questions on the anti-xss protection exceptions

Posted: Fri Sep 17, 2010 5:33 pm
by thankfulfornoscript
Hi! I searched on the forums for this question and in the faqs but couldn't find a thread on it so am posting here. :)

The XSS tab shows that 'Sanitize cross site suspicious requests' and 'Turn cross site post requests into data-less get requests' are both checked and the following is in the exceptions:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$

I don't know how they are added but I didn't add any. I am having redirect problems via google and other links on sites, and some pages just show either nothing or an error code. I would think it's totally unrelated to the exceptions as I don't see posts here in the forums regarding redirects.

I understand somewhat what xss is, but when I read in the XSS tab that 'destinations matching .. will not be protected against xss' I was wondering if these expressions could be a problem and wondering if I should remove them and if so, how do I remove them.

Thanks for your help!

Re: questions on the anti-xss protection exceptions

Posted: Fri Sep 17, 2010 6:51 pm
by dhouwn
thankfulfornoscript wrote: how do I remove them.
Simply edit the text box, e.g. click in the line you want to delete, press home, hold down shift and press end, then press del.
thankfulfornoscript wrote: but when I read in the XSS tab that 'destinations matching .. will not be protected against xss' I was wondering if these expressions could be a problem and wondering if I should remove them and if so,
The exceptions are there for a reason, for example if you remove the Google line and then do a Google search for "foo(bar)" then the XSS alarm will go off. The exceptions are not very broad so the security loss should be negligible.
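To see how narrowly the five exception patterns from the first post match, here is an added example (not NoScript's own code) that runs them as JavaScript regular expressions against constructed URLs: the Google search for "foo(bar)" from the reply is exempted from the filter, while a lookalike host, another Google path, or a Wikipedia URL carrying a query string is not.

```javascript
// Added example, not NoScript's code: classify constructed URLs against the
// anti-XSS exception patterns quoted in the first post (copied verbatim).
const exceptionPatterns = [
  /^https?:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/,
  /^https?:\/\/([a-z]*)\.?search\.yahoo\.com\/search(?:\?|\/\1\b)/,
  /^https?:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"<>\?%]+$/,
  /^https?:\/\/translate\.google\.com\/translate_t[^"'<>\?%]+$/,
  /^https:\/\/secure\.wikimedia\.org\/wikipedia\/[a-z]+\/wiki\/[^"<>\?%]+$/,
];

// Index of the first exception that matches the destination, or -1 when the
// request would still be sanitized by the anti-XSS filter.
function matchingException(url) {
  return exceptionPatterns.findIndex((re) => re.test(url));
}

function isExempt(url) {
  return matchingException(url) !== -1;
}

// Constructed sample destinations (not from the thread, apart from the first).
const samples = [
  "https://www.google.com/search?q=foo(bar)",        // the search from the reply
  "http://news.google.co.uk/news?q=x",               // \1 reuses the host label "news"
  "https://de.search.yahoo.com/search/de?p=foo",     // \1 reuses the host label "de"
  "https://en.wikipedia.org/wiki/Cross-site_scripting",
  "https://en.wikipedia.org/wiki/Foo?action=edit",   // '?' is excluded by the class, so filtered
  "https://www.google.com/maps?q=foo",               // path is not search/custom/\1, so filtered
  "https://www.google.com.example.net/search?q=1",   // extra host labels break the pattern
  "https://evil.example/search?q=foo(bar)",          // no exception covers other hosts
];

for (const url of samples) {
  console.log(isExempt(url) ? "exempt  " : "filtered", url);
}
```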

Re: questions on the anti-xss protection exceptions

Posted: Tue Sep 21, 2010 3:05 am
by Guest
Hi!

Thank you for your reply and telling me how to delete any if needed. I take it noscript adds them, and from what you wrote sounds like they need to be there. Thank you! :)