Forum Bug - XSS Error

**Thalamask** · 09-04-2017, 02:03 PM

Hi guys... I hope somebody can help me with this. I've tried everything I know, and my limited googlefu has revealed nothing useful.

I've been editing my posts using the advanced editor for a while now, and all of a sudden I'm getting wierd errors. Everything's fine when I click Edit, but as soon as I click Go Advanced to get the full editor I'm now getting the following error :

This page isn’t working

Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).

Try visiting the site's homepage.

ERR_BLOCKED_BY_XSS_AUDITOR

I've got no idea how to get around this. I haven't changed, installed, updated etc. anything recently, so is it me? My computer? Chrome? Or is it something on the forums that needs fixing?

Thanks in advance!

**Cordovan** · 09-04-2017, 02:05 PM

I usually find this has to do with the content of the posts. I see someone reporting this error once every couple of years, and it's usually due to vBulletin thinking there's "dangerous" code in the post. Copy your post into Notepad or something, and try adding it to the advanced editor then hit preview one paragraph at a time until you find the culprit.

**Thalamask** · 09-04-2017, 02:30 PM

Thanks for getting back to me so quickly, Cordovan!

You were right. It was something to do with the links I'd included in the thread. I dunno why the DDO forum seems to hate links to the DDO forum, but there you go!

I'll work on a way to get around that.

Thanks again!

**janave** · 09-05-2017, 04:58 AM

Originally Posted by Thalamask

Thanks for getting back to me so quickly, Cordovan!

You were right. It was something to do with the links I'd included in the thread. I dunno why the DDO forum seems to hate links to the DDO forum, but there you go!

I'll work on a way to get around that.

Thanks again!

You probably had your session id in the link. remove the ?s=... part. and you should be ok.

Setting a known sessid by an attacker is one way to do XSS. So if an admin clicks it, the attacker can log in by setting up a cookie in browser with that sid.

**Thalamask** · 09-05-2017, 02:52 PM

Originally Posted by janave

You probably had your session id in the link. remove the ?s=... part. and you should be ok.

Setting a known sessid by an attacker is one way to do XSS. So if an admin clicks it, the attacker can log in by setting up a cookie in browser with that sid.

Thanks for the suggestion, but I don't think that's it.

The post in question is this one : https://www.ddo.com/forums/showthrea...=1#post5980081

It's the link section at the top of the post that's breaking things, and a quick check through them didn't show any ?s= unless I've completely misunderstood you.

Thread: Forum Bug - XSS Error

Thread Tools

Search Thread

Display

Forum Bug - XSS Error

Posting Permissions