
Warning against Beethoven Wikipedia page

Open ExTechOp opened this issue 1 year ago • 2 comments

When I try to open the Wikipedia page https://en.wikipedia.org/wiki/Piano_Sonata_No.14(Beethoven) I get a "NoScript XSS Warning" every time. I haven't found other Wikipedia pages that trigger this, nor have I been able to figure out why that specific page does it.

This is on Firefox 128.6.0esr (64-bit) with NoScript 12.1.1 under RHEL 9.5 (Plow)

XSS

ExTechOp avatar Jan 14 '25 12:01 ExTechOp

Still, on FF 137.0.2 with NS 12.1.1 on Linux Mint 22.1

[image attachment]

Gliktch avatar Apr 20 '25 12:04 Gliktch

I’d guess it’s because the last path segment looks like a valid JS method call—same false positive for e.g. https://en.wikipedia.org/wiki/James_M._Turner_(physicist) or https://example.org/a.b() (although yes, I also stumbled upon this on a Beethoven Wikipedia page).

More precisely, this line doesn’t get rid of the benign dot properly: https://github.com/hackademix/noscript/blob/1b171c5a50c6cc1122a5e810bb1b64fe199bf608/src/xss/InjectionChecker.js#L391

```
;///wiki/Symphony_No._X_(Beethoven) -> ;///wiki/Symphony_No._X_(Beethoven)  (false positive)
;///wiki/Symphony_No.X_(Beethoven)  -> ;///wiki/Symphony_No|X_(Beethoven)   (no false positive)
```

Seems to me like this is fixable by tweaking the regex (can’t imagine when an underscore would make a difference). I’m not too sure of this analysis though; for example, I couldn’t actually reproduce the false positive for No._<digits>, hence the replacement with X above.

pettinen avatar Nov 09 '25 08:11 pettinen
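To make the mechanism in the comment above observable, here is an added, stand-alone illustration that is not NoScript's code and not code posted by anyone in this thread. It models only the single point pettinen isolates: a dot-neutralizing regex whose lookahead accepts letters and digits but not `_`, so `No._X_(` keeps its dot and still has the token shape of a JavaScript method call. The regexes, the `MEMBER_CALL` test and the function names are assumptions written for this example; they are not the code on line 391 of `InjectionChecker.js`, and the toy call test stands in for a much larger pipeline. The inputs are the two rows of the table above plus the second Wikipedia path mentioned in the same comment.

```javascript
// Added illustration, not code from NoScript or from anyone in this thread.
// Assumed, simplified model of "neutralize benign dots, then look for a
// method-call shape"; the real checker does considerably more than this.

// Toy "looks like a member call" test: identifier . identifier (
// It exists only so the effect of the neutralization step can be observed.
const MEMBER_CALL = /[A-Za-z_$][\w$]*\.[A-Za-z_$][\w$]*\s*\(/;

// Narrow neutralization (assumed stand-in for the reported behaviour):
// a dot becomes "|" only when a letter or digit follows it, so a dot
// followed by "_" survives untouched.
function neutralizeNarrow(s) {
  return s.replace(/\.(?=[A-Za-z0-9])/g, "|");
}

// Widened neutralization, the tweak the comment suggests: "\w" also covers
// "_". Everything the narrow form neutralized is still neutralized.
function neutralizeWide(s) {
  return s.replace(/\.(?=\w)/g, "|");
}

// Returns the neutralized string and whether the toy call test still fires.
function check(path, neutralize) {
  const neutralized = neutralize(path);
  return { neutralized, flagged: MEMBER_CALL.test(neutralized) };
}

// Constructed inputs taken from the thread: both table rows and the
// "James_M._Turner_(physicist)" path, in the ";///wiki/..." form the table uses.
const SAMPLES = [
  ";///wiki/Symphony_No._X_(Beethoven)",
  ";///wiki/Symphony_No.X_(Beethoven)",
  ";///wiki/James_M._Turner_(physicist)",
];

// Runs every sample through one neutralizer and returns the per-sample results.
function report(neutralize) {
  return SAMPLES.map((p) => check(p, neutralize));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, fn] of [["narrow", neutralizeNarrow], ["wide", neutralizeWide]]) {
    for (const r of report(fn)) {
      console.log(name.padEnd(6), r.flagged ? "FLAGGED" : "ok     ", r.neutralized);
    }
  }
}
```

With the narrow lookahead, the first and third paths keep their dot and trip the call-shape test while the second is rewritten to `Symphony_No|X_(Beethoven)` exactly as in the table; with `\w` in the lookahead none of the three is flagged. Whether the wider class is safe in the real checker depends on everything downstream of that line, so a change like this should be run against the project's existing true-positive cases before it ships, not only against the Wikipedia paths that prompted it.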