Bug report: False positives for mathematical equations

benlisquare
Posts: 2
Joined: Sun Mar 11, 2012 4:38 am

Bug report: False positives for mathematical equations

Post by benlisquare »

I'd like to file a bug report, but am unsure of the correct avenues to do so; however, since this is a general forum for NoScript support, I guess I can post this here.

Whenever I make an internet forum post, imageboard/BBS post, or Wiki edit that involves a certain string of characters, I get the message "NoScript filtered a potential cross-site scripting (XSS) attempt from (the website I'm trying to post on)".

An example of something which triggers this would be: (I've typed this in full-width Unicode alphanumeric; typing this in half-width/standard alphanumeric triggers the problem)
>tan(a) * sin(n)
(Explanation: The equation is the tangent of pronumeral "a" multiplied by the sine of pronumeral "n". The "greater than" sign is actually denoting that something is being quoted, like in early-90s era Usenet boards and emails.)
Note that I'm only using full-width just in case; it might not happen on all websites, but it does happen on some, and in all cases for that website.

First of all, wouldn't it be a good idea to have the "cross-site scripting attempt detection" feature capable of being optionally disabled? I'd rather not have to disable NoScript on Firefox altogether just to make one message post ("Restart Firefox", "Restart Firefox", "Restart Firefox"...), and it's a pain in the neck to have to open up Google Chrome (secondary browser that I generally avoid using) to the exact URL and make the post as well.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Bug report: False positives for mathematical equations

Post by Alan Baxter »

Does unchecking either or both XSS boxes in
NoScript Options > Advanced > XSS help?
Do any of the other tips in http://noscript.net/faq#xss help?
Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bug report: False positives for mathematical equations

Post by Tom T. »

I can't see those characters. Could you please wrap them in [code] tags, or give a URL where this happens?

It's better to fix the issue, though as Alan says, an XSS exception is certainly better than disabling NS.
(Hunch: some sort of cross-site call to where the special fonts/symbols etc. are stored. I could be mistaken, of course.)

Could you please reproduce the issue, then copy/paste the error message here?
Ctrl+Shift+J, and look for red Error messages, then look in blue Messages, and copy/paste all NoScript-related here.

Probably starts with [NOSCRIPT XSS] or [XSS].
Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Bug report: False positives for mathematical equations

Post by dhouwn »

Tom T. wrote:I can't see those characters.
You can't? So this text here is invisible to you?

Anyway, what he wrote was ">tan(a) * sin(n)".

The reason this triggers an XSS warning is the parentheses: it looks like potentially problematic JavaScript (a function invocation). Now, the board software/setup has to be kinda strange to trigger a warning there; could you tell us the site?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Bug report: False positives for mathematical equations

Post by Alan Baxter »

dhouwn wrote:
Tom T. wrote:I can't see those characters.
You can't? So this text here is invisible to you?
Tom may have seen the same thing I do. Here's an image of it.
Google Translate says it's in Korean and means ">tan(a) * sin(n)". Your reply looks similar. Google Translate says it's in Japanese and means "So this text here is invisible to you?". No, it's not invisible.

It looks the same in IE8 and vanilla Fx too.
Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bug report: False positives for mathematical equations

Post by Tom T. »

Alan Baxter wrote:Google Translate says it's in Korean and means ">tan(a) * sin(n)". Your reply looks similar. Google Translate says it's in Japanese and means "So this text here is invisible to you?". No, it's not invisible.

It looks the same in IE8 and vanilla Fx too.
I've deleted Korean and a few other fonts of languages that I can't read, write, or speak, which makes them sort of useless to me.

Having the Korean characters render wouldn't have helped to understand the issue. ;)

Yes, we'd like to see the URL where that happens.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
benlisquare
Posts: 2
Joined: Sun Mar 11, 2012 4:38 am

Re: Bug report: False positives for mathematical equations

Post by benlisquare »

@Alan Baxter:
I've unchecked both boxes, and it seems to be working fine now, thanks for that. I wasn't aware that those options were available.

@dhouwn:
The website was boards.4chan.org/sci/ which is the "Science and Mathematics" board on 4chan (a potentially not-safe-for-work imageboard).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bug report: False positives for mathematical equations

Post by Tom T. »

benlisquare wrote:@Alan Baxter:
I've unchecked both boxes, and it seems to be working fine now, thanks for that. I wasn't aware that those options were available.
They significantly weaken NoScript's protections, and expose you to many possible attacks. See XSS FAQ.

If required, it would be better to write an "exception" in the box below those checkboxes. Then you can leave both checked, and be protected at all other sites on the planet.

Even better would be to try to find what's causing the issue, and do something here to work around it, or advise the site of the problem.
I have no trouble viewing complex mathematical formulae at Wikipedia pages, and without any XSS errors or disabling of protection.
benlisquare wrote:@dhouwn:
The website was boards.4chan.org/sci/ which is the "Science and Mathematics" board on 4chan (a potentially not-safe-for-work imageboard).
I'll check it out. In doing support, we go to a lot of sites of highly variable content, and one focuses on solving the problem without worrying about the nature of the content.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bug report: False positives for mathematical equations

Post by Tom T. »

Nothing immediately apparent, on Fx 3.6.28 or 11.0, but as you said, one needs to make a post to do this.
benlisquare wrote:internet forum post, imageboard/BBS post, or Wiki edit that involves a certain string of characters,
Most forms, BB, and Wikipedia have "safe" encoding, which will not parse HTML or other "dangerous" posted content.
dhouwn wrote:The reason this triggers an XSS warning is the parentheses: it looks like potentially problematic JavaScript (a function invocation)
Parentheses shouldn't cause problems (I don't think). ... hey, look, they just didn't! ;)

Usually js uses braces or curly brackets { }. So don't use those.

Isolate the offending character(s), find a substitute, or disable XSS protection only while making a post with the offending characters (least desirable).

The following is from this forum's js, which I have allowed:

{
    var doc;

    if (document.forms[form_name])
    {
        doc = document;
    }
    else
    {
        doc = opener.document;
    }

    var textarea = doc.forms[form_name].elements[text_name];

    if (is_ie && typeof(baseHeight) != 'number')
    {
        textarea.focus();
        baseHeight = doc.selection.createRange().duplicate().boundingHeight;

        if (!document.forms[form_name])
        {
            document.body.focus();
        }
    }
}

Deliberately did not wrap in code tags, yet the forum software had no problem with it.

(Not wrapping in code tags does remove the placement of the braces, in terms of indentation, etc.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: False positives for mathematical equations

Post by Giorgio Maone »

Notice that the filter is triggered only if the request is made cross-site, i.e. if you submit from site A.com to site B.com (which is not the norm).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
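The following is an added example, not code from NoScript, the forum software, or anyone in this thread. It is a toy model of the request pipeline the thread has been discussing: dhouwn's point that an identifier followed by "(" looks like a JavaScript function invocation, Giorgio's point that the filter only matters when the form is submitted cross-site, and Tom's point that a well-behaved board HTML-encodes posted content so braces, parentheses and even pasted JavaScript stay inert. The heuristic regex, the URLs, the field names and the sample posts are all constructed for the illustration; NoScript's real XSS filter is considerably more involved than this.

```javascript
// Added example (not NoScript's or the forum's code): a toy model of the
// request pipeline discussed in this thread, showing three things:
//  1. why ">tan(a) * sin(n)" trips an "identifier followed by (" heuristic,
//  2. why such a heuristic only matters for a cross-site submission, and
//  3. why braces, parentheses and even raw JavaScript are inert once the
//     receiving site HTML-encodes the post before rendering it.
// All URLs, field names and sample bodies below are constructed.

// (1) A deliberately simple heuristic: a JS identifier immediately followed by
// an ASCII "(" looks like a function invocation. Full-width "（" (U+FF08) and
// full-width letters do not match, which is consistent with the report that the
// full-width version of the equation does not trigger the warning.
const CALL_LIKE = /[A-Za-z_$][\w$]*\s*\(/;

function looksLikeJsCall(value) {
  return CALL_LIKE.test(value);
}

// (2) The cross-site gate: compare scheme + host + port of the submitting page
// with the form target. Same-origin submissions skip the heuristic entirely.
function isCrossSite(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

function filterDecision(fromUrl, toUrl, fields) {
  if (!isCrossSite(fromUrl, toUrl)) {
    return { filtered: false, reason: "same-origin submission" };
  }
  for (const [name, value] of Object.entries(fields)) {
    if (looksLikeJsCall(value)) {
      return { filtered: true, reason: `field "${name}" looks like a JS call` };
    }
  }
  return { filtered: false, reason: "no call-like field" };
}

// (3) What actually keeps a stored post from becoming script: output encoding.
// Only these five characters can start markup or break out of an attribute;
// braces, parentheses and brackets mean nothing to an HTML parser.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulates the board rendering a stored post body into its page.
function renderPost(body) {
  return '<div class="post">' + escapeHtml(body) + "</div>";
}

// Constructed sample post bodies.
const MATH = ">tan(a) * sin(n)";
const FULL_WIDTH_MATH = "＞ｔａｎ（ａ） ＊ ｓｉｎ（ｎ）";
const JS_FRAGMENT = "{\n  var doc;\n  if (document.forms[form_name]) { doc = document; }\n}";
const SCRIPT_TAG = "<script>alert(1)</script>";

// Walk each sample through the pipeline from a same-origin page and from a
// cross-site page, and show what the board would put into its HTML.
function demo() {
  const target = "https://board.example/post";
  const results = {};
  for (const [label, body] of Object.entries({ MATH, FULL_WIDTH_MATH, JS_FRAGMENT, SCRIPT_TAG })) {
    results[label] = {
      sameOrigin: filterDecision("https://board.example/thread/1", target, { body }).filtered,
      crossSite: filterDecision("https://other.example/page", target, { body }).filtered,
      rendered: renderPost(body),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things stand out when the output is read next to the thread. The math comment is flagged only on the cross-site path, which is why the reporter could post the same text elsewhere without trouble and why Giorgio calls a cross-site submission "not the norm". And the JavaScript fragment contains none of the five HTML-sensitive characters, so the board stores and echoes it unchanged and it still cannot execute; this is the property Tom's "safe encoding" remark relies on, and it is independent of whatever the request-side heuristic decides.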
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bug report: False positives for mathematical equations

Post by Tom T. »

Giorgio Maone wrote:Notice that the filter is triggered only if the request is made cross-site, i.e. if you submit from site A.com to site B.com (which is not the norm).
Tom T. wrote:(Hunch: some sort of cross-site call to where the special fonts/symbols etc. are stored. I could be mistaken, of course.)
Is that a reasonable possibility?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28