ERR_BLOCKED_BY_XSS_AUDITOR

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Stoker 4.0
Registered User
Posts: 1487
Joined: Sun Feb 13, 2011 1:33 pm
Location: Funen, Denmark
Name: Ulrik Christensen

ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

After updating to 3.2.2 I get this error when previewing a post with the following using the code bbcode.
Exactly as below.
Only when using Chrome.
This is the error message from Chrome: ERR_BLOCKED_BY_XSS_AUDITOR

Code: Select all

<fieldset id="buttons" class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingfed').style.display='block';" />&nbsp;				
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" />&nbsp;
				</fieldset>
				<fieldset id="processingfed" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_FULLED_SENDING}" disabled="disabled" />
				</fieldset>
				<fieldset id="processingsub" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_POST_SENDING}" disabled="disabled" />
				</fieldset>
Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Marc »

The code you're referring to is not part of the 3.2.2 package. I guess this was added by a manual edit or is part of a custom style.
I guess Chrome does no longer like inline JavaScript. This does actually make sense as unobtrusive JavaScript is what should be unused nowadays (and since a few years actually ;)).

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

Marc wrote: Sun Jan 14, 2018 5:18 pm The code you're referring to is not part of the 3.2.2 package. I guess this was added by a manual edit or is part of a custom style.
I guess Chrome does no longer like inline JavaScript. This does actually make sense as unobtrusive JavaScript is what should be unused nowadays (and since a few years actually ;)).
Okay thanks. I'll see if I can find a nowadays solution for using this ;)
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by AmigoJack »

Stoker 4.0 wrote: Sun Jan 14, 2018 2:57 pm

Code: Select all

onclick="JavaScript:document
Try using valid JavaScript instead: an HTML handler is already in the script scope, hence the prefix JavaScript: is wrong.

Marc wrote: Sun Jan 14, 2018 5:18 pm I guess Chrome does no longer like inline JavaScript
Then this very page shouldn't work either anymore when clicking on "Select all" of a code block.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

Did some more testing. The problem is not my code edits because it happens here too.
When using Google Chrome, try quoting this post and clicking the preview button.

This is for the posting page on viewtopic and PM
Open styles/prosilver/template/posting_editor.html
Find:

Code: Select all

<fieldset class="submit-buttons">
			{S_HIDDEN_ADDRESS_FIELD}
			{S_HIDDEN_FIELDS}
			<!-- EVENT posting_editor_submit_buttons -->
			<!-- IF S_HAS_DRAFTS --><input type="submit" accesskey="d" tabindex="8" name="load" value="{L_LOAD_DRAFT}" class="button2" onclick="load_draft = true;" />&nbsp; <!-- ENDIF -->
			<!-- IF S_SAVE_ALLOWED --><input type="submit" accesskey="k" tabindex="7" name="save" value="{L_SAVE_DRAFT}" class="button2" />&nbsp; <!-- ENDIF -->
			<input type="submit" tabindex="5" name="preview" value="{L_PREVIEW}" class="button1"<!-- IF not S_PRIVMSGS --> onclick="document.getElementById('postform').action += '#preview';"<!-- ENDIF --> />&nbsp;
			<input type="submit" accesskey="s" tabindex="6" name="post" value="{L_SUBMIT}" class="button1 default-submit-action" />&nbsp;

		</fieldset>
Replace with:

Code: Select all

<fieldset id="buttons" class="submit-buttons">
			{S_HIDDEN_ADDRESS_FIELD}
			{S_HIDDEN_FIELDS}
			<!-- IF S_HAS_DRAFTS --><input type="submit" accesskey="d" tabindex="8" name="load" value="{L_LOAD_DRAFT}" class="button2" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingload').style.display='block';load_draft = true;" />&nbsp; <!-- ENDIF -->
			<!-- IF S_SAVE_ALLOWED --><input type="submit" accesskey="k" tabindex="7" name="save" value="{L_SAVE_DRAFT}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsave').style.display='block';" class="button2" />&nbsp; <!-- ENDIF -->
			<input type="submit" tabindex="5" name="preview" value="{L_PREVIEW}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingprev').style.display='block';<!-- IF not S_PRIVMSGS --> document.getElementById('postform').action += '#preview';<!-- ENDIF -->" class="button1" />&nbsp;
			<input type="submit" accesskey="s" tabindex="6" name="post" value="{L_SUBMIT}" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" class="button1 default-submit-action" />&nbsp;
		</fieldset>
		
		<fieldset id="processingload" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_LOAD_SENDING}<!-- ELSE -->{L_LOAD_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingsave" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_DRAFT_SENDING}<!-- ELSE -->{L_DRAFT_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingprev" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_PREVIEW_SENDING}<!-- ELSE -->{L_PREVIEW_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
		<fieldset id="processingsub" class="submit-buttons" style="display:none;">
			<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="<!-- IF S_IN_UCP -->{L_PM_POST_SENDING}<!-- ELSE -->{L_POST_SENDING}<!-- ENDIF -->" disabled="disabled" />
		</fieldset>
This is for the posting page on viewtopic and PM
Open styles/prosilver/template/quickreply_editor.html
Find:

Code: Select all

<fieldset class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" />&nbsp;
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" />&nbsp;
				</fieldset>
Replace with:

Code: Select all

<fieldset id="buttons" class="submit-buttons">
					{S_FORM_TOKEN}
					{QR_HIDDEN_FIELDS}
					<input type="submit" accesskey="f" tabindex="6" name="preview" value="{L_FULL_EDITOR}" class="button2" id="qr_full_editor" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingfed').style.display='block';" />&nbsp;				
					<input type="submit" accesskey="s" tabindex="7" name="post" value="{L_SUBMIT}" class="button1" onclick="JavaScript:document.getElementById('buttons').style.display='none';document.getElementById('processingsub').style.display='block';" />&nbsp;
				</fieldset>
				<fieldset id="processingfed" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_FULLED_SENDING}" disabled="disabled" />
				</fieldset>
				<fieldset id="processingsub" class="submit-buttons" style="display:none;">
					<i class="fa fa-refresh fa-spin fa-fw"></i> <input class="buttonpw buttonpwbg" type="button" value="{L_POST_SENDING}" disabled="disabled" />
				</fieldset>
And add this to the bottom of language/en/common.php

Code: Select all

//Posting , draft , preview , cancel message... [Please Wait]
$lang = array_merge($lang, array(
	'POST_SENDING'					=> 'Sending post - Please wait...',
	'DRAFT_SENDING'					=> 'Saving post - Please wait...',
	'LOAD_SENDING'					=> 'Loading post - Please wait...',
	'PREVIEW_SENDING'				=> 'Loading preview - Please wait...',
	'PM_POST_SENDING'				=> 'Sending PM - Please wait...',
	'PM_DRAFT_SENDING'				=> 'Saving PM - Please wait...',
	'PM_LOAD_SENDING'				=> 'Loading PM  - Please wait...',
	'PM_PREVIEW_SENDING'			=> 'Loading preview - Please wait...',
	'AT_FILE_UPLOADING'				=> 'Uploading file - Please wait...',
));
Save files, upload and purge cache!

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by AmigoJack »

Stoker 4.0 wrote: Mon Jan 15, 2018 1:47 pm quote this post and click the preview button
I can confirm this with version 62.0.3202.62. Trying it on a local installation (only going thru 127.0.0.1) won't trigger this.
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Brf »

So what is the question?
Apparently, Chrome is blocking some of the text, saying it is malicious.
Chrome detected unusual code on this page and blocked it to protect your personal information

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

Brf wrote: Mon Jan 15, 2018 2:30 pm So what is the question?
Apparently, Chrome is blocking some of the text, saying it is malicious.
Chrome detected unusual code on this page and blocked it to protect your personal information
A workaround would be nice so we are able to post ANY KIND of code in the codebox.
Maybe it is a bug?

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Brf »

A bug in Chrome? It is Chrome that is doing the blocking. This is just like the problems we have with mod_security blocking text in a post.

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

Brf wrote: Mon Jan 15, 2018 3:15 pm A bug in Chrome? It is Chrome that is doing the blocking. This is just like the problems we have with mod_security blocking text in a post.
Styles are developed to work on all common browsers. Even if the bug is in the browser.
I don't know enough about this to argue :D

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Brf »

This has nothing to do with the style. It is something in the text of the message that is being blocked. I remember once seeing a complaint where mod_security was blocking the word "cat". Chrome is blocking something in your text the same way.

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Brf »

OK.... Got it down to one line:

onclick="document.getElementById('postform').action += '#preview';"

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Brf »

Quote the previous post and preview it.

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by Stoker 4.0 »

Brf wrote: Mon Jan 15, 2018 3:48 pm Quote the previous post and preview it.
Yes, that triggers it
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: ERR_BLOCKED_BY_XSS_AUDITOR

Post by canonknipser »

Same happens in Opera 49.0.2725.64
Opera detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
on preview of brf's post
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
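
Added example, not part of any post in this thread and not Chrome's or phpBB's code: a simplified model of a reflected-XSS filter, showing why the one-line post isolated above matches the stock preview button in posting_editor.html and why moving the handler out of the markup removes the match. The matching rule, the sample request and pages, and the file name preview.js are assumptions constructed for illustration.

```javascript
// Simplified model of a reflected-XSS filter (an assumption for illustration,
// not Chrome's real algorithm): flag a response when an inline event handler
// in its HTML also appears verbatim in the data that was just submitted.

// Collect the values of inline on* attributes (onclick, onload, ...).
function inlineHandlers(html) {
  const re = /\son[a-z]+\s*=\s*"([^"]*)"/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Compare without whitespace so re-indentation does not hide a match.
const squash = (s) => s.replace(/\s+/g, "");

// Return the live handlers in the response that the request body contains.
function reflectedHandlers(requestBody, responseHtml) {
  const sent = squash(decodeURIComponent(requestBody.replace(/\+/g, " ")));
  return inlineHandlers(responseHtml).filter(
    (h) => h.length > 0 && sent.includes(squash(h))
  );
}

// Constructed sample: the one-line post from the thread, form-encoded.
const HANDLER = "document.getElementById('postform').action += '#preview';";
const postBody =
  "message=" + encodeURIComponent(`onclick="${HANDLER}"`) + "&preview=Preview";

// Constructed preview page: the post is echoed HTML-escaped (inert text), but
// the stock preview button carries the same handler as a live attribute.
const echoed = `onclick=&quot;${HANDLER.replace(/'/g, "&#039;")}&quot;`;
const stockPage = `<code>${echoed}</code>
<input type="submit" name="preview" class="button1" onclick="${HANDLER}" />`;

// Same page with the handler moved out of the markup (unobtrusive JavaScript).
// "preview.js" is a hypothetical file name.
const unobtrusivePage = `<code>${echoed}</code>
<input type="submit" name="preview" class="button1" id="preview-btn" />
<script src="preview.js"></script>`;

console.log("stock template:      ", reflectedHandlers(postBody, stockPage));
console.log("unobtrusive template:", reflectedHandlers(postBody, unobtrusivePage));
console.log("harmless post:       ", reflectedHandlers("message=hello+world", stockPage));
```

In this model the escaped echo of the post never counts as a handler; only the template's own live attribute does, which is why the post text itself is harmless yet still trips the filter.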