
Firefox is still vulnerable to XSS - maxwellito
http://maxwellito.tumblr.com/post/102269798636/xss-gotta-catchem-all
======
jupenur
Here [1] is the BMO ticket tracking this. I guess the main reason it hasn't
been implemented is that there have been several issues with other browsers'
implementations, as mentioned in the bug ticket. And every now and then, a new
one pops up. You can still get the feature by using NoScript.

There's a better solution though: CSP. Yes, it requires action from the site
owners and is a bit of a pain to implement on an established website, but it's
very effective at fighting both reflected and persistent XSS, and it can
prevent other attacks too, such as content exfiltration using dangling markup
injection.

[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=528661](https://bugzilla.mozilla.org/show_bug.cgi?id=528661)

------
maxwellito
I posted this a year ago. The situation hasn't changed despite my ticket on
Bugzilla (it was a duplicate of a looooong one).

Here is a URL to test :
[http://berghain.de/events/%22%20onmouseover=%22alert%28'NEIN...](http://berghain.de/events/%22%20onmouseover=%22alert%28'NEIN!'%29)

Once on the page go on the 'onmouseover' text. the alert will appear only on
Firefox. On other browsers, just check the console to see the Auditor blocking
the attack.

------
vicaya
NoScript (even when enabled for destination sites) does detect/filter the XSS
attempt though.

