Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Legitimate wiki code triggers Chrome XSS auditor script refusal #1182

Closed
Chris--S opened this issue Jun 7, 2015 · 5 comments
Closed

Legitimate wiki code triggers Chrome XSS auditor script refusal #1182

Chris--S opened this issue Jun 7, 2015 · 5 comments
Labels
Bug Category: Backend Category: CSS XHTML JS Browsers Severity: Large

Comments

@Chris--S
Copy link
Collaborator

Chris--S commented Jun 7, 2015

Attempting to "preview" a page containing the following wiki syntax will trigger the Chrome XSS auditor to refuse script execution[1]. Refusing script execution means any further editing of the page will be lost. Clicking one of the editor buttons, save, preview or cancel will result in a blank browser with just "data:;" in the address bar. And a draft at the state when the first preview was done.

<code html>
<form action="">
</form>
</code>

The problem seems to be the action property. Remove that and Chrome is fine. Other URL containing properties don't appear to cause the problem (e.g. href & src). I haven't looked into other properties.

Seen in Chrome versions:

  • Version 42.0.2311.152 m (64-bit) [Windows]
  • Version 43.0.2357.81 (64-bit) [OSX]

[1] Message in Chrome console.
The XSS Auditor refused to execute a script in 'https://www.dokuwiki.org/sandbox:chrome_xss_auditor?do=edit' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

@selfthinker
@Chris--S
Copy link
Collaborator Author

Chris--S commented Jun 7, 2015

It seems its a known Chrome issue, a false positive with a "won't fix" designation, Chrome issue #418888

@Klap-in Klap-in mentioned this issue Jun 8, 2015
Open
@Klap-in
Copy link
Collaborator

Klap-in commented Jun 8, 2015

At first glance, this issue has the same symptoms as my regularly occurring issue with failed saves of articles. However, so far I know on these pages were no empty action="" included in the article. If I'm once hit again, I will ensure that I check the console as well. (I cannot remember that I have noticed any related error message in the console)

@selfthinker
Copy link
Collaborator

@Klap-in, the action doesn't need to be empty to trigger this.

@ibauersachs
Copy link

There's not even a need for the form tag, the following is enough to trigger this:

<code>
action="x"
</code>

@Chris--S Chris--S mentioned this issue Aug 17, 2015
Closed
@splitbrain
Copy link
Collaborator

I just hit this bug myself. I guess we need to disable the XSS checks as described in http://stackoverflow.com/questions/17016960/chromiums-xss-auditor-refused-to-execute-a-script

@micgro42 micgro42 mentioned this issue Oct 29, 2015
Merged
1 task
@Klap-in Klap-in mentioned this issue Dec 22, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Category: Backend Category: CSS XHTML JS Browsers Severity: Large
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@splitbrain @selfthinker @Chris--S @Klap-in @ibauersachs