Fixed Chrome 57 gives XSS error when editing a post

And would also like to note it isn't just inline, if from an inline editor we press "more options" it gives us the same error.
 
@Mike Will we be able to expect a release to address this for our 1.x communities?
Maybe an unofficial patch to give sites the option to detect urls and offer full editor instead for those posts?
 
You can workaround it by adding this to config.php:
Code: 
header('X-XSS-Protection: 1');
Actually, this is potentially another reason why I think this is a Chrome bug. It thinks there is an XSS vector here based on view source, but it's not actually scrubbing anything from the input, so it doesn't break the page. I will have to take this to them to see if there are any further comments -- though it may just lead to them scrubbing this value, which would mean that XSS protection will have to be entirely disabled to workaround this issue.
 
xenfans said:
@Mike Will we be able to expect a release to address this for our 1.x communities?
Maybe an unofficial patch to give sites the option to detect urls and offer full editor instead for those posts?
Click to expand...
Always assume that we will aim to resolve most bugs for the next release while practical or at least while it's open there will be an official resolution at some point.
 
Mike said:
You can workaround it by adding this to config.php:
Code: 
header('X-XSS-Protection: 1');
Actually, this is potentially another reason why I think this is a Chrome bug. It thinks there is an XSS vector here based on view source, but it's not actually scrubbing anything from the input, so it doesn't break the page. I will have to take this to them to see if there are any further comments -- though it may just lead to them scrubbing this value, which would mean that XSS protection will have to be entirely disabled to workaround this issue.
Click to expand...
Thank you. (edit: Version 58.0.3029.68 beta (64-bit) fixes a few things, but more options still triggers, your 'add this to config' fixed it completely for my site).
 
Last edited:
Same problem for me.

Edit: Same problem with Chrome Version 58.0.3029.68 beta (64-bit)
 
Last edited:
I'm getting this with Chrome 57 when going into 'more options' on edit. Only when the post contains a link.

However it's only on our 1.4 site. It doesn't happen on our 1.5 site
 
Just hit this today [link] and have added -- header('X-XSS-Protection: 1'); -- but would rather not leave that in permanently; if the Chrome devs do end up adding a fix for this would someone mind posting here with a heads-up so I can enable the protection again.

Thanks,
Shaun (y)

ETA: Misunderstood the original issue - protection value changed from 0 to 1.
 
Last edited:
Note that the code I posted uses the value "1", which I believe is what Chrome was doing without a header up until recently -- at least based on their comments. That will use the XSS protection but try to strip the issue rather than blocking.
 
Mike said:
You can workaround it by adding this to config.php:
Code: 
header('X-XSS-Protection: 1');
Actually, this is potentially another reason why I think this is a Chrome bug. It thinks there is an XSS vector here based on view source, but it's not actually scrubbing anything from the input, so it doesn't break the page. I will have to take this to them to see if there are any further comments -- though it may just lead to them scrubbing this value, which would mean that XSS protection will have to be entirely disabled to workaround this issue.
Click to expand...
Thanks for the work around - our members have just spotted this issue too!
 
Mike said:
Note that the code I posted uses the value "1", which I believe is what Chrome was doing without a header up until recently -- at least based on their comments. That will use the XSS protection but try to strip the issue rather than blocking.
Click to expand...
Thanks Mike. Perhaps I've misunderstood. I thought the default was '1' and that was what was causing the problem, hence my using zero. I'll change it to '1'. Cheers. (y)
 
Glad to have seen this thread. Getting this error as well for specific cases mentioned above (images as links back to site).
 

Similar threads

OguzhanM
  • Question Question
XF 1.5 Chrome gives XSS error when editing a post
Replies
7
Views
765
Martok
Martok
K
  • Question Question
XF 1.1 Server Error when editing a thread title
Replies
5
Views
942
Jake Bunce
Jake Bunce
estranged
Fixed Timeout error when editing a deleted thread.
Replies
1
Views
1K
Mike
Mike
Top Bottom