going to disable all my extensions and then try and reenable them one by one.

Thanks for checking GreaseMonkey, but please notice that you don't needed to "reenable them one by one": as the Standard Diagnostic article I linked suggests, you can use a "binary search" algorithm, which is considerably faster.

I've argued about extensions too often with the FF fanboys on their forum. FF just does not make it easy to troubleshoot extensions.

They don't give you any memory monitoring for individual extensions. They don't give you any checkboxes to turn on/off selected extensions. They don't have hot enable/disable functionality.

You have to disable them all at once and then you have to go to each extension and enable it. You have to shutdown and restart FF to flip their active status (enabled or disabled). That binary half scheme might work or it might not. What if the problem involves more than one extension and one of them is in the first half and the other is in the second half?

And there are all kinds of other possibilities. For instance, plug-in's instead of extensions. Or the fact that FF never cleans up/out old PREFS.

Normal users don't have the time, fortitude nor expertise to debug tens of extensions with such limited support from FF! FF fanboys in the support forums know this, which is why they are always recommending this action. They know that 99% of the users will say screw it and go away so they can work on simple problems.

I'll work with you on reasonable debugging efforts but I draw the line at where extensions have to be enabled/disabled.

Also note that I wasn't having any problems until you moved to the 2.0 release, inn case some change made there might be at the root.

Jojo999 wrote:Also note that I wasn't having any problems until you moved to the 2.0 release, inn case some change made there might be at the root.

That would be very easy to check.

Giorgio Maone wrote:May I ask you whether the problem persists if you disable all your extensions (especially GreaseMonkey)?
If it does, as a work-around you can paste the following line at the bottom of your NoScript Options|Advanced|XSS|Exceptions box:

Code: Select all

^http://js-kit\.com/comment\.put

Good luck and let me know.

I have kept getting a few posts that get disintegrated when posting to the JS-Kit driven forum. Strangely enough, the problem occurs not only in FF but also in IE8???

So I put the code exception line in as noted above.

This seems to have solved the problem and a post I was having problems with immediately started working. No need to restart FF either.

Thanks!

Jojo999 wrote:Strangely enough, the problem occurs not only in FF but also in IE8???

IE8 has also its XSS filter.