Help please… I use Firefox 3.6 and NoScript, and it just came up with a message that it “filtered a potential cross-site scripting (XSS) attempt”.

I did click on the link to “XSS FAQ”, but I still don’t understand what’s really going on here and whether it’s safe to override this message (and how :oops:!?)

Cross-site scripting is when a website tries to run a script against another unrelated site. This is a common means of attempting to attack a website; theoretically it shouldn’t be possible, but security flaws sometimes sneak through the cracks.

It could be innocuous; it could be a ‘false positive’ from NoScript (ie, it’s finding a problem when there isn’t one), or it could be an innocent misconfiguration error on the web server. It could also be malicious in intent. How to tell the difference will largely depend on context (ie, how trustworthy is the site you’re on, and how likely is it that it’s hosting adverts that may be carrying an unchecked payload?)

(note to pedantic techies, the above contains simplification for clarity)

Thank you very much, Cougar, that’s the right level of simplifcation for me I think – apologies to the more techie minded web experts ;-)!

I had this message pop up on two sites, one was on Arriva Trains, just at the start of looking up train timetable details; the other one on a gardening equipment shop site – there I had gone through most of the “checkout process” and the XSS warning came up during the “Verified by Visa” bit, which did worry me as it then caused the transaction to fail… I guess I’ll keep an extra close eye on my credit card transactions, just in case :-/

I strongly suspect that it’s a false positive in this case.

As ever, when in doubt, do a malware scan. http://www.malwarebytes.org (I should be on comission).