This causes the main Phabricator page to load. Since we want users to report issues, we need to figure out the difference between the link in the footer and on the error page.
Description
Related Objects
- Mentioned In:
  - rXTRMRB3e346474d44c: Merge branch 'master' into T170292
  - rXTRMRBeaca305b0be7: Merge pull request #39 from x-tools/T170292
  - rXTRMRB249d543a5b65: Fix error handling to avoid an XSS error within NoScript
  - rXT3e346474d44c: Merge branch 'master' into T170292
  - rXTeaca305b0be7: Merge pull request #39 from x-tools/T170292
  - rXT249d543a5b65: Fix error handling to avoid an XSS error within NoScript
  - rXTR3e346474d44c: Merge branch 'master' into T170292
  - rXTReaca305b0be7: Merge pull request #39 from x-tools/T170292
  - rXTR249d543a5b65: Fix error handling to avoid an XSS error within NoScript
Event Timeline
It's the file name in the task description. Logging output:
[NoScript InjectionChecker] JavaScript Injection in ///maniphest/task/create/?title=PLEASE%20REPLACE%20WITH%20A%20DESCRIPTION%20OF%20THE%20ERROR&priority=75&projects=Tool-labs-tools-xtools&description=```/var/www/src/Xtools/Edit.php:%20103%20-%20Error:%20Call%20to%20a%20member%20function%20format()%20on%20boolean```(function anonymous( ) { ```/var/www/src/Xtools/Edit.php:%20103%20-§:§§§§§§()§§``` /* COMMENT_TERMINATOR */ DUMMY_EXPR }) [NoScript XSS] Sanitized suspicious request. Original URL [https://phabricator.wikimedia.org/maniphest/task/create/?title=PLEASE%20REPLACE%20WITH%20A%20DESCRIPTION%20OF%20THE%20ERROR&priority=75&projects=Tool-labs-tools-xtools&description=```/var/www/src/Xtools/Edit.php:%20103%20-%20Error:%20Call%20to%20a%20member%20function%20format()%20on%20boolean```] requested from [http://xtools.wmflabs.org/articleinfo/en.wikipedia.org/Thomas%20Jefferson]. Sanitized URL: [https://phabricator.wikimedia.org/#42521639302495773499].
It seems like even with replacing the filename with just the class name this could still be a bit fragile — what if there's a file name in the error message at some point?
I think the most useful thing to submit in the bug report is the full current URL that the user is accessing, query string and all. No, actually just the timestamp really, because we can look in the log for the rest.
(But, the above PR solves this for now, so I'm also happy to close this till some further problem arises!)
The full URL may still be seen as an XSS attempt... that's why I went with the class instead. The more long-term solution might be the full path, if we could figure out a way to URL encode it.
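The two report formats the thread contrasts, as an added example that is not XTools' or NoScript's own code: the fixed title, priority and project values come from the logged URL above, while the class-name-plus-timestamp format, the `identifier(` heuristic standing in for an injection filter's check, and the helper names are assumptions made for illustration.

```python
"""Build a Phabricator 'create task' link for an XTools error report.

Added example, not XTools' or NoScript's code. The fixed parameters are
taken from the URL in the thread; the report formats and the call-pattern
heuristic are assumptions written for illustration.
"""
import re
from urllib.parse import urlencode, urlparse, parse_qs

PHAB_CREATE = "https://phabricator.wikimedia.org/maniphest/task/create/"
FIXED_PARAMS = {
    "title": "PLEASE REPLACE WITH A DESCRIPTION OF THE ERROR",
    "priority": "75",
    "projects": "Tool-labs-tools-xtools",
}

# Stand-in for the kind of pattern an injection filter reacts to:
# an identifier directly followed by a call's parentheses, e.g. format().
JS_CALL = re.compile(r"[A-Za-z_$][\w$]*\s*\(")


def build_report_url(description: str) -> str:
    """Prefilled create-task URL; urlencode percent-encodes '(' and ')' too."""
    params = dict(FIXED_PARAMS, description=description)
    return PHAB_CREATE + "?" + urlencode(params)


def full_message_description(path: str, line: int, message: str) -> str:
    """The fragile form: file path, line and raw PHP message in backticks."""
    return f"```{path}: {line} - Error: {message}```"


def class_name_description(path: str, line: int, error_time: str) -> str:
    """The form the PR moved to: class name instead of the path, plus the
    timestamp the second comment suggests, and no raw message text."""
    cls = path.rsplit("/", 1)[-1]
    cls = cls[:-4] if cls.endswith(".php") else cls
    return f"{cls}:{line} at {error_time}"


def looks_like_js_call(description: str) -> bool:
    """True when the description contains an identifier( pattern."""
    return JS_CALL.search(description) is not None


def decoded_description(url: str) -> str:
    """What a filter that decodes the URL before inspecting it sees."""
    return parse_qs(urlparse(url).query)["description"][0]
```

The round-trip in the last helper is the point of the final comment: percent-encoding changes the link but not the decoded text a filter inspects, so only the class-name form removes the flagged pattern.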