questions on the anti-xss protection exceptions

[thankfulfornoscript]

Hi! I searched on the forums for this question and in the faqs but couldn't find a thread on it so am posting here.

In the XSS tab shows that 'Sanitize cross site suspicious requests' and 'Turn cross site post requests into data-less get requests' are both checked and the following is in the exceptions:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$

I don't know how they are added but I didn't add any. I am having redirect problems via google and other links on sites, and some pages just show either nothing or an error code. I would think it's totally unrelated to the exceptions as I don't see posts here in the forums regarding redirects.

I understand somewhat what xss is, but when I read in the XSS tab that 'destinations matching .. will not be protected against xss' I was wondering if these expressions could be a problem and wondering if I should remove them and if so, how do I remove them.

Thanks for your help!

[dhouwn]

how do I remove them.

Simply edit the text box, e.g. click in the line you want to delete, press home, hold down shift and press end, then press del.

but when I read in the XSS tab that 'destinations matching .. will not be protected against xss' I was wondering if these expressions could be a problem and wondering if I should remove them and if so,

The exceptions are there for a reason, for example if you remove the Google line and then do a Google search for "foo(bar)" then the XSS alarm will go off. The exceptions are not very broad so the security loss should be negligible.

[Guest]

Hi!

Thank you for your reply and telling me how to delete any if needed. I take it noscript adds them, and from what you wrote sounds like they need to be there. Thank you!