Thread

Before filing a bug report, i would like to know if you can replicate this.

- Publish or edit an entry with google chrome browser
- insert an image tag in any textarea (or source of a wygwam field), with the full url:
- click submit

  e.g.

<a href="http://example.com/images/avatars/default_set/big_horns.jpg">http://example.com/images/avatars/default_set/big_horns.jpg</a>

- on the subsequent preview page it seems some google chrome xss stuff kicks in.

The top-menu’s don’t work anymore, because chrome refused to load jquery.
and in the console you can see something along the lines of:
Refused to execute a JavaScript script. Source code of script found within request.

This seems to have to do with a page sending and receiving the same script somehow.
It would be really helpful if there would be a way around it.
I guess this might need altering the preview entry page.

Hello GDmac - expocom,

I was not able to replicate this.

I am using Google Chrome 16.0.912.77 on an iMac.

Inserting an image tag into a textarea and saving works great.

Let’s try something first.

Please navigate in your Control Panel to Admin->Security And Provacy->Security and Sessions and find the Preference “Apply XSS Filtering to uploaded files?” and shane that to “No” then hit submit and try again.

Retry the steps listed above and tell me if that makes any change.

I hope this helps!

Cheers,

hmmz. am on 17.0.963.46 beta, will test this further

Hey GDmac - expocom,

Sounds good. Let us know what you find.

Cheers,

Ok, tested also in non-beta, has the same issue.
If i put an img tag with quotes in the textarea, then jquery is not loaded
However, if i leave off the quotes, it gets thru. now getting even more strange.

Ok, can you please verify on a clean install?
If you put an img tag in a textarea with a full qualified url,
then Chrome will show the mentioned error…
e.g.

// generates error
<a href="http://example.com/images/avatar/default_set/big_horns.jpg">http://example.com/images/avatar/default_set/big_horns.jpg</a>
// no quotes, works ok
<img=http://example.com/images/avatar/default_set/big_horns.jpg  >

Hello GDmac,

I am still unable to recreate.

What version of ExpressionEngine are you on? I am using 2.4.

I used the following code in a textfield and a textarea. Chrome 17.0.963.46

<a href="http://static.expressionengine.com/201007/general/ee_logo.png">http://static.expressionengine.com/201007/general/ee_logo.png</a>

There were no errors.

Let me know what version you are using.

Cheers,

Shane, images from the same domain as were your EE install is.

Here is a screencast to show the issue.
(watch full-screen for better resolution)
http://www.screenr.com/Pqys

i’ve come across this issue too, seems to be a bug in chrome http://code.google.com/p/chromium/issues/detail?id=79014

Ha Ben, i posted to that chrome bug-report, linking to this thread 😊

The thing is, i can’t replicate it with a simple form and a bit of php.
Only when i put actual javascript in a textarea and echo that by php,
then i got some notice (if i recall correct).

Was hoping there would be a way around. (Other than advising: use Firefox/Safari)

ah nice one! well i’m seeing it and i believe it is happening because of a matrix field, would have to look closer though to know for sure. it is only happening when clicking on “Save Revision”, so when redirected back to the edit page. clicking on “Submit” doesn’t cause any errors.

The screencast i posted
( http://www.screenr.com/Pqys watch full-screen for better resolution)
Is a plain vanilla 2.4 install with one field group, with one textarea and one channel using that fieldgroup,
no other settings changed.

shane, i foresee this being a serious issue once enough people upgrade to the latest version of chrome. can you please notify the powers that be at ellislab about this?

Hi Ben,

I will bring this up with the team and update this thread when I have more news.

Thanks.

thanks shane