ERR_BLOCKED_BY_XSS_AUDITOR

AmigoJack · Post by **AmigoJack** » Tue Jan 16, 2018 9:31 am

Brf wrote: ↑Mon Jan 15, 2018 3:48 pmQuote the previous post and preview it.

I said it right away and you didn't notice?

And Opera uses the same engine as Chrome - no wonder it happens there too. Most likely Vivaldi and Chromium do the same.

Most recommendations tend to just disable that browser behaviour thru an X-XSS-Protection header. Currently it is still filed as a bug.

AmigoJack · Post by **AmigoJack** » Tue Jan 16, 2018 10:25 am

Okay I've narrowed it down to this:

Sending the following text does not trigger anything: <input onclick="new();" /><input onclick="new();" />
Nor does this: <input onclick="getElementById()" />
This neither: <input onclick="document.getElementById" />
But if you take example #3 and add an opening bracket (resulting in ...ById("..., the XSS Author is triggered.
But this surprisingly works again although being valid JavaScript and thus be as malicious as everything else: <input onclick="document.getElementById ()" />

Go try it yourself.

Conclusion: it's not about phpBB's preview onsubmit handler, it's about the payload you submit.