Gazer75 wrote: Please make a simple way to whitelist for XSS. The regular-expression cr*p is confusing. I've been trying for months to figure out how to use it, not just for this, and not getting anywhere.
Why can't this list be a simple website list?
Probably because the detection and prevention of the various types of XSS, and the minimization of false positives, is more complex than simply whitelisting a script or site, though I could be mistaken.
As a quick-and-dirty work-around, this made the XSS notification go away for me:
although, since JavaScript injection is in fact being reported, I'd rather have Giorgio look at this and see if it's a false positive or something genuinely amiss.
Ahh -- going further, a pop-up opens, asking for login creds, and that pop-up has a blocked object that requires further permission.
Code:
Temporarily allow http://www.se.no/xdr/xd_receiver.html#fname=clientLogin$namespace=DB.Client
(text/html <IFRAME> / https://konto.dagbladet.no)
So yes, iFrame injection or similar appears to be going on. But everything else works, including all of the links.
Confirmed as also successfully removing the XSS notification on Fx 11.0 as well as 3.6.28.
I'll let him know. Please confirm that the work-around works in the meantime.
"The Big Bang Theory" is popular there?
@ Giorgio:
Code:
[NoScript InjectionChecker] JavaScript Injection in ///api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin
(function anonymous() {host = www.se.no$xdr = xdr;DUMMY_EXPR;})
[NoScript XSS] Sanitized suspicious request. Original URL [https://konto.dagbladet.no/api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin] requested from [http://www.se.no/tv/#]. Sanitized URL: [https://konto.dagbladet.no/api/xdr/dev/#6425552468366076828].
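To make the log above easier to read, here is an added example (not NoScript's own code, and not posted by anyone in this thread) of the two steps it records: asking the JavaScript engine whether a URL fragment parses as script when wrapped in a function body with a trailing DUMMY_EXPR, and, on a hit, replacing the fragment with a random decimal string the way the "Sanitized URL" line shows. The real InjectionChecker applies many more transformations; the only reduction reproduced here, cutting the fragment at each "/" so that the logged candidate "host = www.se.no$xdr = xdr" turns up, is a guess at why the logged candidate stops where it does. The URLs are the ones in the log; the rng parameter and the 19-digit replacement length are assumptions.

```javascript
// Added example: a toy InjectionChecker. Not NoScript's code.

// Ask the engine whether `candidate` parses as JavaScript when wrapped in a
// function body with a dummy expression appended, as the NoScript log shows.
// new Function() only compiles; nothing is executed.
function parsesAsJs(candidate) {
  try {
    new Function(candidate + ";DUMMY_EXPR;");
    return true;
  } catch (e) {
    return false; // SyntaxError: does not look like script
  }
}

// Candidates derived from a fragment: the whole fragment, then its prefixes
// cut before each "/" (assumed reduction; NoScript's real set is larger).
function candidatesFor(fragment) {
  const out = [fragment];
  for (let i = fragment.lastIndexOf("/"); i > 0; i = fragment.lastIndexOf("/", i - 1)) {
    out.push(fragment.slice(0, i));
  }
  return out;
}

// Return every candidate of the URL's fragment that the engine accepts as JS.
// "host=www.se.no$xdr=xdr" is accepted because "$" is legal in identifiers,
// so it reads as the chained assignment host = www.se.no$xdr = xdr.
function jsLikeCandidates(url) {
  const fragment = decodeURIComponent(new URL(url).hash.slice(1));
  return candidatesFor(fragment).filter(parsesAsJs);
}

// Sanitize as the log shows: keep the URL, replace the fragment with digits.
// rng is injectable so the result can be checked deterministically (assumed).
function sanitizeUrl(url, rng = Math.random) {
  const u = new URL(url);
  let digits = "";
  while (digits.length < 19) digits += Math.floor(rng() * 10);
  u.hash = digits;
  return u.toString();
}

// Inputs taken from the log lines above.
const REQUESTED = "https://konto.dagbladet.no/api/xdr/dev/#host=www.se.no$xdr=xdr/xd_receiver.html$sf=checkServerLogin";
const ORIGIN = "http://www.se.no/tv/#";

const hits = jsLikeCandidates(REQUESTED);
if (hits.length) {
  console.log(`[toy InjectionChecker] JavaScript-looking fragment in request from ${ORIGIN}:`);
  for (const h of hits) console.log("  (function anonymous() {" + h + ";DUMMY_EXPR;})");
  console.log("[toy XSS] Sanitized URL: " + sanitizeUrl(REQUESTED));
}
```

The false-positive problem the thread is circling is visible in the middle function: legitimate cross-domain login handshakes that pass key=value$key=value state in the fragment are indistinguishable, at the syntax level, from a chained assignment, which is why the work-around of whitelisting the sending site is not the same thing as the checker deciding the request is harmless.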