NoScript vs. PrintWhatYouLike
Posted: Fri Aug 13, 2010 3:48 pm
PrintWhatYouLike is a great bookmarklet to improve print quality of Web pages. More, PWYL let you save web page as a PDF file and/or HTML file.
Unfortunately there's some kind of conflict between "Save as PDF"/"Save as HTML" functions of PWYL and NoScript. Every time I try to use those specific functions I get an XSS Warning and the operation get aborted.
Here you are the Error Console log.
I'm using NoScript 2.0.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8.
NOTE - All other PWYL functions do work correctly in conjunction with NoScript.
Thanks for the attention.
Unfortunately there's some kind of conflict between "Save as PDF"/"Save as HTML" functions of PWYL and NoScript. Every time I try to use those specific functions I get an XSS Warning and the operation get aborted.
Here you are the Error Console log.
Code: Select all
[NoScript XSS] Sanitized suspicious upload to [http://www.printwhatyoulike.com/html_to_pdf§DATA§<html><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><base target="_blank" href="http://noscript.net/"><title>NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? - InformAction </title><link rel="stylesheet" type="text/css" href="http://software.informaction.com/data/oss.css"><style type="text/css">
.maconly { display: none; }
</style><link href="http://www.printwhatyoulike.com/editor/css/toolbar_all.css" id="ppw_css_all" media="all" type="text/css" rel="stylesheet"></head><body style="cursor: auto;"><div style="margin: 0.3in;" id="ppw_spacer"><div class="ppw_isolate" id="ppw_isolate_0"><div style="background-image: url("http://software.informaction.com/data/content-bg.jpg"); background-position: 100% 0%; background-repeat: no-repeat; border-color: rgb(51, 68, 68); color: rgb(51, 68, 68); empty-cells: show; font-family: trebuchet ms,verdana,arial,helvetica,sans-serif; font-size: 12px; line-height: 18px; margin-left: 0px; padding: 8px; text-align: left; -moz-column-gap: 12px; -moz-column-rule-color: rgb(51, 68, 68); background-color: rgb(255, 255, 255);" class="content">
<!-- SUMMARY_START -->
<div style="float: right; padding: 16px; clear: right;">
<img src="http://software.informaction.com/data/noscript/ss0.png" alt="The NoScript status bar menu" style="border: 1px solid rgb(68, 68, 68); padding: 1px; background-color: rgb(221, 221, 221);">
<br>
<div style="width: 280px;">
<div id="donation2"><div style="float: left; padding: 0pt 8px;">
<iframe allowtransparency="true" marginwidth="0" marginheight="0" border="0" src="http://api.flattr.com/button/view/?uid=0&url=http%3A%2F%2Fnoscript.net&language=&hidden=0&title=&category=&tags=&description=" scrolling="no" frameborder="0" height="60" width="50"></iframe>
<style type="text/css">.flattr_noscript{display:none}</style>
<span class="flattr_noscript">
<a href="http://flattr.com/thing/42724/NoScript" target="_blank">
<img src="http://api.flattr.com/button/button-static-50x60.png" alt="Flattr this" title="Flattr NoScript!" border="0"></a>
</span>
</div><strong>NoScript</strong> is <a href="http://www.gnu.org/copyleft/gpl.html" target="_blank" rel="nofollow external">Free Software</a>, but if you like it, you can support its progress :)<form class="donation" action="https://www.paypal.com/cgi-bin/webscr" method="get" target="_blank">
<input name="cmd" value="_donations" type="hidden">
<input name="item_name" value="NoScript development support donation" type="hidden">
<input name="item_number" value="freenoscript" type="hidden">
<input name="page_style" value="NoScript" type="hidden">
<input name="no_shipping" value="1" type="hidden">
<input name="no_note" value="1" type="hidden">
<input name="cn" value="Comments" type="hidden">
<input name="currency_code" value="USD" type="hidden">
<input name="tax" value="0" type="hidden">
<input name="bn" value="PP-DonationsBF" type="hidden">
<input name="lc" value="US" type="hidden">
<input src="http://software.informaction.com/data/donate2.gif" name="submit" alt="make a donation" title="Donate with PayPal - it's fast, free and secure!" type="image">
<input name="business" value="g.maone@informaction.com" type="hidden">
<!--
<input type="hidden" name="return" value="http://software.informaction.com/donate/ok.php" />
<input type="hidden" name="cancel_return" value="http://software.informaction.com/ko.php" />
-->
</form>
</div></div>
</div>
<a href="http://pcworld.com/reviews/article/0,aid,125706,00.asp" target="_blank" rel="nofollow external"><img style="float: left; padding: 16px; border: medium none;" src="http://software.informaction.com/data/wc06.jpg" alt="2006 PC World World Class"></a>
<h1 class="quote">There's a browser <strong>safer than Firefox</strong>...
<br>...it is Firefox, <strong>with NoScript</strong>!</h1>
<div style="width: 200px; float: right;" class="yell">
<div style="margin: 8px;">
<h4><a href="http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/" target="_blank">Fight CLICKJACKING Now!</a></h4>
</div>
</div>
<p>
The <b>NoScript Firefox extension</b> provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers:
this free, open source add-on allows <strong><a href="http://en.wikipedia.org/wiki/JavaScript" target="_blank" rel="nofollow external">JavaScript</a>,
<a href="http://en.wikipedia.org/wiki/Java" target="_blank" rel="nofollow external">Java</a> and
<a href="http://en.wikipedia.org/wiki/Adobe_Flash" target="_blank" rel="nofollow external">Flash</a> and other
<a href="http://hackademix.net/2009/02/07/browser-plugins-add-ons-and-security-advisers/">plugins</a></strong>
to be executed only by <strong>trusted web sites of your choice</strong> (e.g. your online bank),
and provides <strong>the most powerful <a href="/features#xss">Anti-XSS protection</a></strong> available in a browser.
</p>
<p>
NoScript's unique <strong>whitelist based pre-emptive script blocking</strong> approach
prevents exploitation of <strong>security vulnerabilities</strong> (known and <strong>even not known yet</strong>!)
with no loss of functionality...
</p>
<p>
You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click
on the <a href="http://noscript.net/features"><strong>NoScript status bar icon</strong></a> (look at the picture), or
using the contextual menu, for easier operation in popup statusbar-less windows.<br>
<a href="http://www.youtube.com/watch?v=GzBqnLgOzwM" target="_blank" rel="nofollow external">Watch the "Block scripts in Firefox" video</a>
by <strong>cnet</strong>.
</p>
<p>
<strong>Staying safe has never been so easy!</strong><br>
<span style="font-size: 125%;">Experts will agree: <strong class="loud">Firefox is really safer with NoScript</strong>!</span>
</p>
<p>
<style type="text/css">#hz0ep a { background: transparent
url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABsAAAAYCAYAAAALQIb7AAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9gLHBAeHIPALTQAAAKWSURBVEjH1ZTLS9RRGIaf89O5CGMijukgDAxaixJShtRAyYVluYo2QYkhhLWpwJ0iiu2GoIVCIP4BSX+C0dLLwjYVg7mQREXMgTS8gOB5W5wmrcbR0IE6cDhXvud8H+974B9v7cA6cCvXoErP46PPhzyPKSCaK1Ae0B+LoZ4ebCyGgKfG4OUCdsnz2HnyBEno8WPkeXwFzuUCNl5VhZaXsZIbKysRMHbaoHv5+Wh4GKVSaGQEu7rq1j4fAm6cFigIfInH0coKtrkZAbp8GS0tYWtrEfD5tGAvAU1PY5NJB0r3ZBJNTv5cPzspKA5sdXQ4UczOYiMRF7ysDM3Ouv32dvTDe7ETiaK4GJtKuaALCyged7DqajQ/7/bX1lBREXvA62zBsnnkAXAlkcCUlLiNQAAiETc/e9atAcJhSCTwgGvA7b9KxxiiwFRTE/r2zUldQuvrqKvLZXbnjlNm+mxjAzU2IuCN5xE+dmYS942hYWAAQqEDsgxmzgygsBD19wNw1VruHhcWBzofPYL6emQMJn0QCEB5uZuXloLf/0s1TEMDdHXhAzqN4cJRFQwBQ9EompraL9HBPj6OiovR2Fjm84kJVFGBgAHAnw3WBNi+vsyBrEW7u2hzE21vo729jPdsby8CNoDaw0BngLfxOJqbw0pYa38NtLWFBgedQNra0MrKn49J+7GmBgGvgIJMsM6CAjQ05NT3O0hCi4uorm7/B3n3LnP2EnrxAgWDCLj5O6jMGNauX3dlyFRCyZVtdBRdvIgePnRWOOyutdiWFmQMH9KQ/B/jc7+fcGMjmpnB7Owc6j+iUejudkZ+/z7L7x3EtLaiiQmq0/HSsv4EnA+FUF7evtSzmB7p6M/BWrS5iZGOjvl/t+8u7cPXdW0sgAAAAABJRU5ErkJggg==")
no-repeat center left;
padding: 8px 8px 8px 32px;
display: block;
text-decoration: none;
font-size: 120%; }</style></p><div><div><div><div><div id="hz0ep"><div><div><u></u><u></u><u></u><a href="/ep/hz/otkssohqbrnm73HGIYep" target="_blank"><strong>Tip: </strong><span style="text-decoration: underline;">Click here to scan for System Errors and Optimize PC Performance</span></a><u></u><u></u><u></u><u></u><u></u><u></u><u></u></div></div></div></div></div></div></div>
<div style="margin: 4px 8px; clear: both;">
<h5 style="font-weight: normal; margin: 0px;">sponsored links</h5>
<div class="sponsored">
<ul class="tls">
<li><span> <a href="http://www.carloan4u.co.uk">Car Loans</a> </span></li>
<li><span> <a href="http://www.zenreviews.com">Software Reviews</a> </span></li>
<li><span>download <a href="http://www.iambigbrother.org">iambigbrother</a> software</span></li>
<li><span> <a href="http://www.identityguard.com">Identity Theft</a> </span></li>
<li><span> <a href="http://www.officesupplyoutfitters.com/lasprinsup.html">toner cartridges</a> </span></li>
<li><span>Free Norton <a href="http://www.freeantivirushelp.com">Free Antivirus Download</a> here</span></li>
<li><span>Download <a href="http://www.nortonantiviruscenter.com/">Norton AntiVirus</a> Coupon, Rebate</span></li>
<li><span> <a href="http://www.patentfish.com/web-browser">web browser patents</a> </span></li>
</ul></div>
</div>
<div class="section yell" style="float: right; width: 45%; clear: right; padding-left: 8px;">
<h4 id="fgannouncement" style="margin-top: 0px;">V. 2.0.1 - Browse Safer, Browse Smart!</h4>
<p><strong>If you find any bug or you'd like an enhancement, please report <a href="/forum">here</a> or
<a href="http://maone.net">here</a></strong>. Many thanks!
</p>
<div id="news" style="padding: 4px 8px 16px 16px; margin-top: 0px;">
<h5>Main good news</h5>
<ul>
<li>More administrators-friendly <strong><a href="http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/" target="_blank">protection against
DNS-rebinding attacks targeted to routers</a></strong>: device fingerprinting can be turned off by sending a "X-ABE-Fingerprint: Off" HTTP header,
and fingerprinting requests (sent every 15 minutes instead of 5 now) are identified by a "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" User-Agent header.
Furthermore, custom local subnets or IPs can be configured as a space-separated list in the
<strong>noscript.abe.localExtras</strong> <em>about:config</em> preference.
</li>
<li>Restored compatibility with latest SeaMonkey and Firefox trunk builds.</li>
<li>Better <a href="/faq#clearclick">ClearClick</a> accuracy on very tiny iframes.</li>
<li>Faster and more compatible <a href="/features#xss">anti-XSS protection</a>.</li>
<li>Several new
<a href="http://hackademix.net/2010/01/06/noscript-against-pop-unders/" target="_blank">Anti-anti-adblocker Surrogate Scripts</a>
to prevent pages from breaking when ads are disabled.</li>
<li><strong>NoScript 1.10.x is the last serie supporting Firefox 2.0 and older browsers.</strong>
It will be updated only if affected by serious security vulnerabilities (very unlikely).
This will allow the upcoming NoScript 2.x series to be developed faster and better,
by removing legacy compatibility code and fully leveraging the latest APIs and language features.</li>
<li>Built-in <a href="http://noscript.net/abe" target="_blank">ABE</a> ruleset editor.</li>
<li>Better <a href="http://hackademix.net/2009/01/25/surrogate-scripts-vs-google-analytics/" target="_blank">Surrogate Scripts</a> error management
and new built-in surrogates to <strong>securify AMO add-ons installation against MITM attacks</strong> and improve Google search
experience when scripts are disabled.</li>
<li>Full <strong>protection against Aviv Raff's scriptless
<a href="http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/" target="_blank" rel="nofollow external">tabnagging</a>
variant</strong>, by blocking refreshes triggered on unfocused untrusted tabs. See the <a href="changelog#v1.9.9.82">changelog</a> for more details.</li>
<li>Important <a href="http://noscript.net/abe">ABE</a> enhancements: same domain origin matching (SELF+), same base domain origin matching (SELF++)
and INCLUSION pseudo-method for fine-grained subrequests matching, see the <a href="http://noscript.net/abe/abe_rules.pdf">updated ABE rules specification</a> for details.</li>
<li>Experimental <strong>external filters for plugin content</strong> (e.g.
<a href="http://blitzableiter.recurity.com" target="_blank" rel="nofollow external">Blitzableiter</a> to sanitize Flash applets).
It requires Firefox 3.5 and above, and it can be configured from the new <em>NoScript Options|Advanced|External Filters</em> panel.
To activate the built-in Blitzableiter support you need to enable filters, download Blitzableiter binaries and tell NoScript where the executable is.
<em>Please notice that Blitzableiter is in its early development stages, and it breaks a lot of Flash content.</em>
</li>
<li>Improved and updated <a href="http://www.mozilla.com/it/mobile/">Firefox Mobile</a> (Fennec) support:
NoScript's UI has been moved inside the location bar, and options have been simplified down to 4 preset configurations
(you can still perform fine-grained cofiguration in <em>about:config</em> or via Weave Sync).</li>
<li>The long awaited pluggable <strong>site info page</strong>, can be opened
by middle-clicking or shift+clicking on any site entry in
NoScript's menus.</li>
<li>Enhanced usability of <a href="/features#contentblocking">universal Flash blocking</a>.</li>
<li>Improved <a href="http://noscript.net/faq#https">HTTPS enforcing</a>.</li>
<li><a href="http://hackademix.net/2009/09/23/strict-transport-security-in-noscript/" target="_blank">Strict Transport Security</a> support.</li>
<li>New <a href="/faq#qa2_4">Import/Export buttons</a> in the <em>NoScript Options</em> dialog, backup the whole NoScript configuration in a single JSON file, as a disconnected alternative to the
<a href="http://hackademix.net/2009/05/13/synchronizing-noscript-configuration-using-weave-or-xmarks/" target="_blank" rel="external">Weave/XMark synchronization functionality</a> <em>(Fx 3 and above)</em>.</li>
</ul>
More in the <a href="changelog">changelog</a>...
</div>
</div>
<h4>Experts do agree...</h4>
<p>08/06/2008, "<cite>I'd love to see it in there.</cite>" (<a href="http://en.wikipedia.org/wiki/Window_Snyder" target="_blank" rel="nofollow external">Window Snyder</a>, "Chief Security Something-or-Other" at Mozilla Corp.,
<a href="http://blogs.zdnet.com/security/?p=1659" target="_blank" rel="nofollow external">interviewed by ZDNet</a> about "adding NoScript functionality into the core browser").</p>
<p>03/18/2008, "<cite>Consider switching to the Firefox Web browser with the NoScript plug-in.
NoScript selectively, and non-intrusively, blocks all scripts, plug-ins,
and other code on Web pages that could be used to attack your system during visits</cite>"
(Rich Mogull on TidBITS,
<a href="http://db.tidbits.com/article/9511" rel="nofollow external" target="_blank">Should Mac Users Run Antivirus Software?</a>).
</p>
<p>
11/06/2007, <a href="http://www.crockford.com/" target="_blank" rel="nofollow external">Douglas Crockford</a>,
world-famous JavaScript advocate and developer of JSON (one of the building blocks of Web 2.0),
<a href="http://blog.360.yahoo.com/blog-TBPekxc1dLNy5DOloPfzVvFIVOWMB0li?p=715" rel="nofollow external">recommends using NoScript</a>.
</p>
<p>
03/16/2007, <strong><a href="http://isc.sans.org/diary.html?storyid=2460" target="_blank" rel="nofollow external">SANS Internet Storm Center</a></strong>, the authoritative source
of computer security related wisdom, runs a front-page
<a href="http://isc.sans.org/diary.html?storyid=2460" target="_blank" rel="nofollow external">Ongoing interest in Javascript issues</a>
diary entry by <a target="_blank" href="http://www.stearns.org" rel="nofollow external">William Stearns</a> just to say "Please, use NoScript" :)
<br>Actually, NoScript has been recommended several times by SANS,
but it's nice to see it mentioned in a dedicated issue,
rather than as a work-around for specific exploits in the wild.
Many thanks, SANS!
</p>
<p>
05/31/2006, <span style="font-size: 120%;">
<strong>PC World's
<a href="http://pcworld.com/reviews/article/0,aid,125706,00.asp" target="_blank" rel="nofollow external">The 100 Best Products of the Year</a></strong> list
features NoScript at #52!</span>
</p>
<p>
Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly
<a href="http://forums.mozillazine.org/viewtopic.php?p=2292740#2292740" target="_blank" rel="nofollow external">reported</a> these news...
</p>
<h4>In the press...</h4>
<ul>
<li>
<a href="http://news.cnet.com/8301-13880_3-10190436-68.html" target="_blank" rel="nofollow external"><b>CNET News</b></a>:
"<cite>Giorgio Maone's NoScript script-blocking plug-in is the one-and-only Firefox add-on I consider mandatory.</cite>"
(March 9, 2009, Dennis O'Reilly, <i>Get a new PC ready for everyday use</i>)
</li>
<li>
<a href="http://www.forbes.com/2008/12/11/virus-filter-avira-tech-security-cx_ag_1211virus.html" target="_blank" rel="nofollow external"><b>Forbes</b></a>:
"<cite>The real key to defeating malware isn't antivirus but approaches like Firefox's NoScript plug-in, which blocks Web pages from running potentially malicious programs</cite>"
(Dec 11, 2008, Andy Greenberg, <i>Filter The Virus Filters</i>).
</li>
<li>
<b>PC World</b>: <a href="http://www.pcworld.com/article/id,128536/article.html" target="_blank" rel="nofollow external"><cite>Internet Explorer 7 Still Not Safe Enough</cite></a>
because it doesn't act like "<cite>NoScript [...] an elegant solution to the problem of malicious scripting</cite>"
(<a class="deepquote" href="%20http://pages.citebite.com/i8s7h8d7ourg" title="Jump to the cite bite highlight for this article" rel="nofollow external">cite bite</a>)
</li>
<li>
<a target="_blank" href="http://www.nytimes.com/2007/01/07/technology/07tips.html" rel="nofollow external"><b>New York Times</b></a>:
"<cite>[...] NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC</cite>",
(Jan 7, 2007, John Markoff, <i>Tips for Protecting the Home Computer</i>).
</li>
<li>
<b>PC World</b>'s <a target="_blank" href="http://www.pcworld.com/howto/article/0,aid,122500,00.asp" rel="nofollow external"><i>Ten Steps Security</i></a>
features using NoScript as step #6.
(<a class="deepquote" href="http://pages.citebite.com/u9a0s6xadys" title="Jump to the cite bite highlight for this article" rel="nofollow external">cite bite</a>)
</li>
<li>The
<a target="_blank" href="http://blog.washingtonpost.com/securityfix/2005/11/incomplete_advice_from_uncle_s.html" rel="nofollow external"><b>Washington Post</b> security blog</a>
compares MSIE "advanced" security features (like so called "Zones") to Firefox ones and recommends NoScript adoption as the safest and most usable approach.
(<a class="deepquote" href="http://pages.citebite.com/g9k0f4hckql" title="Jump to the cite bite highlight for this article" rel="nofollow external">cite bite</a>)
</li>
</ul>
<div class="signature">
<a href="http://maone.net">Giorgio Maone</a>
</div>
<!-- SUMMARY_END --><div class="details-bar"><a href="http://noscript.net/whats">what is it?</a> <a href="http://noscript.net/features">features</a> <a href="http://noscript.net/changelog">changelog</a> <a href="http://noscript.net/screenshots">screenshots</a> <a href="http://noscript.net/forum">forum</a> <a href="http://noscript.net/faq">faq</a> <a href="http://noscript.net/getit">get it!</a> <a href="http://www.informaction.com/?page=privacy">privacy</a> </div></div></div></div></body></html>
] from [http://noscript.net/]: transformed into a download-only GET request.NOTE - All other PWYL functions do work correctly in conjunction with NoScript.
Thanks for the attention.
.)