Fixed Chrome 57 gives XSS error when editing a post

[Gazhyde]

Haven't had much chance to test this, but just installed Chrome 57 and when editing a post it gives the following error when "More Options..." is pressed.

Quickly tested the same thing in Edge and Firefox and it doesn't give the same error. Have previously edited posts on this machine before upgrading to Chrome 57.0.2987.98 earlier today.



I'll try editing this post once I've posted it as it's the only other XF site I've got access to

EDIT: Can edit this post without an error, so looks like something to do with my site! I'll do some more testing when I'm at home later!

 

[Paul B]

I've just updated to Chrome 57 and also can't reproduce it here, or on other sites.

 

[Lawrence]

I can not reproduce this either, just for an FYI.

 

[rdn]

To re-produce, a post must have a link/url the same as the site url.
Sample here: https://xenforo.com/community/threads/testing-err_blocked_by_xss_auditor.127250/

Steps: Edit > More Options... > ERR_BLOCKED_BY_XSS_AUDITOR

 

[xenfans]

Yeah, I noticed this during the nightly beta last February, was annoying to figure out. https://twitter.com/Floris/status/831078087706165249

 

[Mike]

I'm going to leave this open for now, but this is essentially a false positive. There isn't actually anything in the basic example that would reasonably be called an XSS. I need to create a reduced test case to be able to report the issue, but I'm not sure (and not expecting) that we can really workaround it.

 

[Gazhyde]

To re-produce, a post must have a link/url the same as the site url.
Sample here: https://xenforo.com/community/threads/testing-err_blocked_by_xss_auditor.127250/

Steps: Edit > More Options... > ERR_BLOCKED_BY_XSS_AUDITOR
View attachment 149907

Cool, thanks for confirming I wasn't going mad! Didn't happen on my home machine, so put it down to a glitch on my laptop!

 

[Mike]

Reduced test case and Chrome bug report can be found here: https://bugs.chromium.org/p/chromium/issues/detail?id=703093

The root cause is not something we can workaround at this point. The only alternative if the bug doesn't get fixed is to disable XSS protection via an HTTP header which I'd really rather not do.

I'll wait to see what the Chrome developers make of the issue before taking any action.

 

[Falcyn]

With the Chrome developers saying it's a wontfix and that you'll have to disable the auditor, where does that leave us? As Chrome has updated for more people (me included) I'm getting a lot of complaints about being unable to fully edit posts with on-site links

 

[xenfans]

With the Chrome developers saying it's a wontfix and that you'll have to disable the auditor, where does that leave us? As Chrome has updated for more people (me included) I'm getting a lot of complaints about being unable to fully edit posts

Could we perhaps avoid the inline moderation and go straight to 'more' or does it trigger it as well.

 

[Chris D]

The current workaround would be to disable inline editing of messages:

Unless we can convince them otherwise, chances are we'll have to disable the auditor in that case. But it's a moot point in XF2 and this workaround should do until the next bug fix release assuming we come up with a fitting workaround, such as disabling the auditor.

 

[xenfans]

Could a conditional check if the content we're editing has the same url in it, and if so, use the full editor?

 

[Skyscape]

Hi all, I just wanted to add that I am experiencing this on my VBulletin site (that we are currently getting ready to move to XF).
I can get this 100% of the time by clicking "edit" on any home page article and then clicking "save". This also occurs by submitting posts and replies to posts, though not 100% of the time.

This began with the latest version of Chrome, Version 57.0.2987.133 (64-bit). The problem is, that error is frightening people into thinking our site is being hacked, or hacking their computer. Just what we need.

I just thought this input may help.

 

[bloop]

Started getting this error too on XF 1.4.12

 

[Laron]

This error started for me as of today. I haven't heard any reports from my users yet. I was just clicking 'More Options' to edit a thread.

XenForo 1.5.13
Chrome 57.0.2987.133

 

[xenfans]

People using the latest versions of Chrome, to which more and more people will upgrade. From the beta channel to latest stable upgrades, and recommend updates on various operating systems.

When the thread has the url of the site in it, and you inline edit, it will trigger this.

 

[PASS]

I'm starting to get reports of this as well.

 

[xenfans]

Secretly looking forward to a 1.5.14 release that will be able to detect the post has a link to the site's domain, and forwards us on edit to the full editor instead. Or someone who figured out a way to this with a plugin.

 

[Sim]

Got my first report of this error from one of my users today. Waiting for more details.

 

[Divvens]

My users are reporting this too.