Fixed Chrome 57 gives XSS error when editing a post

The issue appears again here too. I got a report from a user with Chrome. I can reproduce it with Chrome on my Mac (everything latest version).
Issue appears when I try to edit a message in full screen. Please let me know if I need to open a bug or that this thread is reopened.
 
Can you reproduce it in the test forum on this site? If not, that would imply you aren't running the version with the fix (or haven't applied the workaround I posted in this thread for prior versions).
 
I am not familiar with your test site, sorry. I read later on the work around (extra line in config.php) and asked @MattW if he can activate it. Currently the work around is not active on MattW's shared hosting (as far as I'm aware). So if MattW can add the work around it should be ok. Thanks for the quick reply!
 
It looks like you're running the latest version of XF which fixed this issue, so no further workaround should be necessary.

By "test forum on this site" Mike was referring to this forum: https://xenforo.com/community/forums/test-messages.6/

Can you reproduce the issue if you create and edit some posts in that forum?

If you can, then please let us know the exact reproduction steps, browser and OS version.

If you can't, then it's likely something specific to you. It might be worth doing a File Health Check in your Admin CP to ensure the files were uploaded correctly.
 
Could you confirm the exact reproduction steps, browser and OS version?

If you open the following file on your server:
library/XenForo/ViewRenderer/Abstract.php

Do you see the following:
Code: 
$this->_response->setHeader('X-XSS-Protection', '1');
 
Chris D said:
Could you confirm the exact reproduction steps, browser and OS version?

If you open the following file on your server:
library/XenForo/ViewRenderer/Abstract.php

Do you see the following:
Code: 
$this->_response->setHeader('X-XSS-Protection', '1');
Click to expand...
PHP: 
public function __construct(XenForo_Dependencies_Abstract $dependencies, Zend_Controller_Response_Http $response, Zend_Controller_Request_Http $request)
        {
                $this->_dependencies = $dependencies;
                $this->_response = $response;
                $this->_request = $request;

                if (!XenForo_Application::isRegistered('config') || XenForo_Application::getConfig()->enableClickjackingProtection)
                {
                        $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
                }

                $this->_response->setHeader('X-XSS-Protection', '1');

                $this->_preloadContainerData();
        }
 
Chris D said:
Could you confirm the exact reproduction steps, browser and OS version?

If you open the following file on your server:
library/XenForo/ViewRenderer/Abstract.php

Do you see the following:
Code: 
$this->_response->setHeader('X-XSS-Protection', '1');
Click to expand...

I use Chrome Version 58.0.3029.110 (64-bit) on a Macbook.
It happens with this topic: http://mainecoon.nl/forum/threads/johnny-delusional-black-smoke-white-kater.87920/
If I try to Edit > More Options, the error appears.

I tried some other random topics and the error does not appear.
 
Just to check - if I have the latest update of XF do I still need the line in my config.php file or can that be removed now?
 
It can be removed.

If anyone can still reproduce it on the latest version, we'd need to know the exact BB code in the post in question and the URL to the thread containing the post. The examples from the original report which were posted in our testing forum no longer reproduce the issue, so we haven't seen an example that's confirmed to cause issues with the most recent release.
 
As a follow up, someone did send me an example and looking at one of the examples here, it looks like the same issue.

It appears that some people are explicitly sending custom X-XSS-Protection headers which are overriding what XF is sending and thus undoing the workaround. These headers are being added outside of XF, so there isn't anything we can do to control them. You would need to adjust how they are added.
 
Mike said:
As a follow up, someone did send me an example and looking at one of the examples here, it looks like the same issue.

It appears that some people are explicitly sending custom X-XSS-Protection headers which are overriding what XF is sending and thus undoing the workaround. These headers are being added outside of XF, so there isn't anything we can do to control them. You would need to adjust how they are added.
Click to expand...
It may happen when CloudFlare is between the server and the client.
Afaik, they do add some additional (minimal) code to the code the server is sending to the client. But this is just an "may be" not "it is". I am not an expert at all, so yeah...
But it is possible.

Will try to test out (since i am using CloudFlare) and see what are the results.

Kind regards :)
 
Can not reproduce the error while using / not using CloudFlare (my bad)

  • CloudFlare , ExtraLine = error
  • CloudFlare , ExtraLine = NoError
  • CloudFlare , ExtraLine = Error
  • CloudFlare , ExtraLine = No Error

    Extra line:
    Code: 
    $this->_response->setHeader('X-XSS-Protection', '1');
Conclusion; You need that extra line
Forum Software Version: 1.5.13
ThemeUsing: UI.X-dark [ThemeHouse]
 

Similar threads

OguzhanM
  • Question Question
XF 1.5 Chrome gives XSS error when editing a post
Replies
7
Views
767
Martok
Martok
K
  • Question Question
XF 1.1 Server Error when editing a thread title
Replies
5
Views
943
Jake Bunce
Jake Bunce
estranged
Fixed Timeout error when editing a deleted thread.
Replies
1
Views
1K
Mike
Mike
Back
Top Bottom