NoScript Updates

NoScript 2.6.6.2

Fri, 17 May 2013 11:33:14 +0000

x Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
x Improved placeholder management for full-document plugin content, e.g.
  makes Youtube embeddings more usable on Facebook

NoScript 2.6.6.1

Mon, 29 Apr 2013 15:48:23 +0000

x Fixed backward compatibility issue with recent channel cloning changes
x [XSS] Compatibility with certain redirector URL patterns (thanks
  Stephen F. for reporting)
x [ABE] Fixed letest Tab Mix Plus version (4.1.0) causing loads started
  from the address bar to be considered cross-site
x [Locale] Updated Esperanto (thanks Michael Wolf)
x [Locale] Updated Upper Serbian (thanks Michael Wolf)

NoScript 2.6.6

Wed, 03 Apr 2013 21:39:03 +0000

x Added per-window private browsing support to some background requests
x Improved channel cloning for internal redirections
x Added further Microsoft mail services dependencies to the default
  whitelist
x [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
x [XSS] Fixed potential jQuery-based injection (thanks Masato Kinugawa
  for reporting)
x Improved handling of some moz-null principal instances in ABE requests
  (thanks Thrawn for reporting)
+ New 360Haven surrogate lets the site work with 1st party scripts
  allowed and ads/tracker scripts forbidden

NoScript 2.6.5.9

Mon, 11 Mar 2013 20:31:22 +0000

x Fixed outlook.com UI broken in Nightly by work-around for bug 677050
  (thanks Raùl Duràn of Microsoft for troubleshooting help)
- Removed STS support for Gecko >= 4, which provides built-in HSTS
x Work around for multiple object creation causing UI inconsistencies
  (thanks al_9x for reporting)
x [XSS] Work-around for false positives caused by Gecko >= 18 changes in
  Function.prototype.toSource() (thanks yahoo mail user for report)

NoScript 2.6.5.8

Tue, 26 Feb 2013 13:23:16 +0000

+ Automatic Google Analytics web bugs blocking if google-analytics.com is
  not whitelisted
+ "Mark as untrusted" button on the site info page (thanks SwissBIT for
  RFE)
+ "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
x Inclusion type checks exception for yandex.st
x [XSS] Exception for requests across *.photobucket.com subdomains, which
  may legitimately contain syntactically valid Javascript fragments
  (thanks RAJAH235 for reporting)

NoScript 2.6.5.7

Mon, 18 Feb 2013 22:12:52 +0000

x Made "Yes, remove all protections" the default button in the removal
  warning dialog
x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
  (thanks Masato Kinugawa for reporting)
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
  Masato Kinugawa for reporting)

NoScript 2.6.5.6

Sun, 10 Feb 2013 19:07:37 +0000

x [XSS] Smarter syntax check optimization, removes harmful side effect
  (thanks Masato Kinugawa for reporting)

NoScript 2.6.5.5

Sat, 09 Feb 2013 22:45:41 +0000

x [XSS] Fixed bug in broken string literals balancing (thanks Masato
  Kinugawa for reporting)

NoScript 2.6.5.4

Sat, 09 Feb 2013 14:28:26 +0000

+ [XSS] Obfuscated string literals detection (thanks Masato Kinugawa for
  reporting)

NoScript 2.6.5.3

Fri, 08 Feb 2013 21:20:50 +0000

x [XSS] Improved parsing while decoding mixed-charset encoded URLs
  (thanks Masato Kinugawa for reporting)
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
  (thanks Masato Kinugawa for reporting)

NoScript 2.6.5.2

Thu, 07 Feb 2013 23:42:45 +0000

x [XSS] Work-around for a Gecko race condition allowing some
  script-enabled attackers to make the charset-mismatch checks abort
  prematurely (thanks Masato Kinugawa for reporting)

NoScript 2.6.5.1

Wed, 06 Feb 2013 10:41:54 +0000

+ [XSS] Forced unicode conversions more resilient to invalid input
  (thanks Masato Kinugawa for reporting)

NoScript 2.6.5

Tue, 05 Feb 2013 18:40:05 +0000

+ [XSS] More exotic charset awareness added to script injection checks
  (thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
  vulnerable pages to an integral IP (thanks Masato Kinugawa for
  reporting)
+ "Security Downgrade Warning" suggests blacklist mode as a better option
  than uninstalling, to retain scripting-unrelated protections 
- Removed legacy uninstall hooks and related localized strings

NoScript 2.6.4.4

Tue, 29 Jan 2013 10:19:37 +0000

x Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
  (thanks therube for reporting)
+ [Surrogate] Support for callbacks in Google Analytics' _gaq.push()
  method (thanks Paola Moro for reporting)
+ Allow/Forbid button on the site info page (thanks Edward Huff for RFE)

NoScript 2.6.4.3

Mon, 14 Jan 2013 22:38:24 +0000

x [Surrogate] Less aggressive but more compatible adf.ly surrogate (it
  automatically skips ad but requires scripts enabled on adf.ly)
x Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent
  Firefox versions (thanks Guardian for reporting)
+ [Surrogate] dimtus.com scriptless automatic image revelation
+ [Surrogate] imageteam.org scriptless automatic image revelation
x [External Filters] Fixed cache API compatibility issue

NoScript 2.6.4.2

Thu, 27 Dec 2012 10:44:01 +0000

x [ClearClick] Fixed miscalculations in screenshot comparison
x Fixed wrong placeholder position for standalone HTML 5 video content
  (thanks mjh563 for reporting)
+ "Appearance" option to hide the "About NoScript" menu item
x Deny loading of any empty Flash object
x Fixed HSB locale (thanks Michael Wolf)
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
  reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
  null location for Flash objects sometimes (thanks al_9x for report)
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
  for reporting)
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
  reporting)

NoScript 2.6.4.1

Mon, 17 Dec 2012 16:22:53 +0000

x Fixed new placeholder close button being hidden on some Youtube pages

NoScript 2.6.4

Mon, 17 Dec 2012 10:46:40 +0000

x [XSS] Improved compatibility with Twitter's cross-site requests
+ Close button on embedding placeholder (like using shift+click on the
  placeholder itself). Shift clicking the close button bypasses it.
x Fixed placeholders intercepting clicks from overlaid elements (thanks
  al_9x)
x Fixed unbound embed enablement confirmation dialog size (thanks therube
  for reporting)

NoScript 2.6.3

Tue, 04 Dec 2012 10:18:47 +0000

x [XSS] Further tweaks to reduce false positives (thanks Edward C. Kim
  for reporting)
x [XSS] The "maybe JS" step now removes leading parens, reducing false
  positives e.g. on Picasa (thanks jerriy for reporting)
x [Surrogate] Work-around for anti-popunder surrogate causing Ebay to
  recreate phantom cookies on page unload (thanks mjh563 for reporting)
x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
  breaking bookmarlets and URL bar Javascript support after being updated
  for Firefox 17
x Removed some console noise
+ [Surrogate] Updated adf.ly surrogate to work with new links

NoScript 2.6.2

Thu, 22 Nov 2012 14:03:30 +0000

x Fixed Google links anonymizer surrogate interfering with the "Search
  tools" button (thanks Sledge Fox and Brian Admire for reporting)
x Fixed impossible to copy lines from Console² if opened by NoScript
  (thanks therube for reporting and Phil Chee for suggestion)
x [XSS] Exception for wpcomwidgets.com safe inclusions
x Slightly reduced About box width (thanks GµårÐïåñ for RFE)

NoScript 2.6.1

Tue, 13 Nov 2012 14:55:08 +0000

x [XSS] Better compatibility with Ebay's saved searches
+ [Surrogate] Imagebax.com scriptless ads skipping redirection
x Fixed first non-cached page load in a session from about:newtab failing
- Removed legacy XUL script blocking code
+ Added optional diagnostic to centralized channel aborting
x Fixed bug in Java URLs resolution

NoScript 2.6

Fri, 02 Nov 2012 12:41:32 +0000

x Improved long URL wrapping for more manageable plugin placeholder
  tooltips
x Fixed ABE notifications bleeding out of the viewport when very long
  URLs are involved
+ [Surrogate] More efficient deferred script loading and syntax check,
  saves memory and startup time from unused surrogates
+ [Surrogate] Picbucks.com scriptless ads skipping redirection
+ [Surrogate] Imagebunk.com scriptless image revealing
+ [Surrogate] Picsee.net scriptless image revealing
+ Added navigator.doNotTrack property support

NoScript 2.5.9

Fri, 26 Oct 2012 07:21:44 +0000

+ Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content
  allowed) to the default whitelist (required by MS mail services)
+ [XSS] Removed false positive on some Google Gadgets; the work-around
  can be disabled by setting the noscript.filterXExceptions.ggadgets
  about:config preference to false (thanks Silvana for reporting)
+ Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES
  with the noscript.allowedMimeRegExp preference
+ Made mimetype whitelisting through the noscript.allowedMimeRegExp
  preference work with FRAMEs and IFRAMEs as well
x Fixed redirections involving sites marked as untrusted causing
  inconsistencies in page permissions, with JavaScript being blocked even
  if the site is whitelisted (thanks al_9x for reporting)
x Fixed regression on older Gecko versions causing NoScript to believe
  the browser is proxied when it's not

NoScript 2.5.8

Wed, 17 Oct 2012 18:03:02 +0000

x Work-around for unique origins being assigned to URL bar loads by Gecko
  16 and above interfering with some ABE rules
x Work-around for bug 797684 patch causing ABE's Sandbox action to fail
x Work-around for regression from Mozilla bug 797684 fix causing frames
  not to be blocked correctly in recent >= 18 builds
x Slightly revised About box to make more room for contributors

NoScript 2.5.7

Fri, 05 Oct 2012 20:24:15 +0000

x Fixed synchronous timeout emulation ordering bug in bookmarklet
  execution on scriptless pages (thanks Infocatcher for reporting)
x [XSS] Fixed comment preprocessing optimization affecting free
  JavaScript detection, thanks Masato Kinugawa for reporting
x [XSS] Fixed second order data: URLs sanitization issue, thanks Masato
  Kinugawa for reporting
x Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks
  nitou for reporting)
x Fixed iframe placeholder positioning issue (thanks al_9x for report)
x Fixed regression in placeholder positioning (thanks al_9x for report)
x [ClearClick] Fixed false positive on cross-site SVG document embeddings
  (thanks Steffen for reporting)

NoScript 2.5.6

Mon, 24 Sep 2012 09:24:04 +0000

x [XSS] Fixed slow regular expression causing some base64 request
  payloads to trigger false positives (thanks Mirko Tasler for reporting)
+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content 
+ New icon for blocked embeddings on globally allowed pages (thanks
  therube for RFE)

NoScript 2.5.5

Wed, 12 Sep 2012 21:19:12 +0000

+ More reliable Java applet origin identification
x Cross-browser work-around for
  https://bugzilla.mozilla.org/show_bug.cgi?id=789773

NoScript 2.5.4

Tue, 04 Sep 2012 18:26:31 +0000

x Fixed HTTP checks not being skipped anymore for some chrome-generated
  XMLHttpRequest requests because of a Gecko 15 change
x Work-around for cloned DOM nodes not retaining additional
  chrome-attached information anymore, thus breaking placeholders in some
  cases (thanks al_9x for reporting)
x Fixed placeholder post-enablement event channeling broken by Sandbox
  changes
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17
  and above (thanks marty60 for reporting)

NoScript 2.5.3

Mon, 27 Aug 2012 23:16:05 +0000

x [XSS] Fixed false positives on URLs containing an ASP.NET cookieless
  session identifier (thanks Trupti Chaudhari for reporting)
+ noscript.eraseFloatingElements about:config preference to switch the
  mousedown + del key floating popup erasing feature off and on
x Limited the mousedown + del key floating popup erasing feature to pages
  where scripts are forbidden and to absolute or fixed position elements
x Fixed JavaScript URL non-void expression evaluation in the URL bar
  causing scripts to get globally allowed (thanks al_9x for reporting)
x [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for
  reporting)

NoScript 2.5.2

Wed, 22 Aug 2012 11:15:10 +0000

x [ClearClick] Improved protection against clickjacking timing attacks
  (thanks Nafeez Ahmed for reporting)
x Fine tuned floating div (in-page popup) removal by locking it to the
  nearest positioned ancestor and swallowing the mouseup event if the
  DEL key has been hit after last mousedown

NoScript 2.5.1

Sun, 12 Aug 2012 22:22:16 +0000

+ Holding the left mouse button down on an absolutely positioned page
  element and hitting the DEL key will remove it (useful to forcibly kill
  in-page popups when scripts are disabled)
x Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking
  protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java
  globals have been removed from the DOM
x [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for
  reporting)
x Fixed Silverlight and Flash scripted initialization patches being
  broken by recent JavaScript interpreter changes
x Work-around for hp-ww.com misconfiguration (JavaScript files served
  with bogus content-type header)

NoScript 2.5

Sun, 29 Jul 2012 14:19:47 +0000

+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
  while removing false positives, e.g. against OAUTH payloads
x Work-around for additional browser tools placed on the bottom of the
  content messing with NoScript's notification height (thanks ochristi
  for report)
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
  be disabled by setting the noscript.filterXExceptions.yahoo
  about:config preference to false)
x Fixed placeholders for absolutely positioned elements may cause layout
  glitches (thanks al_9x for reporting)
x Fixed interaction with built-in Firefox's click-to-play causing
  infinite object activation loop (thanks al_9x for reporting)

NoScript 2.4.9

Fri, 20 Jul 2012 22:13:02 +0000

+ Added ability to replace obsolete default whitelist entries
x Replaced browserid.org with persona.org in the default whitelist
x Improved anti-DOS protection
x Better usability with some HTML5 Youtube videos (thanks Mike Perry
  for reporting)
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
  constructs (thanks Pepe Vila for reporting)
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
  Ashar Javed for reporting, original disclosure by Keith Makan)

NoScript 2.4.8

Tue, 10 Jul 2012 21:37:34 +0000

x Work-around for Mozilla bug 771655 (broken debugger)
x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
  taken by the debugger
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
  Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
  handle generic XML documents

NoScript 2.4.7

Thu, 28 Jun 2012 23:03:38 +0000

x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
  report)
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
  subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
  plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
  regular spaces rather than just newlines (this behavior was documented
  but not actually implemented for noscript.allowedMimeRegExp)

NoScript 2.4.6

Tue, 12 Jun 2012 08:57:47 +0000

x [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
x [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
x [XSS] Fixed document.cookie minimal assignment false negative (thanks
  Masato Kinugawa for report)
x [XSS] Fixed dotted query parameter names false positives, affecting
  OpenID, Hotmail and other services (thanks Gavin H for report)
x Fixed some messages being dumped to the console even if logging is
  turned off (thanks marbler for report)

NoScript 2.4.5

Sun, 10 Jun 2012 22:16:37 +0000

+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
  Dalili and Ahamed Nafeez for reporting)
x [XSS] Improved unconventional assignments detection  (thanks Masato
  Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
  kind of concatenated assignments (thanks Masato Kinugawa for report)
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
  Kinugawa for report)

NoScript 2.4.4

Mon, 04 Jun 2012 10:08:53 +0000

x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
  bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
  checked for mime type mismatches and XSLT inclusions to be incorrectly
  blocked (thanks hanfi for reporting)

NoScript 2.4.3

Sun, 27 May 2012 22:09:36 +0000

x Fixed JS links detection not resolving JS string escapes (thanks vyznev
  for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
  by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
  URI has no host
+ [XSS] Better detection of free inline script injections (without string
  literal evasion) inside function calls
+ The noscript.allowedMimeRegExp preference now applies also to Java,
  Flash and Silverlight mime types

NoScript 2.4.2

Sat, 19 May 2012 10:11:52 +0000

x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
  to the LAN anymore for the purpose of cross-zone request forgery checks
  in order to safely work-around DNS misconfiguration issues in the wild
  (thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
  because of redirection loops
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
  specific to ASP Classic (thanks Soroush Dalili for reporting)
x Fixed first application updates check failing on Nightly (bug 754393)
x [XSS] Fixed false positive regression on some file hosting sites (thanks
   Janne Maekelae for reporting)

NoScript 2.4.1

Thu, 10 May 2012 13:09:44 +0000

+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
  same-name query parameters (thanks  Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
  sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
  therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
  Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
  repository, often used as a CDN

NoScript 2.4

Fri, 04 May 2012 11:25:41 +0000

x Improved temporary permissions management during bookmarklet execution
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
  (thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
  global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
  for reporting)
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
  Dalili for reporting)

NoScript 2.3.9

Wed, 25 Apr 2012 22:44:07 +0000

+ [ClearClick] More tolerant snapshot comparation algorithm (partially
  backported from NSA) to reduce false positives (tweaked by the
  noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
  obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
  suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
  globally allowed (thanks and Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
  some plugin content

NoScript 2.3.8

Thu, 19 Apr 2012 09:48:07 +0000

+ Smart integration with the new browser-native click to play: if a plugin
  object is manually allowed from NoScript's UI, it gets also natively 
  activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
  steps across reloads
x Fixed redirections in legacy frames not being blocked (thanks "utente"
  for reporting)
x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site

NoScript 2.3.7

Sun, 08 Apr 2012 03:28:42 +0000

x [ClearClick] Work-around for "rapid fire" protection interfering with
  some add-ons, such as 1Password (thanks Mike Tselikman for report) and
  FloatNotes (thanks endofmiles and Tom T. for reports)
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
  Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
  containing domain-names as parameter values (thanks gazer75 for report)

NoScript 2.3.6

Mon, 26 Mar 2012 21:27:00 +0000

x Restored Nightly compatibility, broken by bug 719154 
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
  for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
 (thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
  access (thanks Aicke Schulz for reporting)

NoScript 2.3.5

Fri, 16 Mar 2012 20:26:49 +0000

x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing
  Google Music Player to fail (thanks DG42 for original report, Alan Baxter
  for providing a test account, all the forum staff and many users for
  their help in reproducing)
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and
  meta refreshes on the affected tab even if document changes (thanks
  Tom T. and Patrick E. for reporting)
x [ClearClick] Better special-casing for same-site embedded objects
x [Surrogate] Global variables introduced by sandboxed surrogates are
  attached as window properties after execution to fix recently surfaced
  scope-related bugs
x [XSS] Better window.name protection  (thanks Masato Kinugawa for report)
x [XSS] Improved detection of javascript: URL injections

NoScript 2.3.4

Thu, 08 Mar 2012 22:06:40 +0000

x [ClearClick] Fixed subtle bug which may lead to infinite loops in some
  cases (thanks GµårÐïåñ for reporting)

NoScript 2.3.3

Thu, 08 Mar 2012 16:45:05 +0000

+ Improved InjectionChecker logging
x Reduced false positive rate on HTML injection checks (thanks therube for
  reporting)
x [ClearClick] Fixed clicking on some plugin content causing elements of
  the parent page to become white (thanks Markus Wienand for report)
x [ClearClick] Fixed minor bugs triggered by ABP placeholders
+ [ClearClick] Protection against partial obscuration via Flash objects
  with OS-native wmode values (thanks David Lin-Shung Huang for reporting)
x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
  semicolons (e.g. on some Yahoo-served ads)

NoScript 2.3.2

Sun, 26 Feb 2012 21:58:12 +0000

x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
  Masato Kinugawa for reporting)
+ [XSS] Added event injection checks for scriptless pages too, in order to
  prevent edge-case execution on permissions change
x [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
  Kinugawa for reporting)
x [XSS] Improved HTML detection accuracy
+ Better tagging of surrogate sandboxes for about:memory debugging
x Improved glinks surrogate