[RESOLVED] XSS whitelisting

Gazer75

[RESOLVED] XSS whitelisting

Post by Gazer75 »

Please make a simple way to whitelist for XSS. The regular expression cr*p is confusing. Been trying for months to figure out how to use it, not just for this, and not getting anywhere.
Why can't this list be a simple website list?

Can someone help me fix www.se.no/tv/ so I can use my tv guide again?

Thank you
Last edited by Tom T. on Wed Mar 28, 2012 3:05 am, edited 2 times in total.
Reason: make a little more family-friendly
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: XSS whitelisting

Post by Tom T. »

Gazer75 wrote: Please make a simple way to whitelist for XSS. The regular expression cr*p is confusing. Been trying for months to figure out how to use it, not just for this, and not getting anywhere.
Why can't this list be a simple website list?
Probably because the detection and prevention of the various types of XSS, and the minimization of false positives, is more complex than simply whitelisting a script or site, though I could be mistaken.

As a quick-and-dirty work-around, this made the XSS notification go away for me:

Code:

^https?://konto\.dagbladet\.no/.*
although since Javascript injection is in fact being reported, I'd rather have Giorgio look at this and see if it's a false positive or something genuinely amiss.

Ahh -- going further, a pop-up opens, asking for login creds, and that pop-up has a blocked object that requires further permission.

Code:

Temporarily allow http://www.se.no/xdr/xd_receiver.html#fname=clientLogin$namespace=DB.Client
(text/html <IFRAME> / https://konto.dagbladet.no)
So yes, iFrame injection or similar appears to be going on. But everything else works, including all of the links.

Confirmed as also successfully removing the XSS notification on Fx 11.0 as well as 3.6.28.

I'll let him know. Please confirm that the work-around works in the meantime.

"The Big Bang Theory" is popular there? :)

@ Giorgio:

Code:

[NoScript InjectionChecker] JavaScript Injection in ///api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin
(function anonymous() {host = www.se.no$xdr = xdr;DUMMY_EXPR;})

[NoScript XSS] Sanitized suspicious request. Original URL [https://konto.dagbladet.no/api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin] requested from [http://www.se.no/tv/#]. Sanitized URL: [https://konto.dagbladet.no/api/xdr/dev/#6425552468366076828].
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS whitelisting

Post by Giorgio Maone »

It is a false positive, indeed, caused by the weird hash parameters convention which overlaps with JavaScript syntax.
I'll try to "desensitize" the InjectionChecker module to this pattern in a future version.

In the meanwhile, thanks Tom T. for the suggested work-around, which can further be tweaked this way to be more specific:

Code:

^https?://konto\.dagbladet\.no/[^<"']+#
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
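To make the difference between the two exception patterns concrete, and to show why the site's "#host=...$xdr=..." fragment convention reads as JavaScript, here is an added example for Node.js. It is not NoScript's code and was not posted by anyone in this thread: the two RegExps are the exceptions quoted above, the flagged and sanitized URLs come from Tom T.'s log, and every other URL, the function names and the parse check are constructed for this illustration only.

```javascript
// Added illustration (not NoScript's own code). It shows (1) how broad each of
// the two XSS exception patterns from this thread is, and (2) why the
// "#host=...$xdr=..." fragment convention passes as JavaScript syntax.

// Tom T.'s quick work-around and Giorgio's tighter version, as JS RegExps.
const QUICK_EXCEPTION = /^https?:\/\/konto\.dagbladet\.no\/.*/;
const TIGHT_EXCEPTION = /^https?:\/\/konto\.dagbladet\.no\/[^<"']+#/;

// Reports whether each pattern would exempt a request URL from XSS filtering.
function exemptedBy(url) {
  return { quick: QUICK_EXCEPTION.test(url), tight: TIGHT_EXCEPTION.test(url) };
}

// Compiles (never invokes) a string as a function body and reports whether it
// is syntactically valid JavaScript. A real injection checker such as
// NoScript's InjectionChecker does far more than this; the point here is only
// that the site's fragment convention passes even the most basic parse test.
function parsesAsJavaScript(fragment) {
  try {
    new Function(fragment); // compile only; the function object is discarded unrun
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// URLs quoted from the NoScript log above (taken from the page).
const FLAGGED_URL =
  "https://konto.dagbladet.no/api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin";
const SANITIZED_URL = "https://konto.dagbladet.no/api/xdr/dev/#6425552468366076828";

// Sample URLs; all except the two above are constructed for this example.
const SAMPLES = {
  flagged: FLAGGED_URL,
  sanitized: SANITIZED_URL,
  // Same path, no fragment: nothing for the tighter pattern's trailing "#" to match.
  noFragment: "https://konto.dagbladet.no/api/xdr/dev/",
  // A "<" before the fragment: ruled out by [^<"'] in the tighter pattern.
  angleInQuery: "https://konto.dagbladet.no/api/?x=<tag>#frag",
  // Host name only inside the query: neither pattern matches, both are anchored with ^.
  otherHost: "https://other.example/?u=konto.dagbladet.no/#frag",
};

// Returns {sampleName: {quick, tight}} for every sample URL.
function summarize() {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLES)) out[name] = exemptedBy(url);
  return out;
}

// The part of the fragment the log shows being rebuilt into JavaScript:
// "host=www.se.no$xdr=xdr" is a legal chained assignment, because "$" is a
// valid identifier character and "www.se.no$xdr" is just a property path.
const FRAGMENT_PIECE = "host=www.se.no$xdr=xdr";

console.log(summarize());
console.log(`"${FRAGMENT_PIECE}" parses as JavaScript:`, parsesAsJavaScript(FRAGMENT_PIECE));
```

The quick pattern exempts every request to that host, while the tighter one only exempts requests that carry a fragment and contain none of the characters (<, ", ') a script or markup injection would need before it, which is why it is the better exception to keep in place.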
Gazer75

Re: XSS whitelisting

Post by Gazer75 »

Thank you!

I love NoScript, but sometimes it makes me scratch my head :)

Sorry if the language was a bit harsh. Regex really makes me angry as I can't seem to figure out how it works...
Any good sites that can teach me?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: XSS whitelisting

Post by therube »

Good or bad, don't know, but ... Wikipedia: Regular expression.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120327 Firefox/13.0a2 SeaMonkey/2.10a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: XSS whitelisting

Post by Tom T. »

@ Gazer75:
therube wrote: Good or bad, don't know, but ... Wikipedia: Regular expression.
It's good, but to avoid information overload, I'd suggest focusing on "Basic Concepts", "Syntax", and "Posix" (including all subsections).
Else, it becomes overwhelming for the novice.

Perhaps let the webmaster know of the issue, and of Giorgio's recommendation to modify their syntax? Link to this thread...

@ Giorgio:
Thanks for the confirmation as false positive, the possible future tweak of InjectionChecker (can't anyone tell these sites not to use parameters that may collide with JS?), and the fine-tuning. It was near the end of my session, and I wanted to give OP *something* that would work while it was still fairly early in the indicated region's day. :)

Will mark as Resolved, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [RESOLVED] XSS whitelisting

Post by Giorgio Maone »

Please check latest development build 2.3.7rc1: it should work even without exceptions.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [RESOLVED] XSS whitelisting

Post by Tom T. »

Giorgio Maone wrote: Please check latest development build 2.3.7rc1: it should work even without exceptions.
Confirmed that with NS 2.3.7rc1, the site works all the way through the loading of the pop-up login box, with no XSS messages, nothing pertinent in Error Console, and with zero XSS exceptions, in both Fx 11.0 and (what's left of) Fx 3.6.28, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: [RESOLVED] XSS whitelisting

Post by dhouwn »

Considering regular expressions, http://perldoc.perl.org/perlre.html and https://developer.mozilla.org/en/JavaSc ... on_Pattern look like quite good summaries (in former you just need to ignore all the Perl-specific stuff).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [RESOLVED] XSS whitelisting

Post by Tom T. »

dhouwn wrote: Considering regular expressions, http://perldoc.perl.org/perlre.html <snip> ignore all the Perl-specific stuff).
Consult a Perl guide, but ignore all Perl-specific stuff? ;)

Can't argue with the MDN link, but as the name implies, it's targeted to developers (presupposing a good bit of knowledge and experience). WP article seems more targeted to a lay audience, but it's OP's call.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28