
(Archived) Cross-site scripting attempt at Evernote blog


AFAIK, this is because the page info is being passed to another location and data is being transferred between the two.

You will also notice that the fields in the entry window are empty, as the passing of the information (title, suggested tags, etc.) is blocked.

[NoScript XSS] Sanitized suspicious upload to [https]

Complete code here (if needed):

https://www.evernote.com/shard/s26/sh/a ... 9f705bae3b

This is when using the site memory clip button on the blog.

Link to comment

I tried clicking the link and got the Evernote screen but it said the service is unavailable.

  • Possible reasons:
    • We may be performing regular system maintenance (typically Wednesday evenings, US Pacific time)
    • We may be experiencing unexpected problems that require a brief outage

In either case, we are working to restore access to the Evernote Service as quickly as possible.

Here is some additional information from NoScript: XSS (cross-site scripting) is a web application vulnerability which allows the attacker to inject malicious code from a certain site into a different site, and can be used by an attacker to "impersonate" a different user or steal valuable information.


Link to comment

Yes, so essentially the site memory button/additional JS attempts to send data from the blog page to another webpage (clipper).

NoScript intercepts this as suspicious, and "sanitises" the request. --> Turns the sending of data into getting the web clipper page, so no data is passed between the two (I think).

It may be necessary to add an exclusion mask into NS settings to prevent that from happening.

Adding https://www.evernote.com/noteit.action to NS settings -> Advanced -> XSS prevents this from happening.

Link to comment

It may be necessary to add an exclusion mask into NS settings to prevent that from happening.

Or perhaps Evernote can clean up their side.

I have not seen this problem crop up on other websites.

Link to comment

Not all websites are trying to pass data to other locations.

The site clipper is slightly different in this way.

Google, for example, does it (somehow), but is excluded from being sanitised in the NS settings.

This is based on my very limited knowledge in this area, so I could be way off :lol:

Link to comment


This topic is now archived and is closed to further replies.
