[ext] NoScript 1.1.4.8 - The XSS Sniper

Alan Baxter
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Post by Alan Baxter »

I found the following post in the mozilla.support.firefox Usenet newsgroup. Thought you should know about it, Giorgio, so I've copied it here along with my reply. Is this a bug or false positive?
I've got NoScript installed in Firefox. When I google a page with ', ä, ü, ö, ß or something like that in the title, NoScript deletes these as an XSS attempt. I put my own page on the XSS whitelist, but it seems that the standard whitelist already contains wikipedia, and I still have problems.

When I go to:
http://www.google.de/search?q=ANTM+%22A ... ipedia.org
and click the link, it calls:
http://en.wikipedia.org/wiki/America's_Next_Top_Model
this is changed to
http://en.wikipedia.org/wiki/America_s_Next_Top_Model
Firefox caches the reply for some reason and
http://en.wikipedia.org/wiki/America's_Next_Top_Model
goes on not working till I call for example a
http://en.wikipedia.org/wiki/America's_ ... tion=purge

The NoScript Console says:
[NoScript XSS] Sanitized suspicious request referer. URL [http://en.wikipedia.org/wiki/America's_Next_Top_Model (REF: http://www.google.de/search?q=america's ... =firefox-a)] requested from [http://www.google.de/search?q=america's+next+top+model&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a]. Sanitized Referrer: [http://en.wikipedia.org/wiki/America's_Next_Top_Model].)

and

[NoScript XSS] Sanitized suspicious request. Original URL [http://en.wikipedia.org/wiki/America's_Next_Top_Model] requested from [http://www.google.de/search?q=america's+next+t ... =firefox-a]. Sanitized URL: [http://en.wikipedia.org/wiki/America%20s_Next_Top_Model].)

My reply:
I get the same behavior too. google.de is not whitelisted.
wikipedia.org is whitelisted. Might be a bug in NoScript because the
sanitization is replacing the apostrophe with a space according to this
message NoScript put in the Error Console:
[NoScript XSS] Sanitized suspicious request. Original URL
[http://en.wikipedia.org/wiki/America's_Next_Top_Model] requested from
[http://www.google.de/search?q=ANTM+%22ANTM+redirects+here%22+site%3Aen.wikipedia.org].
Sanitized URL:
[http://en.wikipedia.org/wiki/America%20s_Next_Top_Model].

If you can, post this problem in the official NoScript topic in the
MozillaZine forums at
http://forums.mozillazine.org/viewtopic ... order=desc. The
developer of NoScript provides support for NoScript there. In the
meantime I'll post a copy of this problem there because I do think it's
something that the developer should know about.
--
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
NoScript 1.1.4.8.070502
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

@cericson46:
Since you mentioned a slow dialup connection and frames, I'm inclined to believe some external JavaScript file fails to load due to a network timeout, especially if the problem is intermittent.
Can I have a URL to test? Thanks!

@jdopple:
This may be related to the changes which made the Linux build crash on some Flash-intensive sites.
Even if you're not on Linux, could you try upgrading to 070502 and see if the problem persists?

@Alan:
This is not a bug, as the single quote/apostrophe is actually one of the most dangerous XSS characters.
On the other hand, its usage in Wikipedia title URLs is probably safe, so you can just edit the NoScript Options|XSS|Anti-XSS Protection Exceptions removing the apostrophe from the last line:
^http://[a-z]+\.wikipedia\.org/wiki/[^"'<>\?%]+$
becomes
^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
Next NoScript version will use the latter regexp by default.
Thanks for your always timely reports :)
jdopple
Posts: 88
Joined: February 27th, 2005, 9:49 pm

Post by jdopple »

I'm using Win XP, and upgraded to the latest version.

So far, seems to have fixed that problem. Will report if I see it again.
jdopple
Posts: 88
Joined: February 27th, 2005, 9:49 pm

Post by jdopple »

Sorry, still getting it. Here's a capture of what happened when I clicked on this link:


http://www.fatwallet.com/t/52/731851/

The black box lasts until the page fully loads. Enabling GLOBAL SCRIPTING cures the problem.

Image
Last edited by jdopple on May 16th, 2007, 5:39 pm, edited 1 time in total.
ltsnow
Posts: 1173
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Temporarily allow no longer available in Minefield

Post by ltsnow »

The "temporarily allow" function is no longer in my right-click context menu for the latest nightly of Minefield. It is still working fine in Firefox 2.0.0.5pre. Any thoughts?
ltsnow
Posts: 1173
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Post by ltsnow »

I see what's happening. The word "temporarily" is not present in Minefield, only italics. Why is this?
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

ltsnow wrote: I see what's happening. The word "temporarily" is not present in Minefield, only italics. Why is this?

Minefield bug, probably a regression caused by the fix to 53901.

@jdopple:
I've been able to reproduce and fix, just please wait for the next build. Many thanks for reporting :)
Aerik
Posts: 99
Joined: December 6th, 2006, 3:13 pm
Location: Shawnee, KS

Post by Aerik »

This hasn't happened in a while, but file: disappeared from my whitelist. Other than that, this latest build has been pretty good to me.
niko322
Posts: 50
Joined: April 11th, 2007, 1:26 pm

Post by niko322 »

Bug with 1.1.4.8.070502?

In ver 1.1.4.8.070429 the change log says

+ Shortcut to show NoScript menu works even if status bar icon and
toolbar button are both hidden

I try "ctrl shift s" when the status bar is hidden and it's not working...
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

NoScript 1.1.4.8.070511 available here should fix all the issues reported so far, and adds a couple of extra safety preferences for links opened from external applications (XSS filtered by default) and from temporarily allowed sites (XSS filtered optionally), look at the changelog for details.

Please let me know if you find any outstanding regression, otherwise I'll merge the updated locales and make an AMO release in 12 hours.

@Aerik: can you check if file:// went in the untrusted blacklist by accident?

Thank you all :)
ltsnow
Posts: 1173
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Post by ltsnow »

Thanks for the update Giorgio and thanks for the acknowledgement in the changelog. The word "temporarily" now appears fine in Minefield.
Soul Stealer
Posts: 480
Joined: March 31st, 2007, 1:18 pm
Location: God's Country

Post by Soul Stealer »

Just wanted to say thanks to Giorgio for all the work he puts into this script. :D


And, been to your corner of the world in my travels while in the U. S. Navy. :D
It's like I said.
Alan Baxter
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Post by Alan Baxter »

It looks like NoScript 1.1.4.8.070511 has changed the default value for noscript.filterXGetRx to "[^\w:\/\.\-\+\*\=\(\)\[\]\{\}~,@;\|#]". I bet this corresponds to "Better compatibility with Google Toolbar's translation service" in the changelog. The only modification I had made to that pref was appending "\|" to it as you suggested in http://forums.mozillazine.org/viewtopic ... 63#2871963 . Of course the NoScript update did not replace my edited version with the new default, so I replaced it manually by resetting it in about.config. That was the right thing to do, wasn't it?
--
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
NoScript 1.1.4.8.070511
Giorgio Maone
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post by Giorgio Maone »

Alan Baxter wrote: It looks like NoScript 1.1.4.8.070511 has changed the default value for noscript.filterXGetRx
[...]
I replaced it manually by resetting it in about.config. That was the right thing to do, wasn't it?

Yes it was, young Skywalker.

Nuttysman, hope you're home with your family now, bad times for traveling with U. S. Navy/Army.
Take care.
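
A simplified model of the filtering discussed in this thread, added here as an example and not taken from NoScript's source: it checks a URL against the old and the relaxed Wikipedia exception quoted by Giorgio Maone and, when no exception matches, replaces every character matched by the noscript.filterXGetRx default quoted by Alan Baxter with a space. The function names, the replace-with-space step (inferred from the console messages earlier in the thread) and the last two sample URLs are assumptions.

```javascript
// Added example: simplified model, not NoScript source code.
// Wikipedia exception line before and after the change quoted in the thread.
const OLD_EXCEPTION = /^http:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"'<>\?%]+$/;
const NEW_EXCEPTION = /^http:\/\/[a-z]+\.wikipedia\.org\/wiki\/[^"<>\?%]+$/;
// 070511 default of noscript.filterXGetRx as quoted in the thread, made global.
const FILTER_X_GET = /[^\w:\/\.\-\+\*\=\(\)\[\]\{\}~,@;\|#]/g;

// Assumption: a request whose URL matches an exception is left untouched;
// otherwise each character matched by the filter is replaced with a space.
// URL decoding, which a real filter needs, is left out of this model.
function filterRequest(url, exceptions) {
  if (exceptions.some((rx) => rx.test(url))) {
    return { url, sanitized: false, stripped: [] };
  }
  const stripped = [...new Set(url.match(FILTER_X_GET) || [])];
  const clean = url.replace(FILTER_X_GET, " ").replace(/ /g, "%20");
  return { url: clean, sanitized: clean !== url, stripped };
}

// The first URL is the one from the report; the other two are constructed.
const SAMPLES = [
  "http://en.wikipedia.org/wiki/America's_Next_Top_Model",
  "http://en.wikipedia.org/wiki/Firefox",
  'http://en.wikipedia.org/wiki/a"b<c>',
];

// Run every sample through both exception lists for a side-by-side view.
function compare() {
  return SAMPLES.map((u) => ({
    input: u,
    before: filterRequest(u, [OLD_EXCEPTION]),
    after: filterRequest(u, [NEW_EXCEPTION]),
  }));
}

for (const r of compare()) {
  console.log(r.input);
  console.log("  old exception:", r.before.url, r.before.stripped);
  console.log("  new exception:", r.after.url, r.after.stripped);
}
```

With the old exception the reported URL comes out as America%20s_Next_Top_Model, as in the console message; with the relaxed one it passes unchanged, while double quotes and angle brackets are still stripped.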
mamas6667
Posts: 2
Joined: May 20th, 2007, 4:06 am

Post by mamas6667 »

Mr Giorgio Maone
1st, thank you for the NoScript extension, excellent safety tool

- I would like to disable seeing "Allow XXX.com" or "Allow XXX.com" when I right click the NoScript icon
- And only see the option "Temporarily allow XXX.com" or "Temporarily allow XXX.com"

I searched around, and found nothing, also tried changing some values in About:config noscript.show but I wasn't able to do it.

I know it's an odd request but I'm sure it can be done

Be well. :-)