Fx 3 showing strange "URL is not valid and cannot be loaded" message - Mozilla
Fx 3 showing strange "URL is not valid and cannot be loaded" message
When I, or my extension, try to load this url:
http://192.168.123.100:591/classic.p...true%3B%22%3E+
Firefox 3 shows an alert box saying "URL is not valid and cannot be
loaded" however I don't see anything in the EC (EC^2, really) that gives
even a hint. This did not happen in Firefox 2.
Here's the kicker:
http://192.168.123.100:591/classic.p...true%3B%22%3E+
(same as above except parameter myname is now yname) does not trigger
the issue. Also changing myname to a longer name does not trigger the
issue.
Oh, a final note: the page does load fine. And when I view source
everything looks like I expect. When view source is reloaded the
message does *not* come up.
Any ideas on what's the source of this?
Thanks!
-
Re: Fx 3 showing strange "URL is not valid and cannot be loaded" message
On Jun 23, 11:00 pm, "themystic...@gmail.com" wrote:
> When I, or my extension, try to load this url:
>
> http://192.168.123.100:591/classic.p...HTTP-EQUIV%3D%....
>
> Firefox 3 shows an alert box saying "URL is not valid and cannot be
> loaded" however I don't see anything in the EC (EC^2, really) that gives
> even a hint. This did not happen in Firefox 2.
>
> Here's the kicker:
>
> http://192.168.123.100:591/classic.p...TTP-EQUIV%3D%2....
>
> (same as above except parameter myname is now yname) does not trigger
> the issue. Also changing myname to a longer name does not trigger the
> issue.
>
> Oh, a final note: the page does load fine. And when I view source
> everything looks like I expect. When view source is reloaded the
> message does *not* come up.
>
> Any ideas on what's the source of this?
>
> Thanks!
Lucy found a pseudo fix. Basically if you clear cookies this problem
sorta goes away.
The problem with the fix is that clearing the user's cookies every
time they run the extension isn't really a fix I can use.
Also, the popup still comes up if I go directly to that url but not if
I get it using JS:
// Get the IO service and open a channel to the test URL directly
var ioserv = Components.classes["@mozilla.org/network/io-service;1"]
    .getService(Components.interfaces.nsIIOService);
var channel = ioserv.newChannel("http://192.168.123.100:591/classic.php?yname=+%3CMETA+HTTP-EQUIV%3D%22refresh%22+CONTENT%3D%220%3B+URL%3Dhttp%3A%2F%2F%3BURL%3Djavascript%3Adocument.vulnerable%3Dtrue%3B%22%3E+", 0, null);
// Synchronous open; returns an nsIInputStream with the response body
var stream = channel.open();
// Wrap the stream so it can be read from script
var sis = Components.classes["@mozilla.org/scriptableinputstream;1"]
    .createInstance(Components.interfaces.nsIScriptableInputStream);
sis.init(stream);
alert(sis.read(sis.available()));
Any ideas on what's going on and how to stop it?