Google Forms precompiled URLs containing %0A or %3C are not correctly managed

RESOLVED INVALID

Status

()

RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: patrick.zanon, Unassigned)

Tracking

46 Branch
x86_64
Windows
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160507231935

Steps to reproduce:

I entered into the browser the following precompiled link of the Google forms:

https://docs.google.com/forms/d/1W3m2IlO9IbVOdD2xKV2jBuOcPooHVHfHx9JLXkapug4/viewform?entry.1892547157=patrick.zanon@gmail.com&entry.1925673112=Zanon&entry.875761068=Patrick&entry.235524706=1A&entry.775447471=67-(30-26)*%7B%5B94-18%5D:2-%5B15%2B(45-26)%5D%7D%0A67-4*%7B%5B94-18%5D:2-%5B15%2B19%5D%7D%0A67-4*%7B76:2-%5B15%2B19%5D%7D%0A67-4*%7B76:2-34%7D%0A67-4*%7B38-34%7D%0A67-4*4%0A67-16%0A51+%3C!--mat(1,511,81)--%3E&entry.1902033024=51+%3C!--mat(1,64,1)--%3E&entry.532412603=69%2B(17%2B11*5):%5B(45%2B29):2-68:2%5D%0A69%2B(17%2B55):%5B74:2-68:2%5D%0A69%2B72:%5B74:2-68:2%5D%0A69%2B72:%5B37-34%5D%0A69%2B72:3%0A69%2B24%0A93+%3C!--mat(1,511,81)--%3E&entry.642230352=93+%3C!--mat(1,64,1)--%3E&entry.2040284953=%5B17-(15-3):4%5D*2-%5B(3%2B4)*4%5D%0A%5B17-12:4%5D*2-%5B7*4%5D%0A%5B17-3%5D*2-28%0A14*2-28%0A28-28%0A0+%3C!--mat(1,511,81)--%3E&entry.1101714191=0+%3C!--mat(1,64,1)--%3E

and I selected "Casa" as the first answer and then I pressed the "Continue" button


Actual results:

The form is not correctly loaded since the answers of the exercise x1 that should contain both new lines and "<" characters are not correctly displayed: here follows the wrong result

67- 30-26 *{ 94-18 :2- 15  45-26  } 67-4*{ 94-18 :2- 15 19 } 67-4*{76:2- 15 19 } 67-4*{76:2-34} 67-4*{38-34} 67-4*4 67-16 51  !-mat 1,511,81 ->


Expected results:

On the contrary, by loading the previous URL with Chromium I have the correct result, which is:

67-(30-26)*{[94-18]:2-[15+(45-26)]}
67-4*{[94-18]:2-[15+19]}
67-4*{76:2-[15+19]}
67-4*{76:2-34}
67-4*{38-34}
67-4*4
67-16
51 <!--mat(1,511,81)-->
(Reporter)

Updated

2 years ago
Component: Untriaged → Private Browsing
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

Comment 1

2 years ago
Nothing about the description seems to be related to the private browsing feature.
Component: Private Browsing → Untriaged
(Reporter)

Updated

2 years ago
Summary: URLs containing %0A or %3C are not correctly managed → Google Forms precompiled URLs containing %0A or %3C are not correctly managed
(Reporter)

Updated

2 years ago
Version: 45 Branch → 46 Branch
(Reporter)

Updated

2 years ago
OS: Linux → Windows

Comment 2

2 years ago
User Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID 	20160531030258

I could not reproduce the issue on Ubuntu 15.04 and Windows 10. I tested on Firefox 45, Firefox 46, Firefox 46.0.1 and latest Nightly (49.0a1). 

Could you test in Safe Mode (https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode) and with a new profile(  https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles) to see if the issue is still reproducible?
Flags: needinfo?(patrick.zanon)
(Reporter)

Comment 3

2 years ago
I can confirm that the problem is related to NoScript plugin that stops every Cross-site scripting (XSS) and then by filtering the url that is suspected of javascript injection...

Thanks!
P. Zanon
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(patrick.zanon)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.