bug #6038

[Redmine] NoScript detects CrossSiteScripting for Redmine

Added by Patrick Plitzner over 4 years ago. Updated about 4 years ago.


I experienced this warning directly after logging in and when using one of my bookmarks which shows all my open issues.

(btw. clicking on this link works for me, but copy & paste into the address bar does not)

Directly searching for issues works, but the link is blocked and I am redirected to the main page.

browser console output:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///redmine/projects/edit/issuesutf8=â??&set_filter=1&f[]=status_id, assigned_to_id, &op[status_id]==&v[status_id][]=2, 1, 4&op[assigned_to_id]==&v[assigned_to_id][]=me&c[]=tracker, status, priority, subject, assigned_to, updated_on&group_by=&t[]=
(function anonymous() {
2, 1, 4&op[assigned_to_id]== /* COMMENT_TERMINATOR */
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [] angefordert von [chrome://browser/content/browser.xul]. Bereinigte URL: [].
mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create panel.js:5816:3
Synchrone XMLHttpRequests am Haupt-Thread sollte nicht mehr verwendet werden, weil es nachteilige Effekte für das Erlebnis der Endbenutzer hat. Für weitere Hilfe siehe panel.js:3525:3
nicht wohlgeformt messages.json:1:1


#1 Updated by Andreas Kohlbecker over 4 years ago

  • Status changed from New to Feedback
  • Assignee changed from Andreas Kohlbecker to Patrick Plitzner

I think that this is a false positive XSS detection of NoScript.

Patrick, please can you further investigate this issue, if you think that this is really a security problem with Redmine or with our Redmine setup.
Otherwise I suggest closing this ticket as Rejected.

#2 Updated by Patrick Plitzner about 4 years ago

  • Status changed from Feedback to Rejected
  • Target version deleted (Unassigned CDM tickets)

After playing around a little it seems like the copied link only works if opened from within a Redmine issue. If copied to clipboard and pasted into the address bar, or copied to a text file and opened from there, or added to the bookmarks, it does not work. I don't want to investigate any further, but it seems like this is coherent with the origin policy for XSS. Closing as rejected.
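The following script is an added example, not part of the original ticket or of Redmine or NoScript. It decodes a query URL of the same shape as the one in the NoScript log above (hostname and the Rails `utf8` check-mark parameter are assumed; the log shows the latter mis-encoded) into Redmine's `f[]` / `op[]` / `v[]` / `c[]` filter structure, and runs a deliberately simple script-token check over each decoded value. The check is an illustration of what "plain data" looks like here, not NoScript's InjectionChecker logic: every value is a field name, an operator, an id or a column name, and the `==` and `[]` sequences that look alarming in the coalesced log line come from Rails' parameter encoding, not from any value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL, modelled on the "my open issues" query in the
# NoScript log above. The hostname is a placeholder; utf8=%E2%9C%93 is the
# Rails form marker (assumed; the log shows it mis-encoded as "â??").
SAMPLE_URL = (
    "https://redmine.example.org/redmine/projects/edit/issues"
    "?utf8=%E2%9C%93&set_filter=1"
    "&f[]=status_id&f[]=assigned_to_id&f[]="
    "&op[status_id]==&v[status_id][]=2&v[status_id][]=1&v[status_id][]=4"
    "&op[assigned_to_id]==&v[assigned_to_id][]=me"
    "&c[]=tracker&c[]=status&c[]=priority&c[]=subject"
    "&c[]=assigned_to&c[]=updated_on&group_by=&t[]="
)

# Tokens a parameter value would need to contain to carry script. This is a
# simple illustrative check, not NoScript's InjectionChecker algorithm.
SCRIPT_LIKE = re.compile(r"""[<>'"();`{}]|javascript:|\bfunction\b""", re.I)


def parse_issue_query(url):
    """Decode Redmine's f[]/op[]/v[]/c[] filter parameters into a dict."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    filters = {}
    for field in qs.get("f[]", []):
        if not field:  # Redmine appends an empty f[] placeholder entry
            continue
        filters[field] = {
            # op[<field>] holds the operator, e.g. "=", so "op[status_id]=="
            # decodes to key "op[status_id]" with value "="
            "op": qs.get(f"op[{field}]", [""])[0],
            # v[<field>][] is repeated once per selected value
            "values": qs.get(f"v[{field}][]", []),
        }
    return {
        "filters": filters,
        "columns": qs.get("c[]", []),
        "group_by": qs.get("group_by", [""])[0],
    }


def script_like_values(url):
    """Return (key, value) pairs whose decoded value contains script-like tokens."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, vals in qs.items() for v in vals if SCRIPT_LIKE.search(v)]


if __name__ == "__main__":
    parsed = parse_issue_query(SAMPLE_URL)
    for field, spec in parsed["filters"].items():
        print(f"{field:15} op={spec['op']!r} values={spec['values']}")
    print("columns:", parsed["columns"])
    print("script-like values:", script_like_values(SAMPLE_URL))
```

Running it prints the two filters (`status_id` with operator `=` and values `2, 1, 4`; `assigned_to_id` with operator `=` and value `me`), the column list, and an empty list of script-like values, which is the data-level picture behind the "false positive" conclusion in the comments. Why the same URL behaves differently when typed into the address bar versus followed from inside Redmine is not something this check can show, so the script makes no claim about it.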
