Pinball Nirvana Home Page

Go Back   Pinball Nirvana Forums > Pinball Nirvana Site > Site Problems

Site Problems Post about problems and report bugs with the site.

Reply
 
Thread Tools Search this Thread
  #1  
Old 06-16-2017, 03:24 AM
Coil_Smoke's Avatar
Coil_Smoke Coil_Smoke is offline
Pinball Pusher
 

Join Date: Dec 2011
Location: Planet Dirt
Posts: 1,003
Credits: 104,428.27
Thanks: 501
Thanked 371 Times in 294 Posts
Rep Power: 19
Coil_Smoke is just really niceCoil_Smoke is just really niceCoil_Smoke is just really niceCoil_Smoke is just really nice
Exclamation Way Outside My Wheelhouse !

Trying to preview my latest post returned an unusual error message. I admire you guys what understands how any of this works...C_S

Chrome ERR_BLOCKED_BY_XSS_AUDITOR PHP Solution to Avoid Bogus Cross-Site Scripting Detection - Secure HTML parser and filter package blog


Author: Manuel Lemos

Updated on: 2017-04-29

Posted on: 2017-04-20

Package: Secure HTML parser and filter

Since version 57, Chrome started blocking the submission of forms with content created by regular HTML editor inputs.

The problem is that this is preventing many sites that use regular HTML content editors to work in some cases, despite there is no real XSS exploit going on.

Read this article to learn more why this happens and what workarounds you can implement while Chrome blocks the requests.





Picture of Manuel Lemos
By Manuel Lemos Portugal

manuellemos.net


Contents

What is a XSS Security Exploit?

The Chrome Form Submission Error ERR_BLOCKED_BY_XSS_AUDITOR

Using the X-XSS-Protection Header asTemporary Workaround to Avoid the ERR_BLOCKED_BY_XSS_AUDITOR Block Error

Make it Safer by Filtering Harmful HTML on the Server Side using PHP

Download the Secure HTML Filter and Parser PHP Class package


ERR_BLOCKED_BY_XSS_AUDITOR
What is a XSS Security Exploit?

XSS is the abbreviation of Cross-Site Scripting. This a security attack that consists in submitting HTML with malicious JavaScript to a site.

If the site displays that HTML with JavaScript without having filtered the malicious JavaScript code, the cookies sent by the site can be stollen and sent to an attacker site, so he can use to forge user sessions and access the user site account without permissions.

The Chrome Form Submission Error ERR_BLOCKED_BY_XSS_AUDITOR

The Chrome (and Chromium) browser has a XSS security audit feature that analyzes HTML submitted via form values and blocks those requests XSS, so the forms are never submitted and eventual XSS exploits are avoided.

The problem is that since Chrome version 57 it started blocking form POST submissions with certain HTML structures. So it shows an error message named ERR_BLOCKED_BY_XSS_AUDITOR and the form is not submitted at all.

The XSS auditor feature of Chrome is a good idea because it protects users from having their accounts in certain sites exploited.

The problem is that this auditor is not very reliable under version of Chrome 57. There are some cases that it is blocking the submission of HTML that does not contain malicious JavaScript, or even any JavaScript at all.

This the case when a site uses a HTML content editor. In reality HTML content editors are parts of a HTML pages with the contenteditable attribute.

Some HTML goes here

This attribute tells the browser that the use can enter content in there for instance by typing text or pasting part of a page in there. Then some JavaScript code in the page extracts the edited HTML and puts it in a hidden form input, so it can be submitted to the server when the form is submitted.

Usually HTML editors show edit areas inside an iframe so the select, cut, copy and paste operations are contained inside the iframe. Then some JavaScript code pulls the edited HTML from the iframe into the form hidden input.

The problem is happening with Chrome 57 apparently because it is detecting the HTML pulled from the contenteditable element as insecure, even when it does not contain any JavaScript code.

It is hard to detect what exactly is the HTML code that is being detected as malicious because the problem does not happen with all sorts of HTML code being edited.

Using the X-XSS-Protection Header asTemporary Workaround to Avoid the ERR_BLOCKED_BY_XSS_AUDITOR Block Error

Unfortunately this affects thousands of Web sites that use HTML editors to let their legitimate users edit HTML content. This is the case of this blog system I am using now to edit this article.

The problem has been reported to the Google Chrome team but it has not been fixed. It is not even clear if they will fix for future Chrome versions.

One temporary workaround until Chrome stops filtering form submission with HTML is to use the X-XSS-Protection header. You can set that header before sending the current page HTML to the browser in PHP like this:

Header('X-XSS-Protection: 0');
Keep in mind that the XSS protection is a good thing when it works and does not block harmless HTML. So it is recommended that you only use this header while Chrome is blocking submission HTML in the current versions.

Make it Safer by Filtering Harmful HTML on the Server Side using PHP

Secure applications should always validate and filter insecure HTML that is received on the server side, precisely to avoid XSS attacks performed by attackers that forge form submissions.

One way to proper filtering is to use a full HTML parser that will discard malformed HTML and filter insecure JavaScript. That is one of the capabilities Secure HTML parser and filter package .

This is a a modular markup parser that parses HTML, ignored malformed HTML tags and text sequences. It provides several module classes that can be chained to perform different filtering operations.

It uses a white list to determine which HTML tag attributes and CSS style attributes are safe. This way JavaScript code and any unknown tag attributes or CSS properties and ignored.

The package can rewrite the HTML as result of the HTML filtering operation, as you may see using the following example script.

$html = 'some HTML code here';

$filter = new markup_filter_safe_html_class;

/* Add here the proprietary CSS properties that you know that are
* safe to allow.
*/
$filter->safe_proprietary_css_properties = array(
'-moz-border-radius'=>array(),
'-moz-border-radius-topleft'=>array(),
'-moz-border-radius-topright'=>array(),
'-moz-border-radius-bottomleft'=>array(),
'-moz-border-radius-bottomright'=>array(),
'-webkit-border-radius'=>array(),
'-webkit-border-top-left-radius'=>array(),
'-webkit-border-top-right-radius'=>array(),
'-webkit-border-bottom-left-radius'=>array(),
'-webkit-border-bottom-right-radius'=>array(),
);

/* Add here the CSS property function names properties that you know
* that are safe to allow.
*/
$filter->safe_css_property_functions = array(
'alpha'=>array()
);

$parameters=array(
'Data'=>$html,
/* Set to 1 if want to filter HTML that only contains the body
part of a page */
'OnlyBody'=>0,
);

if(($success = $filter->StartParsing($parameters)))
{
$output = '';
do
{
if(!($success = $filter->Parse($end, $elements)))
break;
$te = count($elements);
for($e = 0; $e < $te; ++$e)
{
if(!($success = $filter->RewriteElement( $elements[$e], $markup)))
break;
$output.= $markup;
}
}
while(!$end);
if($success)
$success = $filter->FinishParsing();
if($success)
echo $output;
}
Download the Secure HTML Filter and Parser PHP Class package

You can download and install the secure HTML filter and parser package ZIP archive or install it using the composer PHP tool using instructions from the package download page.

__________________________________________________
The Above web page > https://www.phpclasses.org/blog/pack...TOR-Error.html
__________________

When Lit
Reply With Quote
The Following 3 Users Say Thank You to Coil_Smoke For This Useful Post:
Ike Savage (06-16-2017), JonPurpleHaze (06-18-2017), pinballdaveh (06-16-2017)
  #2  
Old 06-16-2017, 11:44 PM
Ike Savage's Avatar
Ike Savage Ike Savage is offline
Pinball Porcupine
 

Join Date: Jun 2003
Posts: 3,172
Credits: 266,947.15
Thanks: 956
Thanked 579 Times in 448 Posts
Rep Power: 52
Ike Savage is a name known to allIke Savage is a name known to allIke Savage is a name known to allIke Savage is a name known to allIke Savage is a name known to allIke Savage is a name known to all
Default

what was the exact context of your actions and in what kind of formatting did this result appear?

screenshot?

is it replicable?

are you sure it was generated by PN and not some kind of middle layer?

what kind of web security are you running?

what kind of PC security are you running?
Reply With Quote
The Following User Says Thank You to Ike Savage For This Useful Post:
JonPurpleHaze (06-18-2017)
  #3  
Old 06-18-2017, 01:12 PM
JonPurpleHaze's Avatar
JonPurpleHaze JonPurpleHaze is offline
EM Enthusiast
 

Join Date: Jun 2003
Posts: 1,922
Credits: 181,498.67
Thanks: 1,379
Thanked 457 Times in 269 Posts
Rep Power: 38
JonPurpleHaze is a glorious beacon of lightJonPurpleHaze is a glorious beacon of lightJonPurpleHaze is a glorious beacon of lightJonPurpleHaze is a glorious beacon of lightJonPurpleHaze is a glorious beacon of light
Default

I was helping a user a couple months ago about after he upgraded Firefox, they started to receive a insecure connection notification to Pinball Nirvana.

A change was made to Firefox to display the message on any website that you would log on to that didn't have a https address.

This was my reply:
Quote:
I also received this message after upgrading Firefox and have been researching the warning.
The change was made by Firefox because any web page that requires a Username and password could possibly be intercepted by what they refer to as a MITM (Man In The Middle).
The risk is very low for Pinball Nirvana because we don't sell anything and there are no financial transactions, some financial Vbulletin powered sites have added the https (secured connection) to their shopping carts, etc.
I could add the https but it would create a bunch of new problems and the risk is low, a good suggestion is for users to have different passwords for different websites, especially any financial related sites.
I believe your error message is connected to this but I don't use Chrome so can't say for sure.
__________________
Pinball Nirvana
IRPinball
Reply With Quote
Reply

Bookmarks

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Forum Jump


All times are GMT -4. The time now is 10:08 PM.


Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Template-Modifications by TMS
Credits System provided by vBCredits II Deluxe (Lite) - vBulletin Mods & Addons Copyright © 2017 DragonByte Technologies Ltd.
Shoutbox provided by vBShout v6.2.15 (Lite) - vBulletin Mods & Addons Copyright © 2017 DragonByte Technologies Ltd.