jbenson2, posted April 3, 2011:

I tried clicking on the Elephant clipper at the Evernote blog site mentioned below.

http://blog.evernote.com/2011/03/29/the-shiny-new-evernote-web-redesigned-interface-expanded-note-sharing-options-and-more/

NoScript warned me that there was a potential Cross-site scripting attempt.

spg SCOTT, posted April 4, 2011:

AFAIK, this is because the page info is being passed to another location and data is being transferred between the two.

You will also notice that the fields in the entry window are empty, as the passing of the information (title, suggested tags, etc.) is blocked.

[NoScript XSS] Sanitized suspicious upload to [https]

Complete code here (if needed): https://www.evernote.com/shard/s26/sh/a ... 9f705bae3b

This is when using the site memory clip button on the blog.

jbenson2, posted April 4, 2011:

I tried clicking the link and got the Evernote screen but it said the service is unavailable.

Possible reasons:
- We may be performing regular system maintenance (typically Wednesday evenings, US Pacific time)
- We may be experiencing unexpected problems that require a brief outage

In either case, we are working to restore access to the Evernote Service as quickly as possible.

Here is some additional information from NoScript:

XSS: Cross site scripting is a web application vulnerability which allows the attacker to inject malicious code from a certain site into a different site, and can be used by an attacker to "impersonate" a different user or steal valuable information.

spg SCOTT, posted April 4, 2011:

Yes, so essentially the site memory button/additional js attempts to send data from the blog page to another webpage (clipper).

NoScript intercepts this as suspicious, and "sanitises" the request. --> Turns the sending of data into getting the web clipper page - so no data is passed between the two (I think)

It may be necessary to add an exclusion mask into NS settings to prevent that from happening.

Adding https://www.evernote.com/noteit.action to NS settings -> Advanced -> XSS prevents this from happening

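An added example, not part of the thread and not NoScript's or Evernote's code: it compares how much an XSS exception entry exempts when it is typed as a bare URL versus anchored and escaped. It assumes each entry is a regular expression tested against the full destination URL; the tightened pattern, the function names and the sample URLs are constructed for illustration.

```javascript
// Assumption: every line of the exception list is compiled as a regular
// expression and tested against the full destination URL of the request.

// The entry exactly as typed in the post above.
const LOOSE = "https://www.evernote.com/noteit.action";

// Hypothetical tightened entry: anchored at the start, dots escaped,
// and the path must end or be followed by a query string or fragment.
const TIGHT = "^https://www\\.evernote\\.com/noteit\\.action(?:[?#]|$)";

// Constructed destination URLs used to audit the two entries.
const SAMPLES = [
  "https://www.evernote.com/noteit.action",
  "https://www.evernote.com/noteit.action?url=http%3A%2F%2Fblog.evernote.com%2F",
  "https://www.evernote.com/noteit.actionX",
  "https://wwwXevernote.com/noteit.action",
  "https://other.example/page?next=https://www.evernote.com/noteit.action",
];

// True when a request to `url` would skip XSS sanitising under `pattern`.
function isExempt(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Returns the sample URLs that a given exception entry would exempt.
function audit(pattern) {
  return SAMPLES.filter((url) => isExempt(pattern, url));
}

for (const [name, pattern] of [["loose", LOOSE], ["tight", TIGHT]]) {
  console.log(`${name}: ${pattern}`);
  for (const url of SAMPLES) {
    console.log(`  ${isExempt(pattern, url) ? "EXEMPT   " : "protected"} ${url}`);
  }
}
```

The unanchored entry exempts every sample, including destinations on other hosts that merely contain the clipper URL, while the anchored entry exempts only the clipper endpoint itself.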
jbenson2, posted April 4, 2011:

> It may be necessary to add an exclusion mask into NS settings to prevent that from happening.

Or perhaps Evernote can clean up their side. I have not seen this problem crop up on other websites.

spg SCOTT, posted April 4, 2011:

Not all websites are trying to pass data to other locations. The site clipper is slightly different in this way. Google, for example, does it (somehow), but is excluded from being sanitised in the NS settings.

This is based on my very limited knowledge in this area, so I could be way off

jbenson2, posted April 4, 2011:

Sounds like a Mexican standoff between NoScript and Evernote. I wonder who will blink first.

Archived
This topic is now archived and is closed to further replies.