Legitimate wiki code triggers Chrome XSS auditor script refusal #1182
Comments
It seems it's a known Chrome issue, a false positive with a "won't fix" designation: Chrome issue #418888.
At first glance, this issue has the same symptoms as my regularly occurring issue with failed saves of articles. However, as far as I know, on these pages there were no empty |
@Klap-in, the |
There's not even a need for the form tag, the following is enough to trigger this:
|
I just hit this bug myself. I guess we need to disable the XSS checks as described in http://stackoverflow.com/questions/17016960/chromiums-xss-auditor-refused-to-execute-a-script
Attempting to "preview" a page containing the following wiki syntax will trigger the Chrome XSS auditor to refuse script execution [1]. Refusing script execution means any further editing of the page will be lost: clicking one of the editor buttons (save, preview or cancel) will result in a blank browser window with just "data:;" in the address bar, and a draft in the state it was in when the first preview was done.
The problem seems to be the action property. Remove that and Chrome is fine. Other URL-containing properties (e.g. href and src) don't appear to cause the problem. I haven't looked into other properties.
Seen in Chrome versions:
[1] Message in Chrome console.
The XSS Auditor refused to execute a script in 'https://www.dokuwiki.org/sandbox:chrome_xss_auditor?do=edit' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
@selfthinker
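The round trip described in the issue body above (a form with an action attribute is posted for preview, echoed back in the response, and Chrome's auditor then refuses the page's scripts) and the header-based workaround mentioned in the earlier "disable the XSS checks" comment, as an added example that is not DokuWiki's code or anything posted in this thread. It models Chrome's rule exactly as the quoted console message states it (the auditor runs unless the server sent X-XSS-Protection or Content-Security-Policy) and the reflection condition exactly as the report states it (a form action attribute in the request that comes back in the response); href and src are deliberately not matched because the report says they do not trigger. The function names, the `protect` modes and the sample wiki text are assumptions made for this example. Two caveats a maintainer would want: `X-XSS-Protection: 0` switches off a browser-side filter, so it is only acceptable because the wiki's own output escaping is what actually prevents XSS; a Content-Security-Policy also satisfies Chrome's rule and is the better long-term choice. The auditor itself was removed in Chrome 78, so current browsers no longer exhibit this failure.

```python
"""Added example, not DokuWiki code: a minimal model of the preview POST
reported in this issue and of the response-header workaround discussed in
the comments. render_preview, auditor_enabled, reflected_form_actions and
would_refuse are hypothetical names chosen for this example."""
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample input: wiki text carrying a form with an absolute
# action URL, the kind of markup the report says triggers the auditor.
SAMPLE_WIKI_TEXT = '<form action="https://example.org/search"><input name="q"></form>'
# Constructed control input: a plain link, which the report says is harmless.
SAMPLE_LINK_TEXT = '<a href="https://example.org/search">search</a>'

# Only the form action attribute is matched; the report lists href and src
# as not causing the problem, so they are intentionally left out.
FORM_ACTION_RE = re.compile(
    r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def preview_request_body(wikitext: str) -> str:
    """Build the urlencoded POST body an editor would send for a preview."""
    return urlencode({"wikitext": wikitext, "do[preview]": "Preview"})


def render_preview(posted_body: str, protect: str = "none"):
    """Return (headers, html) for a preview POST.

    protect selects the server-side stance (hypothetical modes):
      'none' reproduces the report: no header, so the auditor is on;
      'xss0' sends X-XSS-Protection: 0, the workaround from the comments;
      'csp'  sends a Content-Security-Policy header instead.
    The reflected markup is identical in all three cases; only the headers
    differ, which is the whole point of the workaround.
    """
    fields = parse_qs(posted_body)
    wikitext = fields.get("wikitext", [""])[0]
    # A real renderer converts wikitext to HTML; the report says the
    # <form action=...> survives into the preview, so it is echoed verbatim.
    html = '<html><body><div class="preview">' + wikitext + "</div></body></html>"
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if protect == "xss0":
        headers["X-XSS-Protection"] = "0"
    elif protect == "csp":
        headers["Content-Security-Policy"] = "default-src 'self'; form-action 'self'"
    elif protect != "none":
        raise ValueError("unknown protect mode: " + protect)
    return headers, html


def auditor_enabled(headers) -> bool:
    """Chrome's rule as quoted in the console message: the auditor runs
    unless the server sent X-XSS-Protection or Content-Security-Policy."""
    names = {name.lower() for name in headers}
    return "x-xss-protection" not in names and "content-security-policy" not in names


def reflected_form_actions(posted_body: str, html: str):
    """Form action URLs present in the request that come back in the response."""
    wikitext = parse_qs(posted_body).get("wikitext", [""])[0]
    sent = set(FORM_ACTION_RE.findall(wikitext))
    returned = set(FORM_ACTION_RE.findall(html))
    return sorted(sent & returned)


def would_refuse(posted_body: str, headers, html: str) -> bool:
    """Model of the failure mode: auditor on and a form action reflected."""
    return auditor_enabled(headers) and bool(reflected_form_actions(posted_body, html))


if __name__ == "__main__":
    body = preview_request_body(SAMPLE_WIKI_TEXT)
    for mode in ("none", "xss0", "csp"):
        hdrs, page = render_preview(body, mode)
        print(mode, "refused" if would_refuse(body, hdrs, page) else "ok")
```

`auditor_enabled` is the part worth reusing on a live server: feed it the header names from a real preview response (for example from the `Headers` object of a `fetch` in the browser console) and it tells you whether Chrome's stated precondition for running the auditor holds.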