NoScript forbids linking to static HTML as if it were XSS
Posted: Mon Jun 27, 2011 9:20 pm
by cy6erGn0m
I tried to make a link to
http://download.oracle.com/javase/6/doc ... ring%28%29 This link just has a reference to an anchor. Unfortunately NoScript blocks this link as if it were an XSS attack. I guess the official Java documentation is popular, and it's very strange that I can't link to it at all.
This behavior has been introduced recently.
Re: NoScript forbids linking to static HTML as if it were XSS
Posted: Mon Jun 27, 2011 9:33 pm
by Giorgio Maone
cy6erGn0m wrote: This behavior has been introduced recently.
No, it hasn't.
http://download.oracle.com/javase/6/doc ... lone%28%29 works as expected.
toString() is blacklisted because, as JavaScript, it can be used to evaluate code dynamically under some circumstance.
Re: NoScript forbids linking to static HTML as if it were XSS
Posted: Tue Jun 28, 2011 7:20 am
by cy6erGn0m
I don't know why, but it's blocked for me by default. Also, "toString()" is just an anchor name. I have never heard of somebody executing JavaScript from a URL (an HTTP URL, not javascript:), so it's strange that toString is blocked in such a context.
Re: NoScript forbids linking to static HTML as if it were XSS
Posted: Tue Jun 28, 2011 9:10 am
by Giorgio Maone
cy6erGn0m wrote: I don't know why, but it's blocked for me by default.
Do you mean "clone()" is blocked as well for you? Did you actually check my link?
cy6erGn0m wrote: Also, "toString()" is just an anchor name. I have never heard of somebody executing JavaScript from a URL (an HTTP URL, not javascript:), so it's strange that toString is blocked in such a context.
You don't know how many sites carelessly output their URL (or part of it) in any context, causing it to be interpreted as JavaScript.
It's called "reflective XSS".
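The fix for the careless pattern described above is context-aware output encoding: a URL reflected into a page must be encoded for the exact context it lands in (HTML text vs. a JavaScript string literal), so a fragment like "#toString()" can only ever be data. The following is an added example and is not NoScript's code or anything from the thread; the URL is a constructed sample in the shape of a Java API link, and the two render functions are hypothetical names for the page-side output step.

```javascript
// Added example (not NoScript's code): context-aware encoding of a reflected URL.

// Constructed sample URL, shaped like a Java API link with a method anchor.
const SAMPLE_URL =
  'http://example.invalid/javase/6/docs/api/java/lang/Object.html#toString()';

// Encoder for an HTML text or double-quoted attribute context.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal inside <script>: every UTF-16 unit
// that is not [A-Za-z0-9] becomes \xHH or \uHHHH, so no quote, parenthesis,
// "</script>" or line terminator survives to be parsed as code.
function jsStringEscape(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    const ch = str[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (unit < 0x100) {
      out += '\\x' + unit.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + unit.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Hypothetical page-side step: the current URL embedded in an inline script.
// With the encoder, the script source contains no raw punctuation from the URL.
function scriptBlock(url) {
  return '<script>var current = "' + jsStringEscape(url) + '";</script>';
}

// Hypothetical page-side step: the same URL shown to the user as HTML text.
// Parentheses are harmless here; only HTML metacharacters need escaping.
function paragraph(url) {
  return '<p>You are viewing ' + htmlEscape(url) + '</p>';
}

// Decode a jsStringEscape() result the way the JS parser would, to confirm
// that encoding is lossless (used for the self-check below).
function decodeLiteral(escaped) {
  return new Function('return "' + escaped + '";')();
}

function selfCheck() {
  const encoded = jsStringEscape(SAMPLE_URL);
  return (
    decodeLiteral(encoded) === SAMPLE_URL &&
    !scriptBlock(SAMPLE_URL).includes('(') &&
    paragraph(SAMPLE_URL).includes('toString()')
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scriptBlock(SAMPLE_URL));
  console.log(paragraph(SAMPLE_URL));
  console.log('self-check:', selfCheck());
}
```

The point to take from the thread is that the anchor name itself is harmless; what a filter like NoScript's is guarding against is a server that pastes the URL into a script context without the encoding shown in scriptBlock(). A site that encodes per context gives the filter nothing to catch.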
Re: NoScript forbids linking to static HTML as if it were XSS
Posted: Tue Jun 28, 2011 7:27 pm
by cy6erGn0m
No, with "clone" it works as expected. But why is only "toString" blocked?