XSS warning with sanitised url identical to original

Ask for help about NoScript, no registration needed to post
Post Reply
greg42
Posts: 1
Joined: Thu Dec 08, 2011 4:26 pm

XSS warning with sanitised url identical to original

Post by greg42 »

We encode some of our url parameters and are getting weird XSS warnings.
I tried to find the culprit by removing one encoded character at a time.

Calling the following webpages should result in an XSS error:
http://www.google.com/?foobar=%2522%25c0%25e7
http://stackoverflow.com/?foobar=%2522%25c0%25e7

Values such as %2522%25c0 or %25c0%25e7 do not cause errors though.

The console message shows that the sanitized url is identical to the original.
[NoScript XSS] Sanitised suspicious request. Original URL [http://www.golem.de/?foobar=%2522%25c0%25e7] requested from [chrome://browser/content/browser.xul]. Sanitised URL: [http://www.golem.de/?foobar=%2522%25c0%25e7].

The url will be rewritten as http://www.golem.de/?foobar=%20%C3%80%C ... 1230682698

So why is %2522%25c0%25e7 occasionally seen as an XSS attack?

Using Firefox 8.0 and NoScript 2.2.3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Top
Post Reply

Return to “NoScript Support”