XSS Protection: False positive if a website wants to create a Google Calendar date with special characters like ẞ ß Ä Ö Ü ö ä ü
Access to https://calendar.google.com/calendar/u/0/r/eventedit?parametersForDate is blocked if XSS protection is active, and I am not asked whether I want to allow it.
The only workaround is a global deactivation of the XSS protection in the NoScript settings.
It works for me. The most likely reason is that sometime in the past the XSS filter was triggered by some request landing on calendar.google.com and, when asked, you selected "Always block cross-site requests to calendar.google.com". You can easily find out by using NoScript Options>Export and examining the "xssUserChoices" property and/or by using NoScript Options>Advanced>Clear XSS Choices.
My xssUserChoices:{} were empty :) I also clicked the "Reset" button for XSS Choices, but no change in behaviour. Just a blank, loading page. :(
PS: Ah. It loads, it just takes ~5 minutes until the page is loaded, while it loads instantly with XSS protection deactivated.
Is there some way to debug why the NoScript XSS protection delays the website access there?
You can obtain verbose debugging output by checking NoScript Options>Advanced>Debug, then opening about:debugging and clicking the "Inspect" button in the NoScript entry.
Some other information which may help diagnosing this issue:
- Does it happen on a clean profile with just NoScript installed?
- Does it happen for you if you paste that URL in the navigation bar and hit [Enter], or does it need to be navigated to from another website? Any website or a specific one? Something I could test to reproduce?
Thanks!
Thank you for your help :)
Sadly it seems to still happen and I think I was able to find the source of the issues.
Here in Germany we use special letters like ẞßÄÖÜöäü and it seems to loop longer until it finishes loading the page.
https://www.google.com/calendar/render?action=TEMPLATE&dates=20210712T074500Z%2F20210712T080000Z&location=ff%C3%9Faa+Raa%C3%9Fe+99%2C+99999+A%C3%B6ff&text=ff%C3%9Faa+Raa%C3%9Fe+99%2C+99999+A%C3%B6ff&details=ff%C3%9Faa+Raa%C3%9Fe+99%2C+99999+A%C3%B6ff
It should be fixed in 11.1.9rc4, thanks.