• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed Chrome 57 gives XSS error when editing a post

Gazhyde

Well-known member
#1
Haven't had much chance to test this, but just installed Chrome 57 and when editing a post it gives the following error when "More Options..." is pressed.

Quickly tested the same thing in Edge and Firefox and it doesn't give the same error. Have previously edited posts on this machine before upgrading to Chrome 57.0.2987.98 earlier today.

upload_2017-3-15_15-47-57.png

I'll try editing this post once I've posted it as it's the only other XF site I've got access to ;)

EDIT: Can edit this post without an error, so looks like something to do with my site! I'll do some more testing when I'm at home later!
 

Mike

XenForo developer
Staff member
#6
I'm going to leave this open for now, but this is essentially a false positive. There isn't actually anything in the basic example that would reasonably be called an XSS. I need to create a reduced test case to be able to report the issue, but I'm not sure (and not expecting) that we can really workaround it.
 

Mike

XenForo developer
Staff member
#8
Reduced test case and Chrome bug report can be found here: https://bugs.chromium.org/p/chromium/issues/detail?id=703093

The root cause is not something we can workaround at this point. The only alternative if the bug doesn't get fixed is to disable XSS protection via an HTTP header which I'd really rather not do.

I'll wait to see what the Chrome developers make of the issue before taking any action.
 

Chris D

XenForo developer
Staff member
#11
The current workaround would be to disable inline editing of messages:
upload_2017-3-24_0-7-46.png
Unless we can convince them otherwise, chances are we'll have to disable the auditor in that case. But it's a moot point in XF2 and this workaround should do until the next bug fix release assuming we come up with a fitting workaround, such as disabling the auditor.
 
#13
Hi all, I just wanted to add that I am experiencing this on my VBulletin site (that we are currently getting ready to move to XF).
I can get this 100% of the time by clicking "edit" on any home page article and then clicking "save". This also occurs by submitting posts and replies to posts, though not 100% of the time.

This began with the latest version of Chrome, Version 57.0.2987.133 (64-bit). The problem is, that error is frightening people into thinking our site is being hacked, or hacking their computer. Just what we need.

I just thought this input may help.
 
#15
This error started for me as of today. I haven't heard any reports from my users yet. I was just clicking 'More Options' to edit a thread.

XenForo 1.5.13
Chrome 57.0.2987.133

more.png
 

xenfans

Well-known member
#16
People using the latest versions of Chrome, to which more and more people will upgrade. From the beta channel to latest stable upgrades, and recommend updates on various operating systems.

When the thread has the url of the site in it, and you inline edit, it will trigger this.
 

xenfans

Well-known member
#18
Secretly looking forward to a 1.5.14 release that will be able to detect the post has a link to the site's domain, and forwards us on edit to the full editor instead. Or someone who figured out a way to this with a plugin.
 

Sim

Well-known member
#19
Got my first report of this error from one of my users today. Waiting for more details.
 
Last edited: