XSS Filter Messages

Deyeno

XSS Filter Messages

Unread post by Deyeno » 2016-02-05, 09:15

Dear All.

Does anyone know what is causing these XSS messages? I am getting on average 20 messages a day and it's very annoying, as clicking on the X in the yellow ribbon doesn't close the message; rather, I have to reload the page again.

This has only started after upgrading to Palemoon 26.X.X.

I get these messages while surfing the following URLs, as these are always open in my browser.

http://www.stuff.co.nz/sport
http://www.sportsfan.com.au/
http://www.practicalmachinist.com/vb/cnc-machining/
http://www.news.com.au/

superA

Re: XSS Filter Messages

Unread post by superA » 2016-02-05, 11:07

See the last post and reply there: viewtopic.php?f=5&t=10817

Funny thing, I don't get those XSS messages on any of these sites, especially the first one after going to exact same location, even without an adblocker.

Moonchild
Pale Moon guru
Posts: 35650
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: XSS Filter Messages

Unread post by Moonchild » 2016-02-05, 13:24

Doubleclick and possibly some other ad networks will likely need to be added to the source whitelist in the future, depending on how their advertising framework works.
I don't know exactly why an advertisement would want to add an event listener in their loaded ads though, that sounds a little dodgy to me.

Please do post the browser console messages as outlined so we have all necessary information.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: XSS Filter Messages

Unread post by Pallid Planetoid » 2016-02-07, 00:08

I haven't as yet updated to 26.0.3 (still on 26.0.2) but after reading this I have some concerns.

POINTS:
1) I would not want to have to "whitelist" Doubleclick or for that matter any other "ad networks" in the form of a workaround (I currently block these types of sites via NoScript)
2) As pointed out above I use NoScript which already applies XSS filtering anyway (and I've found this to be not only complicated in the first place but adjustments in NoScript SSL filtering for some banks I need were necessary as it is).

QUESTIONS: So considering that 26.0.3 has changed the XSS filter configuration to address filter hits in a different manner:
1) Should I or more precisely DO I really want to go with this new update (considering that my NoScript add-on already has XSS filtering included anyway)?
2) Or would it be better to wait for another PM update?


I'm far from an expert on this stuff so I may be asking stupid questions. :eh:

EDIT: Never mind my questions above. After looking into it further, XSS filtering has been in place as of v26 anyway, and the current version is improving web compatibility and, more specifically, reconfiguring the XSS filter to address some of the known but harmless filter hits that have been reported. So it's a no-brainer to update!!! :thumbup: ;)
Last edited by Pallid Planetoid on 2016-02-07, 02:46, edited 1 time in total.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

dark_moon

Re: XSS Filter Messages

Unread post by dark_moon » 2016-02-07, 00:49

I agree with Pale Moon Rising.
Including one of the big bad adtrackers in the whitelist isn't a good idea.
Doubleclick distributed a lot of malware in their ads.

@Pale Moon Rising: You can, and it's recommended, to always use the latest version of Pale Moon.
I have used NoScript since before I used Pale Moon and have never had any problems. Not even in the long beta testing of the XSS filter in Pale Moon.

Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: XSS Filter Messages

Unread post by Pallid Planetoid » 2016-02-07, 02:53

Thanks for the info dark_moon, good to know there's been no conflict between NoScript XSS filtering and Pale Moon's XSS filtering including going forward in beta. :thumbup: :clap:

I've taken the time to catch up: XSS filtering has been in use by PM since v26, and all the current version is intended to do is improve web compatibility with both cookies and XSS filtering, so all is good :thumbup: .... Have updated to the current Pale Moon. :thumbup:
Last edited by Pallid Planetoid on 2016-02-08, 01:53, edited 1 time in total.

Thrawn

Re: XSS Filter Messages

Unread post by Thrawn » 2016-02-07, 23:25

Moonchild wrote: I don't know exactly why an advertisement would want to add an event listener in their loaded ads though, that sounds a little dodgy to me.
I'm sure it is dodgy. NoScript's XSS filter has run into various ad networks before that assemble pages in messy ways. I guess it's not so surprising, when advertisers want to insert markup into the page, and webmasters are in need of funds, that they take shortcuts.

Whether the page really is vulnerable - that would depend on the specific page, but it's very possible.