ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 » Sun Jan 14, 2018 2:57 pm

After updating to 3.2.2 I get this error when previewing a post with the following using the code bbcode.
Exactly as below.
Only when using Chrome.
This is the error message from Chrome: ERR_BLOCKED_BY_XSS_AUDITOR

Code: Select all

<fieldset id="buttons" class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingfed').style.display='block';" />&nbsp;				
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" />&nbsp;
				</fieldset>
				<fieldset id="processingfed" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_FULLED_SENDING}" disabled="disabled" />
				</fieldset>
				<fieldset id="processingsub" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_POST_SENDING}" disabled="disabled" />
				</fieldset>

Post by Marc » Sun Jan 14, 2018 5:18 pm

The code you're referring to is not part of the 3.2.2 package. I guess this was added by a manual edit or is part of a custom style.
I guess Chrome no longer likes inline JavaScript. This does actually make sense as unobtrusive JavaScript is what should be unused nowadays (and since a few years actually ;)).

Post by Stoker 4.0 » Sun Jan 14, 2018 5:55 pm

> Marc wrote: Sun Jan 14, 2018 5:18 pm
> The code you're referring to is not part of the 3.2.2 package. I guess this was added by a manual edit or is part of a custom style.
> I guess Chrome no longer likes inline JavaScript. This does actually make sense as unobtrusive JavaScript is what should be unused nowadays (and since a few years actually ;)).

Okay thanks. I'll see if I can find a nowadays solution for using this ;)

Post by AmigoJack » Sun Jan 14, 2018 10:20 pm

> Stoker 4.0 wrote: Sun Jan 14, 2018 2:57 pm
> Code: Select all
> onclick="JavaScript:document

Try using valid JavaScript instead: an HTML handler is already in the script scope, hence the prefix JavaScript: is wrong.

> Marc wrote: Sun Jan 14, 2018 5:18 pm
> I guess Chrome no longer likes inline JavaScript

Then this very page shouldn't work either anymore when clicking on "Select all" of a code block.

Post by Stoker 4.0 » Mon Jan 15, 2018 1:47 pm

Did some more testing. The problem is not my code edits because it happens here too.
When using Google Chrome, try quoting this post and clicking the preview button.

This is for the posting page on viewtopic and PM
Open styles/prosilver/template/posting_editor.html
Find:

Code: Select all

<fieldset class="submit-buttons">
			{S_HIDDEN_ADDRESS_FIELD}
			{S_HIDDEN_FIELDS}
			<!-- EVENT posting_editor_submit_buttons -->
			<!-- IF S_HAS_DRAFTS --><input type="submit" accesskey="d" tabindex="8" name="load" value="{L_LOAD_DRAFT}" class="button2" onclick="load_draft = true;" />&nbsp; <!-- ENDIF -->
			<!-- IF S_SAVE_ALLOWED --><input type="submit" accesskey="k" tabindex="7" name="save" value="{L_SAVE_DRAFT}" class="button2" />&nbsp; <!-- ENDIF -->
			<input type="submit" tabindex="5" name="preview" value="{L_PREVIEW}" class="button1"<!-- IF not S_PRIVMSGS --> onclick="document.getElementById('postform').action += '#preview';"<!-- ENDIF --> />&nbsp;
			<input type="submit" accesskey="s" tabindex="6" name="post" value="{L_SUBMIT}" class="button1 default-submit-action" />&nbsp;

		</fieldset>
Replace with:

Code: Select all

<fieldset id="buttons" class="submit-buttons">
			{S_HIDDEN_ADDRESS_FIELD}
			{S_HIDDEN_FIELDS}
			<!-- IF S_HAS_DRAFTS --><input type="submit" accesskey="d" tabindex="8" name="load" value="{L_LOAD_DRAFT}" class="button2" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingload').style.display='block';load_draft = true;" />&nbsp; <!-- ENDIF -->
			<!-- IF S_SAVE_ALLOWED --><input type="submit" accesskey="k" tabindex="7" name="save" value="{L_SAVE_DRAFT}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsave').style.display='block';" class="button2" />&nbsp; <!-- ENDIF -->
			<input type="submit" tabindex="5" name="preview" value="{L_PREVIEW}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingprev').style.display='block';<!-- IF not S_PRIVMSGS --> document.getElementById('postform').action += '#preview';<!-- ENDIF -->" class="button1" />&nbsp;
			<input type="submit" accesskey="s" tabindex="6" name="post" value="{L_SUBMIT}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" class="button1 default-submit-action" />&nbsp;
		</fieldset>
		
		<fieldset id="processingload" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_LOAD_SENDING}<!-- ELSE -->{L_LOAD_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingsave" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_DRAFT_SENDING}<!-- ELSE -->{L_DRAFT_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingprev" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_PREVIEW_SENDING}<!-- ELSE -->{L_PREVIEW_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingsub" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_POST_SENDING}<!-- ELSE -->{L_POST_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
This is for the posting page on viewtopic and PM
Open styles/prosilver/template/quickreply_editor.html
Find:

Code: Select all

<fieldset class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" />&nbsp;
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" />&nbsp;
				</fieldset>
Replace with:

Code: Select all

<fieldset id="buttons" class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingfed').style.display='block';" />&nbsp;				
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" />&nbsp;
				</fieldset>
				<fieldset id="processingfed" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_FULLED_SENDING}" disabled="disabled" />
				</fieldset>
				<fieldset id="processingsub" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_POST_SENDING}" disabled="disabled" />
				</fieldset>
And add this to the bottom of language/en/common.php

Code: Select all

//Posting , draft , preview , cancel message... [Please Wait]
$lang = array_merge($lang, array(
	'POST_SENDING'					=> 'Sending post - Please wait...',
	'DRAFT_SENDING'					=> 'Saving post - Please wait...',
	'LOAD_SENDING'					=> 'Loading post - Please wait...',
	'PREVIEW_SENDING'				=> 'Loading preview - Please wait...',
	'PM_POST_SENDING'				=> 'Sending PM - Please wait...',
	'PM_DRAFT_SENDING'				=> 'Saving PM - Please wait...',
	'PM_LOAD_SENDING'				=> 'Loading PM  - Please wait...',
	'PM_PREVIEW_SENDING'			=> 'Loading preview - Please wait...',
	'AT_FILE_UPLOADING'				=> 'Uploading file - Please wait...',
));
Save files, upload and purge cache!

Post by AmigoJack » Mon Jan 15, 2018 2:26 pm

> Stoker 4.0 wrote: Mon Jan 15, 2018 1:47 pm
> quote this post and click the preview button

I can confirm this with version 62.0.3202.62. Trying it on a local installation (only going through 127.0.0.1) won't trigger this.

Post by Brf » Mon Jan 15, 2018 2:30 pm

So what is the question?
Apparently, Chrome is blocking some of the text, saying it is malicious.
Chrome detected unusual code on this page and blocked it to protect your personal information

Post by Stoker 4.0 » Mon Jan 15, 2018 3:09 pm

> Brf wrote: Mon Jan 15, 2018 2:30 pm
> So what is the question?
> Apparently, Chrome is blocking some of the text, saying it is malicious.
> Chrome detected unusual code on this page and blocked it to protect your personal information

A workaround would be nice so we are able to post ANY KIND of code in the codebox.
Maybe it is a bug?

Post by Brf » Mon Jan 15, 2018 3:15 pm

A bug in Chrome? It is Chrome that is doing the blocking. This is just like the problems we have with mod_security blocking text in a post.

Post by Stoker 4.0 » Mon Jan 15, 2018 3:36 pm

> Brf wrote: Mon Jan 15, 2018 3:15 pm
> A bug in Chrome? It is Chrome that is doing the blocking. This is just like the problems we have with mod_security blocking text in a post.

Styles are developed to work on all common browsers. Even if the bug is in the browser.
I don't know enough about this to argue :D

Post by Brf » Mon Jan 15, 2018 3:40 pm

This has nothing to do with the style. It is something in the text of the message that is being blocked. I remember once seeing a complaint where mod_security was blocking the word "cat". Chrome is blocking something in your text the same way.

Post by Brf » Mon Jan 15, 2018 3:47 pm

OK.... Got it down to one line:

onclick="document.getElementById('postform').action += '#preview';"

Post by Brf » Mon Jan 15, 2018 3:48 pm

Quote the previous post and preview it.

Post by Stoker 4.0 » Mon Jan 15, 2018 4:14 pm

> Brf wrote: Mon Jan 15, 2018 3:48 pm
> Quote the previous post and preview it.

Yes, that triggers it
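
Editorial example, added here and not part of any post or of phpBB: the one-line reduction above is the same inline handler that posting_editor.html puts on the Preview button, and a reflection-based filter such as Chrome's XSS Auditor looks for script in the response that also appears in the submitted request. The sketch below is a simplified model of that check, not Chrome's algorithm; the sample request, the two response templates and the file name posting.js are constructed assumptions.

```javascript
// Simplified model of a reflection-based XSS filter. This is NOT Chrome's
// actual algorithm: it only flags a response when one of its inline event
// handlers also appears verbatim in the data that was just submitted.

// Collect the values of inline on* attributes (onclick, onsubmit, ...).
function inlineHandlers(html) {
  const handlers = [];
  const re = /\son[a-z]+\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) handlers.push(m[1]);
  return handlers;
}

// Decode a form-urlencoded body into one searchable string.
function decodeBody(body) {
  return body.split('&')
    .map(pair => decodeURIComponent(pair.replace(/\+/g, ' ')))
    .join('\n');
}

// First response handler that the request also contained, or null.
function reflectedHandler(requestBody, responseHtml) {
  const submitted = decodeBody(requestBody);
  const hit = inlineHandlers(responseHtml)
    .find(h => h.length > 0 && submitted.includes(h));
  return hit === undefined ? null : hit;
}

// Constructed sample: the one-line reduction from the thread, posted for preview.
const HANDLER = "document.getElementById('postform').action += '#preview';";
const POSTED = 'onclick="' + HANDLER + '"';
const requestBody = 'message=' + encodeURIComponent(POSTED) + '&preview=Preview';

// The preview HTML-escapes the posted text, so it is inert in both responses.
const escaped = POSTED.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
const preview = '<code>' + escaped + '</code>\n<form id="postform">';

// Template A: Preview button with the inline handler, as in posting_editor.html.
const inlineTemplate = preview +
  '<input type="submit" name="preview" onclick="' + HANDLER + '" /></form>';
// Template B: no inline handler; posting.js (hypothetical file) would attach it:
//   document.querySelector('#postform input[name="preview"]')
//     .addEventListener('click', e => { e.target.form.action += '#preview'; });
const unobtrusiveTemplate = preview +
  '<input type="submit" name="preview" /></form><script src="posting.js"></script>';

console.log(reflectedHandler(requestBody, inlineTemplate));      // the template's own handler
console.log(reflectedHandler(requestBody, unobtrusiveTemplate)); // null
```

In this model the escaped preview text never matches; the hit comes from the template's own button, which is why moving the handler out of the markup removes the false positive.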

Post by canonknipser » Mon Jan 15, 2018 5:00 pm

Same happens in Opera 49.0.2725.64
Opera detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
on preview of brf's post
Greetings
Frank