Purchase button requires XSS (cross-site scripting)

You are viewing a static copy of the old 2DBoy forum, which closed in 2010. It is preserved here for historical interest, but it is not possible to reply to topics. For more recent discussion about World of Goo, visit our new forum.
Purchase button requires XSS (cross-site scripting) [keshlam, 11/28/2008 - 00:18]

... which the NoScript system considers a dangerous action, and I'm not willing to authorize it. That makes buying a full copy somewhat difficult.

Re: Purchase button requires XSS (cross-site scripting) [The Happy Friar, 11/28/2008 - 17:38]

You don't trust a company that, odds are, has been on the internet longer than you have (what is it with all the security-paranoid people who want the game? Not directed towards you, but people have complained they're afraid someone will steal their CC info, the AV says WoG is a virus and they don't trust it, WoG uses some secret DRM that doesn't exist...)? From my experience, PayPal is safer than going to the store and buying a copy.

Plus there's the option of going to the store and buying a copy. Or Amazon. Or authorizing the button. There's nothing wrong with it; your security settings are just set pretty high.

I'm off to make a tinfoil hat. Out of papier-mâché, as tinfoil lets the govt read your brainwaves. :D

I'm curious what else it considers a "dangerous action". There are a lot more evasive things out there than a hyperlink.

EDIT: it's cross-site scripting because it fills out how much and what you're buying. Obviously, site A needs to send the data to site B for this to happen.

Re: Purchase button requires XSS (cross-site scripting) [keshlam, 11/28/2008 - 17:55]

Actually, it's those of us who have been on the 'net for 30 years who are more likely to be cautious about security. We've seen the hazards evolve.

And most Internet sales channels, including those using PayPal, seem to manage fine without XSS.

But all of that's irrelevant to my question, which was simply whether there was a non-XSS purchase mechanism. If your answer is the official one, fine.

(The customer is not always right, but the customer is always the one with the money.)

Re: Purchase button requires XSS (cross-site scripting) [kyle, 11/28/2008 - 18:08]

Hey guys, one other person asked about cross-site scripting a few weeks ago, but they later looked at the HTML manually and gave their thumbs up.

I wouldn't worry too much; I just copied and pasted the code PayPal told me to, and that's it. Nothing malicious. If you still feel uncomfortable, there are lots of other places the game is available, linked to just beneath the PayPal button. Hope that helps!

Re: Purchase button requires XSS (cross-site scripting) [keshlam, 11/28/2008 - 18:45]

Thanks, Kyle.

Re: Purchase button requires XSS (cross-site scripting) [jrodman, 11/30/2008 - 19:38]

XSS doesn't mean that the site is malicious; it means that the way the site is written, it's open for an unpleasant user of the site to inject malicious content for other users to encounter. It's a channel by which some users can attack other users. So the fact that the code was given by PayPal doesn't mean that it's safe.

In this case, the concern may be unfounded, because the PayPal site isn't trying to act as a forum where user content is stored and then shown to later users. Unless the design is very, very stupid, there shouldn't be any replay of content for later users to encounter.

Re: Purchase button requires XSS (cross-site scripting) [keshlam, 12/01/2008 - 00:11]

JRodman: Thanks. That was sort of my understanding -- no accusation of malice, just a question of whether the site was as secure as it might be, and whether it might be worth looking for ways to tighten this up to avoid unnecessarily confusing/scaring potential customers.

Other sites using PayPal seem to avoid triggering this flag in NoScript, which presumably means they've found another solution. Might be worth finding out what that is.

Maybe I should be directing this gripe to PayPal instead, if you're using a code fragment they supplied.

Re: Purchase button requires XSS (cross-site scripting) [jrodman, 12/14/2008 - 17:18]

Yeah, way late, but this is a PayPal thing. And they should address it, but I don't believe it is a pressing issue, since I don't believe it's exploitable.