InformAction Forums

Hi...

Since the latest update of NS a few days ago, I am getting a NS error telling me that there is a potential cross-site scripting problem when I click MANY(but not all) links in my.yahoo.com. I tried to add "my.yahoo.com" to the white list but when I type in the final "m" in "com", the Allow button grays out. Any idea (1) why all of a sudden I'm getting the error message (been using FF since version 1) and (2) how do I put my.yahoo.com in the white list.

Thanks for your help...

wjk

> potential cross-site scripting problem

Any of these noted in your Error Console?


> when I type in the final "m" in "com", the Allow button grays out.

That is because you already have "yahoo.com" on your whitelist.


What version of NoScript are you running?

Unfortunately, I don't know what I am looking for in the console. I see a lot of entries and just about every one starts with "roboform" (which I've been using for years!). I also see one or two entries regarding Yahoo such as the one below. I'm not sure if this is what you are looking for...


Warning: Use of attributes' nodeName attribute is deprecated. Use name instead.
Source File: http://us.lrd.yahoo.com/_ylt%20AowsFbMy ... 1074509945
Line: 0isibleFields":false}



Thanks for your help...
wjk

In reading a number of news items in my MyYahoo setup about 5 of those news items received the 404 error
and the cross-site-scripting XSS message. So, as the OP is asking/concerned about ... so am I.

Anyway, I cleared out my console, visited on of the problem links and these are the two Messages found in the console.

Thank you.


[NoScript XSS] Sanitized suspicious request. Original URL [http://us.lrd.yahoo.com/_ylt=AsRIIHRMuQ ... Rj9wU3sXg-] requested from [http://my.yahoo.com/p/2.html]. Sanitized URL: [http://us.lrd.yahoo.com/_ylt%20AsRIIHRM ... 9659037934].

What version of NoScript are you running?

The latest (#dev's ?) have changes related to XSS.
Try it, development build.


(Not sure what #dev version corresponds to #release? Hint, hint, @G.)

therube wrote:

What version of NoScript are you running?

The latest (#dev's ?) have changes related to XSS.
Try it, development build.


(Not sure what #dev version corresponds to #release? Hint, hint, @G.)

Sorry... lost my mind for a second... I should have posted that... Is that what you need?

version 2.3.2

EDIT...
OK... installed the dev. build into my Test profile and still received some 404 errors. But, then I went back to my default profile (with ver. 2.3.2) and some of the links now worked... so, I did some perusing of other news and click on one... same error BUT about 1 minute after I had clicked on that link it worked!! It's almost as if Yahoo was changing stuff second by second.

So, in order to get a clean link to post (by the time it gets to the error page the link is all messed up with stuff...) I opened up IE for one of the bad ones that I got in Firefox... visited the page and got a clean link... came back to FF and pasted it into the loc. bar and the site opened up OK... went back to the line/link presented within my MyYahoo news... clicked on it and got the error.... I suppose that it may have grabbed it from cache somewhere with that test.

I'm going to continue playing with this stuff.
BTW... one link that is still messing up is...
http://video.nytimes.com/video/2012/02/ ... -2012.html

So, I wouldn't stop the train for this ... I'll keep testing for a pattern.

Just tried the development build...problem remains.

Seems to me that the problem lies with the latest versions of NoScript...didn't have the problem until the most recent update. Since it is happening with the developmental build as well, it seems that something was introduced in the last "official" release that is messing things up.

Did you try rolling back to prove your theory?

Same problem here since today:
Happens when I follow in RSS link from my.yahoo.com.
Results in a 404.
Problem since upgrade to 2.3.2 yesterday.

jan

[NoScript XSS] Sanitized suspicious request. Original URL [http://us.lrd.yahoo.com/_ylt=As8.n6pF2R ... 07fpEkpl0-] requested from [http://my.yahoo.com/]. Sanitized URL: [http://us.lrd.yahoo.com/_ylt%20As8.n6pF ... 1608086172].

whitelisted in options>XSS>anti-XSS protection exceptions
^http://us\.lrd\.yahoo\.com/_.+$
works now.

jan

Where can I find an earlier version to rollback to

olorin wrote:whitelisted in options>XSS>anti-XSS protection exceptions
^http://us\.lrd\.yahoo\.com/_.+$
works now.

jan

Thank you Jan... that seems to work so far... I'll report back here if anything negative happens.

guest wrote:Where can I find an earlier version to rollback to

Guest... copy/paste what Jan posted into Options/Advanced and the XSS tab... paste it at the end
of the other items listed.

I have been having similar problem when I log into ebay. I get an xss error message. I have the site whitelisted but it doesn't seem to matter. This started with the last update. If anyone knows how to fix it I would appreciate it. Thanks - Ruth

guest wrote:Where can I find an earlier version to rollback to

http://noscript.net/feed=a or on AMO.