hybridreactor / scriptno

Automatically exported from code.google.com/p/scriptno

<!-- in script will execute javascript even when ScriptNo should be blocking it #142

GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Visit website http://www.ueda.info.waseda.ac.jp/~n-kato/lightsout/index.html
2. Make sure ScriptNo is set to block scripts and click Solve button
3. See pop-up window produced by javascript

What is the expected output? What do you see instead?
Clicking the Solve button should have no effect, since it makes a javascript 
call. The javascript is executed nonetheless.

What version of the product are you using? On what operating system?
ScriptNo v1.0.6.2 on Chrome 23.0.1271.64 m on Win7x64

Please provide any additional information below.
The script that is executing within the page has a <!-- mark as the first thing 
inside the script tags. For some reason, Chrome still executes it, and ScriptNo 
doesn't block it

Original issue reported on code.google.com by predrag....@gmail.com on 25 Nov 2012 at 1:45

GoogleCodeExporter commented 9 years ago
Can you try v1.0.6.3 and let me know if this still occurs? I can't reproduce it.

Original comment by andr...@gmail.com on 27 Dec 2012 at 1:05

GoogleCodeExporter commented 9 years ago
As a litmus test I always go to http://noscript.net/misc/notscripts.html to 
test out if inline script can be blocked or not. Since the update, and using 
(I'm assuming) Manifest 2, it seems like it is now blocked. Giorgio Maone (dev of 
NoScript) seems to be keeping an eye on this project as well.

Good luck ScriptSafe Dev!

Original comment by android....@gmail.com on 27 Dec 2012 at 11:19

GoogleCodeExporter commented 9 years ago
I feel honoured to have Giorgio keeping an eye on this project's progress! :)

Thank you, and I appreciate your submissions!

Original comment by andr...@gmail.com on 27 Dec 2012 at 11:53

GoogleCodeExporter commented 9 years ago
The problem seems fixed in v1.6.0.9

Thanks for the speedy fix!

Original comment by predrag....@gmail.com on 29 Dec 2012 at 10:54

GoogleCodeExporter commented 9 years ago
Even though the original repro on the link I gave above doesn't work any more, 
the original problem is still there.

I saved the html page at http://noscript.net/misc/notscripts.html and modified 
the script part as follows:

<script>
<!--
w=__proto__;
d=this.document.__proto__;
d.getElementById.call(this.document, "x").innerHTML="Notice that I'm executing JavaScript no matter if this site is in your whitelist or not...";
function a(msg) { w.alert.call(null, msg) }
function i() { a("You've got NotScripts (but it doesn't work that well, does it?)"); ni = function(){} }
function ni() { a("You do not have NotScripts.") };
//-->
</script>

When I reload the page with this modification, javascript executes normally 
("You do not have NotScripts.")

I am attaching my modified html file to the post.

This is on ScriptSafe v1.0.6.9, Chrome 23.0.1271.97 m on Win7x64.

Original comment by predrag....@gmail.com on 30 Dec 2012 at 10:44

GoogleCodeExporter commented 9 years ago
Something really weird is going on here. I made two copies of the noscript page 
above, modified one as described above, and put both of them in my dropbox so I 
can test them over http.

Having never opened either page in Chrome before (or having cleared the page 
cache, or in Incognito mode), if I open the normal noscript page first, and 
then the modified one, then javascript is blocked on both.

However, if I open the modified noscript page before the normal one (as above, 
with the page not in cache, or in Incognito) then javascript executes on both 
-- the "You do not have NotScripts." pop up window appears.

Both variants of this work reliably every time.

Original comment by predrag....@gmail.com on 30 Dec 2012 at 11:08