RFE: Remove obsolete default XSS Exceptions
Posted: Thu May 10, 2012 6:08 am
by Tom T.
Thrawn and I have been testing the default XSS exceptions. Neither of us was able easily to trigger an XSS warning with the exceptions removed.
I started deleting all exceptions a few years ago anyway. I use Google only when absolutely necessary, but have used Wikipedia, as both guest and registered user, including secure version, many times, with no XSS errors at either site. Couldn't create one in Yahoo search, either.
Last mention of XSS re: Wikipedia is
v 1.1.4.8.070424
x Improved Wikipedia XSS exception
or more than five years ago.
Wikimedia:
v 1.1.9.9
x Better compatibility with Wikimedia sites
(doesn't specify XSS)
With the continued fine-tuning of the XSS sensitivity, perhaps these may be deleted as defaults -- unless anyone can show a reasonable set of steps to trigger an XSS message when these exceptions are removed?
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Thu May 10, 2012 7:27 pm
by dhouwn
Wasn't it introduced because quite a lot of WP sites have brackets in them, e.g.
http://en.wikipedia.org/wiki/John_Doe_(disambiguation) or one might search for things with braces
http://en.wikipedia.org/wiki/Special:Se ... oe+(actor)?
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Fri May 11, 2012 2:32 am
by Tom T.
I just clicked both of your links, and neither produced an XSS message. Both went directly to the target pages.
Any more explicit steps to produce an XSS message?
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Fri May 11, 2012 3:34 am
by Thrawn
I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Fri May 11, 2012 5:01 am
by Tom T.
Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions?
(or click "XSS FAQ..." at the top of the XSS tab itself.)
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Mon May 14, 2012 11:08 am
by Thrawn
Tom T. wrote:
Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions?
(or click "XSS FAQ..." at the top of the XSS tab itself.)
Yes, that's the ideal, of course. But it might be good to add
to the default exceptions?
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Tue May 15, 2012 12:58 am
by Tom T.
Thrawn wrote:
Tom T. wrote:
Thrawn wrote:I support this RFE, but I'm going to play devil's advocate for a moment and point out that the default exceptions provide a good set of examples for anyone needing to write a new one. If they're removed, there should be some replacement.
Such as the one listed in the XSS FAQ, which would be well-advised reading for anyone before they start creating exceptions?
(or click "XSS FAQ..." at the top of the XSS tab itself.)
Yes, that's the ideal, of course. But it might be good to add
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
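Added illustration (not code from this thread, and not NoScript's actual XSS filter, whose internals are not shown here): a deliberately simple reflected-XSS heuristic over the query and fragment of a URL, plus two ways of writing a "wikipedia.org" exception. It shows three things the posts above argue about. The bracketed Wikipedia URL dhouwn quoted never trips the heuristic because only the query and fragment are inspected, so the exception is doing nothing for it. An exception is a blanket pass, so if the excepted site does get a reflected XSS the filter no longer catches it (Tom T.'s "what if example.com gets XSSed?"). And an exception regex that is not anchored to the scheme and host can be satisfied by an attacker who simply puts the string in their own query. The search URL, the injected URL, the `attacker.invalid` URL and the `SUSPICIOUS` pattern are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed, deliberately simple heuristic for "this query looks like injected
# markup or script". Illustration only; NoScript's real filter is not reproduced here.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Two ways to write a "wikipedia.org" exception. The anchored form matches only
# URLs whose host really is wikipedia.org or a subdomain of it; the unanchored
# form matches any URL that merely contains the string, including an attacker's query.
ANCHORED_WIKIPEDIA = re.compile(r"^https?://([a-z0-9-]+\.)*wikipedia\.org/", re.IGNORECASE)
UNANCHORED_WIKIPEDIA = re.compile(r"wikipedia\.org", re.IGNORECASE)

# Sample URLs. The first is the disambiguation link quoted in the thread; the
# other three are constructed for this example (.invalid is a reserved TLD).
WIKI_DISAMBIG = "http://en.wikipedia.org/wiki/John_Doe_(disambiguation)"
WIKI_SEARCH = "http://en.wikipedia.org/w/index.php?search=John+Doe+(actor)"
WIKI_INJECTED = "http://en.wikipedia.org/w/index.php?search=%3Cscript%3Ealert(1)%3C/script%3E"
SPOOF = "http://attacker.invalid/page?ref=wikipedia.org%3Cscript%3Ealert(1)%3C/script%3E"


def looks_like_xss(url: str) -> bool:
    """Decode the query and fragment (the parts an attacker controls in a
    reflected-XSS link) and test them against the heuristic. The path is not
    inspected, which is why bracketed Wikipedia titles never trip it."""
    parts = urlsplit(url)
    decoded = unquote_plus(parts.query) + " " + unquote_plus(parts.fragment)
    return SUSPICIOUS.search(decoded) is not None


def should_block(url: str, exceptions) -> bool:
    """An exception short-circuits the check entirely: a reflected XSS on an
    excepted site is no longer caught, which is the cost of a default exception."""
    if any(rx.search(url) for rx in exceptions):
        return False
    return looks_like_xss(url)


def evaluate():
    """Run the four sample URLs through each exception policy."""
    policies = {
        "none": [],
        "anchored": [ANCHORED_WIKIPEDIA],
        "unanchored": [UNANCHORED_WIKIPEDIA],
    }
    urls = {
        "disambig": WIKI_DISAMBIG,
        "search": WIKI_SEARCH,
        "injected": WIKI_INJECTED,
        "spoof": SPOOF,
    }
    return {
        policy: {name: should_block(u, rxs) for name, u in urls.items()}
        for policy, rxs in policies.items()
    }


if __name__ == "__main__":
    for policy, results in evaluate().items():
        print(policy, results)
```

With no exceptions at all, both Wikipedia links pass and only the two injected URLs are blocked, which matches what Tom T. and Thrawn observed after deleting the defaults. The anchored exception lets the injected Wikipedia URL through (the exception's cost), while the unanchored one additionally lets the attacker's URL through just because "wikipedia.org" appears in its query; if an exception is kept at all, anchor it to the scheme and host.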
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Wed May 16, 2012 1:06 am
by Thrawn
Tom T. wrote:
Thrawn wrote:
<snip>it might be good to add
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
Huh. I would have thought it was safe, but when I actually visit, turns out that it's trying to run 3 scripts. Who'd have thunk?
Re: RFE: Remove obsolete default XSS Exceptions
Posted: Wed May 16, 2012 6:45 am
by Tom T.
Thrawn wrote:
Tom T. wrote:
Thrawn wrote:
<snip>it might be good to add
to the default exceptions?
I might include that as a sample, but not a default exception. What if example.com gets XSSed?
Huh. I would have thought it was safe, but when I actually visit, turns out that it's trying to run 3 scripts. Who'd have thunk?
"Never assume".

... I was working on a post in which the user was differentiating between internal LAN sites and external Internet sites, and used external dot com for the latter. Turns out there actually is a web site by that name.
Not surprising -- most common expressions have been co-opted as domain names, to get the "accidental" traffic, where their ads are displayed.
E.g., for ABE rules -- using as an example "friend dot com" (vs. foe dot com). There is a site at friend dot com, too.
So I check all "generic" domains for an actual site there before using them. At least example/IANA is a non-profit site.
