• Google Translate to French or Other Languages Click on the link and a new tab will open with this page translated into French.
    Click on the "To:" pull down option to select a different language. Users will not be logged in on the new Google tab.

Way Outside My Wheelhouse !

Coil_Smoke

Pinball Pusher
Site Supporters
Trying to preview my latest post returned an unusual error message. I admire you guys what understands how any of this works...C_S :salut:

Chrome ERR_BLOCKED_BY_XSS_AUDITOR PHP Solution to Avoid Bogus Cross-Site Scripting Detection - Secure HTML parser and filter package blog


Author: Manuel Lemos

Updated on: 2017-04-29

Posted on: 2017-04-20

Package: Secure HTML parser and filter

Since version 57, Chrome started blocking the submission of forms with content created by regular HTML editor inputs.

The problem is that this is preventing many sites that use regular HTML content editors to work in some cases, despite there is no real XSS exploit going on.

Read this article to learn more why this happens and what workarounds you can implement while Chrome blocks the requests.





Picture of Manuel Lemos
By Manuel Lemos Portugal

manuellemos.net

<email contact>
Contents

What is a XSS Security Exploit?

The Chrome Form Submission Error ERR_BLOCKED_BY_XSS_AUDITOR

Using the X-XSS-Protection Header asTemporary Workaround to Avoid the ERR_BLOCKED_BY_XSS_AUDITOR Block Error

Make it Safer by Filtering Harmful HTML on the Server Side using PHP

Download the Secure HTML Filter and Parser PHP Class package


ERR_BLOCKED_BY_XSS_AUDITOR
What is a XSS Security Exploit?

XSS is the abbreviation of Cross-Site Scripting. This a security attack that consists in submitting HTML with malicious JavaScript to a site.

If the site displays that HTML with JavaScript without having filtered the malicious JavaScript code, the cookies sent by the site can be stollen and sent to an attacker site, so he can use to forge user sessions and access the user site account without permissions.

The Chrome Form Submission Error ERR_BLOCKED_BY_XSS_AUDITOR

The Chrome (and Chromium) browser has a XSS security audit feature that analyzes HTML submitted via form values and blocks those requests XSS, so the forms are never submitted and eventual XSS exploits are avoided.

The problem is that since Chrome version 57 it started blocking form POST submissions with certain HTML structures. So it shows an error message named ERR_BLOCKED_BY_XSS_AUDITOR and the form is not submitted at all.

The XSS auditor feature of Chrome is a good idea because it protects users from having their accounts in certain sites exploited.

The problem is that this auditor is not very reliable under version of Chrome 57. There are some cases that it is blocking the submission of HTML that does not contain malicious JavaScript, or even any JavaScript at all.

This the case when a site uses a HTML content editor. In reality HTML content editors are parts of a HTML pages with the contenteditable attribute.

<div contenteditable="true">Some HTML goes here</div>
This attribute tells the browser that the use can enter content in there for instance by typing text or pasting part of a page in there. Then some JavaScript code in the page extracts the edited HTML and puts it in a hidden form input, so it can be submitted to the server when the form is submitted.

Usually HTML editors show edit areas inside an iframe so the select, cut, copy and paste operations are contained inside the iframe. Then some JavaScript code pulls the edited HTML from the iframe into the form hidden input.

The problem is happening with Chrome 57 apparently because it is detecting the HTML pulled from the contenteditable element as insecure, even when it does not contain any JavaScript code.

It is hard to detect what exactly is the HTML code that is being detected as malicious because the problem does not happen with all sorts of HTML code being edited.

Using the X-XSS-Protection Header asTemporary Workaround to Avoid the ERR_BLOCKED_BY_XSS_AUDITOR Block Error

Unfortunately this affects thousands of Web sites that use HTML editors to let their legitimate users edit HTML content. This is the case of this blog system I am using now to edit this article.

The problem has been reported to the Google Chrome team but it has not been fixed. It is not even clear if they will fix for future Chrome versions.

One temporary workaround until Chrome stops filtering form submission with HTML is to use the X-XSS-Protection header. You can set that header before sending the current page HTML to the browser in PHP like this:

Header('X-XSS-Protection: 0');
Keep in mind that the XSS protection is a good thing when it works and does not block harmless HTML. So it is recommended that you only use this header while Chrome is blocking submission HTML in the current versions.

Make it Safer by Filtering Harmful HTML on the Server Side using PHP

Secure applications should always validate and filter insecure HTML that is received on the server side, precisely to avoid XSS attacks performed by attackers that forge form submissions.

One way to proper filtering is to use a full HTML parser that will discard malformed HTML and filter insecure JavaScript. That is one of the capabilities Secure HTML parser and filter package .

This is a a modular markup parser that parses HTML, ignored malformed HTML tags and text sequences. It provides several module classes that can be chained to perform different filtering operations.

It uses a white list to determine which HTML tag attributes and CSS style attributes are safe. This way JavaScript code and any unknown tag attributes or CSS properties and ignored.

The package can rewrite the HTML as result of the HTML filtering operation, as you may see using the following example script.

$html = 'some HTML code here';

$filter = new markup_filter_safe_html_class;

/* Add here the proprietary CSS properties that you know that are
* safe to allow.
*/
$filter->safe_proprietary_css_properties = array(
'-moz-border-radius'=>array(),
'-moz-border-radius-topleft'=>array(),
'-moz-border-radius-topright'=>array(),
'-moz-border-radius-bottomleft'=>array(),
'-moz-border-radius-bottomright'=>array(),
'-webkit-border-radius'=>array(),
'-webkit-border-top-left-radius'=>array(),
'-webkit-border-top-right-radius'=>array(),
'-webkit-border-bottom-left-radius'=>array(),
'-webkit-border-bottom-right-radius'=>array(),
);

/* Add here the CSS property function names properties that you know
* that are safe to allow.
*/
$filter->safe_css_property_functions = array(
'alpha'=>array()
);

$parameters=array(
'Data'=>$html,
/* Set to 1 if want to filter HTML that only contains the body
part of a page */
'OnlyBody'=>0,
);

if(($success = $filter->StartParsing($parameters)))
{
$output = '';
do
{
if(!($success = $filter->Parse($end, $elements)))
break;
$te = count($elements);
for($e = 0; $e < $te; ++$e)
{
if(!($success = $filter->RewriteElement( $elements[$e], $markup)))
break;
$output.= $markup;
}
}
while(!$end);
if($success)
$success = $filter->FinishParsing();
if($success)
echo $output;
}
Download the Secure HTML Filter and Parser PHP Class package

You can download and install the secure HTML filter and parser package ZIP archive or install it using the composer PHP tool using instructions from the package download page.

__________________________________________________
The Above web page > https://www.phpclasses.org/blog/package/5614/post/1-How-to-Handle-Chrome-HTML-Editor-Form-Submission-Block-Due-to-Bogus-XSS-Detection-Causing-ERRBLOCKEDBYXSSAUDITOR-Error.html
 

Isaac Sauvage

Meep!
Site Supporters
Consultant
what was the exact context of your actions and in what kind of formatting did this result appear?

screenshot?

is it replicable?

are you sure it was generated by PN and not some kind of middle layer?

what kind of web security are you running?

what kind of PC security are you running?
 

JonPurpleHaze

Site Nudger
Staff member
I was helping a user a couple months ago about after he upgraded Firefox, they started to receive a insecure connection notification to Pinball Nirvana.

A change was made to Firefox to display the message on any website that you would log on to that didn't have a https address.

This was my reply:
I also received this message after upgrading Firefox and have been researching the warning.
The change was made by Firefox because any web page that requires a Username and password could possibly be intercepted by what they refer to as a MITM (Man In The Middle).
The risk is very low for Pinball Nirvana because we don't sell anything and there are no financial transactions, some financial Vbulletin powered sites have added the https (secured connection) to their shopping carts, etc.
I could add the https but it would create a bunch of new problems and the risk is low, a good suggestion is for users to have different passwords for different websites, especially any financial related sites.
I believe your error message is connected to this but I don't use Chrome so can't say for sure.
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    There are no messages in the chat. Be the first one to say Hi!
    Top