Bug #6038 (closed)
[Redmine] NoScript detects CrossSiteScripting for Redmine
Description
I experienced this warning directly after logging in and when using one of my bookmarks, which shows all my open issues: http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D&v%5Bstatus_id%5D%5B%5D=2&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me&f%5B%5D=&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
(btw. clicking on this link works for me, but copy & paste into the address bar does not)
Directly searching for issues works, but the link is blocked and I am redirected to the main page.
Browser console output:

    [NoScript InjectionChecker] JavaScript Injection in coalesced:///redmine/projects/edit/issuesutf8=â??&set_filter=1&f[]=status_id, assigned_to_id, &op[status_id]==&v[status_id][]=2, 1, 4&op[assigned_to_id]==&v[assigned_to_id][]=me&c[]=tracker, status, priority, subject, assigned_to, updated_on&group_by=&t[]= (function anonymous() { 2, 1, 4&op[assigned_to_id]== /* COMMENT_TERMINATOR */ DUMMY_EXPR })
    [NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D&v%5Bstatus_id%5D%5B%5D=2&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me&f%5B%5D=&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=] angefordert von [chrome://browser/content/browser.xul]. Bereinigte URL: [http://dev.e-taxonomy.eu/#7388068497079853872].
    mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create panel.js:5816:3
    Synchrone XMLHttpRequests am Haupt-Thread sollte nicht mehr verwendet werden, weil es nachteilige Effekte für das Erlebnis der Endbenutzer hat. Für weitere Hilfe siehe http://xhr.spec.whatwg.org/ panel.js:3525:3
    nicht wohlgeformt messages.json:1:1
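To see why the InjectionChecker tripped on this bookmark, here is an added example (not code from this report or from NoScript) that decodes the query string, joins repeated parameter names with ", " the way the `coalesced:///` line in the console output shows them, and then checks whether any value contains a character that could close an HTML attribute, string or tag context. The URL constant is copied from the report; the set of context-breaking characters is my own assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Copy of the issues-filter bookmark quoted in this report.
REPORTED_URL = (
    "http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93&set_filter=1"
    "&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D&v%5Bstatus_id%5D%5B%5D=2"
    "&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4&f%5B%5D=assigned_to_id"
    "&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me&f%5B%5D="
    "&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject"
    "&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D="
)

# Assumed set of characters that can close an HTML attribute, string or tag
# context; a value containing none of them cannot start script on its own.
BREAKOUT_CHARS = re.compile(r"""[<>"'`()/\\;{}]""")


def coalesce_query(url: str) -> dict:
    """Decode the query and join the values of repeated parameter names with ', ',
    which is how the 'coalesced:///' line in the NoScript console output shows them."""
    merged = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        merged.setdefault(name, []).append(value)
    return {name: ", ".join(values) for name, values in merged.items()}


def coalesced_query_string(url: str) -> str:
    """Render the coalesced parameters as one string for comparison with the log line."""
    return "&".join(f"{name}={value}" for name, value in coalesce_query(url).items())


def breakout_candidates(url: str) -> list:
    """Return (name, value) pairs whose value contains a context-breaking character.
    An empty list means the request carries only plain identifiers and numbers, so an
    InjectionChecker hit on it is very likely a false positive of the JS-parse heuristic."""
    return [(n, v) for n, v in coalesce_query(url).items() if BREAKOUT_CHARS.search(v)]


if __name__ == "__main__":
    print(coalesced_query_string(REPORTED_URL))
    # The three status ids become "2, 1, 4", which reads as a JS comma expression
    # and is the fragment NoScript wrapped in "function anonymous() { ... }".
    print("coalesced status filter:", coalesce_query(REPORTED_URL)["v[status_id][]"])
    print("context-breaking values:", breakout_candidates(REPORTED_URL))
```

Running it reproduces the coalesced string from the log (apart from the mis-rendered check mark) and reports no context-breaking values, which is the evidence a triager would want before rejecting the warning.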
Updated by Andreas Kohlbecker over 7 years ago
- Status changed from New to Feedback
- Assignee changed from Andreas Kohlbecker to Patrick Plitzner
I think that this is a false positive XSS detection by NoScript.
Patrick, could you please investigate this issue further if you think that this is really a security problem with Redmine or with our Redmine setup?
Otherwise I suggest closing this ticket as Rejected.
Updated by Patrick Plitzner over 7 years ago
- Status changed from Feedback to Rejected
- Target version deleted (Unassigned CDM tickets)
After playing around a little, it seems like the copied link only works if opened from within a Redmine issue. If copied to the clipboard and pasted into the address bar, or copied to a text file and opened from there, or added to the bookmarks, it does not work. I don't want to investigate any further, but it seems like this is coherent with the origin policy for XSS. Closing as rejected.