
NoScript issuing XSS warning/block on the loband MSDN

Posted: Thu Apr 16, 2009 9:32 am
by masklinn
http://msdn.microsoft.com/en-us/library ... band).aspx

For some reason, NoScript seems not to appreciate the parens in the URL:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/en-us/library ... band).aspx] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/en-us/library ... 6001087289].
Except with other filters e.g. http://msdn.microsoft.com/en-us/library ... S.85).aspx or using loband in a compound filter http://msdn.microsoft.com/en-us/library ... band).aspx (or switching them around http://msdn.microsoft.com/en-us/library ... S.85).aspx) the page loads fine.

The page's code doesn't seem to do anything special (or anything at all, really) and only the URL seems to have an impact on the behavior, which would point to a bug/false positive in some URL filter in NoScript.

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Thu Apr 16, 2009 10:17 am
by Giorgio Maone

Code:

system.object(loband).aspx
Is syntactically valid JavaScript, and complex enough to be harmful (semantics aside, but no checker could check semantics without the context of the whole document and before all the scripts are executed -- and at that point it would be too late to block).

Neither

Code:

system.object(VS.85).aspx
nor

Code:

system.object(VS.85,loband).aspx
nor

Code:

system.object(loband,VS.85).aspx
are syntactically valid JavaScript, instead.
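The distinction Giorgio draws can be reproduced by handing each URL's last path segment to the JavaScript parser. This is an added example, not code from the thread or from NoScript; the full MSDN paths were truncated in the post, so the sample URLs are constructed.

```javascript
// Added example, not code from the NoScript forum thread: ask the
// JavaScript parser whether a URL path segment is syntactically valid
// JavaScript, which is the check Giorgio Maone describes. new Function()
// only parses the text; it never executes it.
function isValidJsSyntax(fragment) {
  try {
    new Function(fragment);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything other than a parse failure is unexpected
  }
}

// Take the last path segment of a URL, e.g. "system.object(loband).aspx".
function lastPathSegment(url) {
  const path = new URL(url).pathname;
  return path.slice(path.lastIndexOf("/") + 1);
}

// Constructed sample URLs shaped like the MSDN links in the thread
// (the real library paths were truncated in the post, so these are assumed).
const SAMPLE_URLS = [
  "http://msdn.microsoft.com/en-us/library/system.object(loband).aspx",
  "http://msdn.microsoft.com/en-us/library/system.object(VS.85).aspx",
  "http://msdn.microsoft.com/en-us/library/system.object(VS.85,loband).aspx",
  "http://msdn.microsoft.com/en-us/library/system.object(loband,VS.85).aspx",
];

// Map each URL's last segment to whether it parses as JavaScript.
// "VS.85" breaks the parse because ".85" is scanned as a numeric literal
// directly after the identifier "VS".
function classify(urls) {
  const out = {};
  for (const u of urls) {
    const seg = lastPathSegment(u);
    out[seg] = isValidJsSyntax(seg);
  }
  return out;
}

console.log(classify(SAMPLE_URLS));
```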

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Fri Oct 29, 2010 8:37 pm
by m60freeeman
I have a somewhat similar problem. Whenever I am in Visual Studio 2010 and ask for help on something, I get an XSS warning from NoScript. Here is a typical example:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.q ... 2)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 9058295266].
I have entered an exception for:
However, I still get the errors. What exception do I need to avoid having these URLs flagged for XSS?

Thanks,

Mark

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Fri Oct 29, 2010 9:46 pm
by Giorgio Maone
m60freeeman wrote: I have entered an exception for:
However, I still get the errors. What exception do I need to avoid having these URLs flagged for XSS?
That won't work because the target URIs do contain question marks and percent signs, which you're explicitly excluding.
Try

Code:

^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Mon Nov 01, 2010 2:04 pm
by m60freeman
^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$
That doesn't work either. I still get the XSS warning. This is the console message:
[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.q ... P)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 0494491255].

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Mon Nov 01, 2010 2:21 pm
by Giorgio Maone
m60freeman wrote: That doesn't work either.
That's weird, since

Code:

javascript:alert(/^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^"'<>]+$/.test(
"http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k(MICROSOFT.SQLSERVER.MANAGEMENT.COMMON.SERVERCONNECTION);k(SERVERCONNECTION);k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true"))
says "true".
Did you use copy & paste?
Is the text in the exception box red (that would mean there's a syntax error)?

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Mon Nov 01, 2010 4:01 pm
by m60freeman
This is what I have in the NoScript Options Dialog:

Code:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^http://msdn\.microsoft\.com/query/dev10\.query\?[^"'<>]+$
I don't see anything in red. When the MSDN page displays, I get the XSS message at the top and have to do an "Unsafe Reload" to display the page and see this in the console as an information message:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k(SYSTEM.WINDOWS.FORMS.MESSAGEBOX);k(MESSAGEBOX);k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k%20SYSTEM.WINDOWS.FORMS.MESSAGEBOX%20%3Bk%20MESSAGEBOX%20%3Bk%20TargetFrameworkMoniker-%20.NETFRAMEWORK%2CVERSION%20V4.0%20%20%3Bk%20DevLang-CSHARP%20&rd=true#03343241566010924190].

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Mon Nov 01, 2010 4:07 pm
by Giorgio Maone
Confirmed. Something weird going on (a bug?). Investigating, thanks.
[EDIT]
Nothing weird, nor a bug: there are double quotes in those JavaScript-like strings which trigger the filter.
Change the exception into:

Code:

^http://msdn\.microsoft\.com/query/dev10\.query\?[^'<>]+$
and you'll be set.
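Why the first exception passed Giorgio's bookmarklet test yet still failed in NoScript becomes visible once the URL is percent-decoded: %22 turns into a double quote, which the first character class excludes. The following is an added example, not code from the thread or from NoScript; it assumes, as Giorgio's follow-up implies, that the filter matches the exception against a decoded form of the URL.

```javascript
// Added example, not code from the thread: the two exception rules posted
// by Giorgio Maone, tested against the MSDN URL NoScript logged, both as
// sent and after percent-decoding. Assumption: NoScript's filter matches
// the exception against a decoded form, where %22 has become a double quote.
const RULE_WITH_DQUOTE_EXCLUDED =
  /^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^"'<>]+$/;
const RULE_FIXED =
  /^http:\/\/msdn\.microsoft\.com\/query\/dev10\.query\?[^'<>]+$/;

// URL copied from the console message quoted in the thread.
const MSDN_URL =
  "http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US" +
  "&k=k(SYSTEM.WINDOWS.FORMS.MESSAGEBOX);k(MESSAGEBOX)" +
  ";k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22)" +
  ";k(DevLang-CSHARP)&rd=true";

// Which of the characters an exception usually refuses to let through
// only appear once the URL has been decoded.
function decodedHas(url, chars) {
  const decoded = decodeURIComponent(url);
  return [...chars].filter((c) => decoded.includes(c));
}

// Evaluate one rule against the raw URL and against its decoded form.
function checkRule(rule, url) {
  return { raw: rule.test(url), decoded: rule.test(decodeURIComponent(url)) };
}

function report(url) {
  return {
    suspiciousCharsAfterDecoding: decodedHas(url, "\"'<>"),
    originalRule: checkRule(RULE_WITH_DQUOTE_EXCLUDED, url),
    fixedRule: checkRule(RULE_FIXED, url),
  };
}

console.log(JSON.stringify(report(MSDN_URL), null, 2));
```

The original rule matches the raw URL (which is what the javascript:alert test checked) but not the decoded one; the fixed rule matches both.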

Re: NoScript issuing XSS warning/block on the loband MSDN

Posted: Mon Nov 01, 2010 4:16 pm
by m60freeman
That works perfectly. Thanks!