
Possible bug in XSS filter

Posted: Wed Jan 05, 2011 3:57 am
by PassingThrough
It seems that the XSS filter replaces all brackets "(" and ")" with %20 instead of %28 and %29. Is this an intended/necessary switch?

Sample console output:

[NoScript XSS] Sanitized suspicious request.
Original URL [http://msdn.microsoft.com/query/dev10.q ... P)&rd=true] requested from [chrome://browser/content/browser.xul].
Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 9468807261].

Re: Possible bug in XSS filter

Posted: Wed Jan 05, 2011 9:30 am
by Giorgio Maone
No, not all the brackets.
Just those which occur in URLs which contain syntactically valid JavaScript fragments and are requested cross-site (or 1st request).
Notice that a "syntactically valid" JavaScript fragment doesn't necessarily execute as JavaScript, but it does compile as such, and it's the best you can check to say "this is JavaScript" without actually executing.
Your request, unfortunately, passes the test.
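The heuristic described in the reply above, as an added illustration (not NoScript's own code, and not the actual filter logic): each cross-site query parameter is decoded, checked for markup that looks dangerous or for text that compiles as JavaScript, and, if either test trips, its brackets are rewritten to %20 the way the console output in the first post shows. The regexes, the extra "call-like shape" requirement, and the function names are assumptions made for this example; the sample URLs are constructed.

```javascript
// Added example modelling the NoScript XSS-filter heuristic discussed in the
// thread. It is NOT NoScript's code; regexes, names and thresholds are assumptions.

// Markup shapes treated as "dangerous" HTML fragments (assumed list).
const DANGEROUS_HTML = /<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:/i;

// True if the fragment parses as a JavaScript function body.
// new Function() only compiles the text; the body is never invoked, so
// nothing from the URL is executed.
function compilesAsJavaScript(fragment) {
  try {
    new Function(fragment);
    return true;
  } catch (e) {
    return false; // SyntaxError: this is not JavaScript
  }
}

// Decode a query value; on malformed %-escapes fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Classify one decoded parameter value. A bare word such as "hello" also
// compiles as JavaScript, so this model additionally requires a call-like
// shape "name(" before calling the value a JavaScript fragment (assumption).
function classifyValue(decoded) {
  if (DANGEROUS_HTML.test(decoded)) return 'html';
  if (/[A-Za-z_$][\w$]*\s*\(/.test(decoded) && compilesAsJavaScript(decoded)) return 'js';
  return null;
}

// Neutralize a raw (still percent-encoded) value: both bracket forms become
// %20, as in the sanitized URL quoted in the thread. Angle brackets get the
// same treatment so an HTML fragment can no longer open or close a tag.
function neutralize(raw) {
  return raw.replace(/[()]|%28|%29/gi, '%20').replace(/[<>]|%3C|%3E/gi, '%20');
}

// Sanitize a cross-site request URL. Returns the rewritten URL plus the list
// of parameters that tripped the check (empty when the URL is left untouched).
function sanitizeCrossSiteUrl(url) {
  const q = url.indexOf('?');
  if (q < 0) return { sanitized: url, flagged: [] };
  const base = url.slice(0, q + 1);
  const flagged = [];
  const pairs = url.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    if (eq < 0) return pair;
    const key = pair.slice(0, eq);
    const raw = pair.slice(eq + 1);
    const kind = classifyValue(safeDecode(raw));
    if (!kind) return pair;
    flagged.push({ key, kind });
    return key + '=' + neutralize(raw);
  });
  return { sanitized: base + pairs.join('&'), flagged };
}

// Constructed sample requests (not the URLs from the original post).
const SAMPLES = [
  'http://example.test/search?q=alert(document.cookie)&rd=true', // real payload
  'http://example.test/search?q=hello+world',                    // harmless
  'http://example.test/search?q=sin%28x%29',                     // math, but compiles as JS
  'http://example.test/page?name=%3Cscript%3Ealert(1)%3C/script%3E', // HTML fragment
];
for (const u of SAMPLES) console.log(sanitizeCrossSiteUrl(u));
```

The third sample is the false positive the thread is about: `sin(x)` is a perfectly good formula, yet it compiles as a call expression, so the model rewrites it to `sin%20x%20`. Compiling attacker-controlled text with the `Function` constructor is safe only because the result is never called; in a privileged extension context it should still be done in an isolated compartment rather than in the main scope, which this example does not attempt.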

Re: Possible bug in XSS filter

Posted: Wed Jan 05, 2011 11:31 am
by PassingThrough
Just to get this straight. NoScript checks cross-site URLs for valid JavaScript fragments. It then disables URLs which meet the criteria by replacing all brackets in them with spaces. Is that accurate?

Re: Possible bug in XSS filter

Posted: Wed Jan 05, 2011 11:56 am
by Giorgio Maone
PassingThrough wrote: Just to get this straight. NoScript checks cross-site URLs for valid JavaScript fragments.
And for "dangerous" HTML fragments as well.
PassingThrough wrote: It then disables URLs which meet the criteria by replacing all brackets in them with spaces.
It performs some replacements to neutralize the payload, including the one you described.