NoScripts forbirds to use link to static HTML as it XSS

[cy6erGn0m]

I tried to make link to http://download.oracle.com/javase/6/doc ... ring%28%29 This link just has reference to anchor. Unfortunately NoScript blocks this link as it XSS-attack. I guess Java Official documentation is popular and it's very strange that I can't link to it at all.

This behavior has been introduced recently.

[Giorgio Maone]

This behavior has been introduced recently.

No, it hasn't. http://download.oracle.com/javase/6/doc ... lone%28%29 works as expected.
toString() is blacklisted because, as JavaScript, it can be used to evaluate code dynamically under some circumstance.

[cy6erGn0m]

I dont' know why, but it's blocked for me by default. Also, "toString()" is just a anchor name. I never heard somebody executes javascript from URL (HTTP URL, not javascript:) so it's strange that toString is blocked in such context.

[Giorgio Maone]

I dont' know why, but it's blocked for me by default.

Do you mean "clone()" is blocked as well for you? Did you actually check my link?

Also, "toString()" is just a anchor name. I never heard somebody executes javascript from URL (HTTP URL, not javascript:) so it's strange that toString is blocked in such context.

You don't know how many sites carelessly output their URL (or part of) in any context, causing them to be interpreted as JavaScript.
It's called "reflective XSS".

[cy6erGn0m]

No, with "clone" it works as expected. But why the only "toString" is blocked?