[Fixed] Chrome 57 gives XSS error when editing a post

Gazhyde

Well-known member
Haven't had much chance to test this, but just installed Chrome 57 and when editing a post it gives the following error when "More Options..." is pressed.

Quickly tested the same thing in Edge and Firefox and it doesn't give the same error. Have previously edited posts on this machine before upgrading to Chrome 57.0.2987.98 earlier today.

[Attachment: screenshot of the Chrome error]

I'll try editing this post once I've posted it as it's the only other XF site I've got access to ;)

EDIT: Can edit this post without an error, so looks like something to do with my site! I'll do some more testing when I'm at home later!
 

Mike

XenForo developer
Staff member
I'm going to leave this open for now, but this is essentially a false positive. There isn't actually anything in the basic example that would reasonably be called an XSS. I need to create a reduced test case to be able to report the issue, but I'm not sure (and not expecting) that we can really work around it.
 

Mike

XenForo developer
Staff member
Reduced test case and Chrome bug report can be found here: https://bugs.chromium.org/p/chromium/issues/detail?id=703093

The root cause is not something we can work around at this point. The only alternative if the bug doesn't get fixed is to disable XSS protection via an HTTP header, which I'd really rather not do.

I'll wait to see what the Chrome developers make of the issue before taking any action.
 

Chris D

XenForo developer
Staff member
The current workaround would be to disable inline editing of messages:
[Attachment: screenshot of the inline-editing option]
Unless we can convince them otherwise, chances are we'll have to disable the auditor in that case. But it's a moot point in XF2 and this workaround should do until the next bug fix release assuming we come up with a fitting workaround, such as disabling the auditor.
 

xenfans

Well-known member
Could a conditional check if the content we're editing has the same URL in it, and if so, use the full editor?
 

Skyscape

New member
Hi all, I just wanted to add that I am experiencing this on my vBulletin site (that we are currently getting ready to move to XF).
I can get this 100% of the time by clicking "edit" on any home page article and then clicking "save". This also occurs by submitting posts and replies to posts, though not 100% of the time.

This began with the latest version of Chrome, Version 57.0.2987.133 (64-bit). The problem is, that error is frightening people into thinking our site is being hacked, or hacking their computer. Just what we need.

I just thought this input may help.
 

Laron

Member
This error started for me as of today. I haven't heard any reports from my users yet. I was just clicking 'More Options' to edit a thread.

XenForo 1.5.13
Chrome 57.0.2987.133

[Attachment: screenshot of the error]
 

xenfans

Well-known member
People using the latest versions of Chrome, to which more and more people will upgrade. From the beta channel to the latest stable upgrades, and recommended updates on various operating systems.

When the thread has the URL of the site in it, and you inline edit, it will trigger this.
 

xenfans

Well-known member
Secretly looking forward to a 1.5.14 release that will be able to detect that the post has a link to the site's domain, and forwards us on edit to the full editor instead. Or someone who has figured out a way to do this with a plugin.
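
The check xenfans proposes above, written out as an added example in JavaScript (this is not XenForo's code and not from anyone in this thread): before opening the inline editor, scan the post content for absolute URLs and, if any resolve to the site's own hostname or a subdomain of it, route the edit to the full editor instead. The site hostname (SITE_HOST), the function names, and the sample posts are assumptions constructed for the example. It goes a little beyond the thread's wording in that it accepts HTML href attributes, BB-code [url=...] tags and bare URLs, and parses each hostname so that a look-alike domain such as forum.example.com.evil.net is not counted as the site's own link, which a plain substring match would get wrong.

```javascript
// Added example (not XenForo code): decide whether to skip inline editing when
// the post being edited links back to the forum's own domain, the pattern this
// thread identifies as tripping Chrome 57's XSS Auditor.
//
// Assumptions (not from the thread): the site hostname is known client-side
// (SITE_HOST), and post content arrives as HTML or BB-code text.

const SITE_HOST = 'forum.example.com'; // assumed site hostname, constructed for this example

// Matches absolute http(s) URLs whether they sit in an HTML attribute,
// a BB-code [url=...] tag, or bare text. Stops at quotes, brackets and whitespace.
const URL_RE = /https?:\/\/[^\s"'<>\[\]]+/gi;

// Normalise a hostname for comparison: lower-case, drop a trailing dot.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// True when `host` is the site host itself or a subdomain of it.
function isOwnHost(host, siteHost = SITE_HOST) {
  const h = normaliseHost(host);
  const s = normaliseHost(siteHost);
  return h === s || h.endsWith('.' + s);
}

// Return the URLs in `content` that point at the site's own domain.
// The WHATWG URL parser supplies the hostname, so a look-alike such as
// "https://forum.example.com.evil.net/" does not count as the site's own link.
function ownSiteLinks(content, siteHost = SITE_HOST) {
  const found = [];
  for (const raw of content.match(URL_RE) || []) {
    let parsed;
    try {
      parsed = new URL(raw);
    } catch (e) {
      continue; // not a parseable absolute URL; ignore it
    }
    if (isOwnHost(parsed.hostname, siteHost)) {
      found.push(raw);
    }
  }
  return found;
}

// 'full' when the content links to the site's own domain, otherwise 'inline'.
// The thread reports the full editor does not trigger the warning while inline
// editing does, so the router errs toward the full editor.
function chooseEditor(content, siteHost = SITE_HOST) {
  return ownSiteLinks(content, siteHost).length > 0 ? 'full' : 'inline';
}

// Constructed sample posts, one per input form the check has to handle.
const SAMPLES = {
  plain: 'Thanks, fixed in the latest build.',
  html: '<p>See <a href="https://forum.example.com/threads/chrome-57.1234/">this thread</a>.</p>',
  bbcode: '[url=https://FORUM.EXAMPLE.COM/posts/99/]earlier post[/url]',
  lookalike: 'Beware https://forum.example.com.evil.net/login (phishing)',
  external: 'Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=703093',
};

// Hypothetical hook: decide the editor for each sample post.
function editorChoices(samples = SAMPLES, siteHost = SITE_HOST) {
  const out = {};
  for (const [name, content] of Object.entries(samples)) {
    out[name] = chooseEditor(content, siteHost);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(editorChoices());
}
```

The hostname comparison is deliberately the only criterion: whether a given link actually trips the auditor depends on Chrome's own heuristics, so this is a routing hint that prefers the full editor whenever the post links home, not a reproduction of the auditor's logic.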
 

Sim

Well-known member
Got my first report of this error from one of my users today. Waiting for more details.
 