XSS warning with sanitised url identical to original
Posted: Thu Dec 08, 2011 5:06 pm
We encode some of our URL parameters and are getting weird XSS warnings.
I tried to find the culprit by removing one encoded character at a time.
Calling the following webpages should result in an XSS error:
http://www.google.com/?foobar=%2522%25c0%25e7
http://stackoverflow.com/?foobar=%2522%25c0%25e7
Values such as %2522%25c0 or %25c0%25e7 do not cause errors though.
The console message shows that the sanitised URL is identical to the original.
[NoScript XSS] Sanitised suspicious request. Original URL [http://www.golem.de/?foobar=%2522%25c0%25e7] requested from [chrome://browser/content/browser.xul]. Sanitised URL: [http://www.golem.de/?foobar=%2522%25c0%25e7].
The URL will be rewritten as http://www.golem.de/?foobar=%20%C3%80%C ... 1230682698
So why is %2522%25c0%25e7 occasionally seen as an XSS attack?
Using Firefox 8.0 and NoScript 2.2.3
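The following is an added example, not code from the poster and not NoScript's own filter code. It shows what a parameter like %2522%25c0%25e7 turns into when it is percent-decoded repeatedly, as many XSS filters do: the first round yields %22%c0%e7, the second yields a double quote followed by the bytes C0 E7, which are not valid UTF-8 (0xC0 can never start a valid UTF-8 sequence). The Latin-1 fallback used here, and the "replace quote-like characters with a space and re-encode as UTF-8" rewrite, are assumptions chosen because they reproduce the %20%C3%80%C... prefix quoted above; they are not a description of NoScript's decision logic and do not explain why the shorter values are left alone.

```javascript
// Added example (not NoScript code): repeated percent-decoding of a URL
// parameter, with charset detection for the decoded bytes.

// Decode %XX escapes to raw bytes; literal characters are UTF-8 encoded.
function percentDecodeBytes(s) {
  const enc = new TextEncoder();
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(...enc.encode(s[i]));
    }
  }
  return Uint8Array.from(bytes);
}

// Interpret the bytes as UTF-8 when valid; otherwise fall back to
// ISO-8859-1 (assumption: a lenient filter might do the same).
function bytesToString(bytes) {
  try {
    const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return { text, charset: 'utf-8' };
  } catch (e) {
    return { text: String.fromCharCode(...bytes), charset: 'latin1' };
  }
}

// Decode until the value stops changing, keeping every intermediate form.
// Double-encoded input such as %2522 only reveals the quote on round two.
function decodeRounds(value, maxRounds = 5) {
  const rounds = [value];
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    const { text } = bytesToString(percentDecodeBytes(cur));
    if (text === cur) break;
    rounds.push(text);
    cur = text;
  }
  return rounds;
}

// Hypothetical rewrite: take the fully decoded value, neutralise characters
// that could break out of an HTML attribute, and re-encode as UTF-8.
function sanitise(value) {
  const rounds = decodeRounds(value);
  const deepest = rounds[rounds.length - 1];
  return encodeURIComponent(deepest.replace(/["'<>]/g, ' '));
}

// Walk through the value from the post.
for (const r of decodeRounds('%2522%25c0%25e7')) {
  const { charset } = bytesToString(percentDecodeBytes(r));
  console.log(JSON.stringify(r), '-> bytes decode as', charset);
}
console.log('rewritten:', sanitise('%2522%25c0%25e7'));
```

Running it prints the three rounds (the original, %22%c0%e7, then a quote plus two Latin-1 characters) and the rewritten value %20%C3%80%C3%A7, whose beginning matches the truncated URL in the post. Whether NoScript follows exactly these steps is not something this example can settle.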