xss block when adding youtube content

4 years 3 weeks ago - 4 years 3 weeks ago #316925 by activha
xss block when adding youtube content was created by activha
Hello

I have noticed a strange XSS block when trying to add content with a YouTube video. This occurs in all areas where CB allows HTML text to be input.

The test HTML is only as attached.

Trying to add or edit gives a blank page, and only after reload do we get the final page.

The browser error is:
The XSS Auditor blocked access to 'XXXXX/profil?tab=cbblogsTab' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.

Did you already encounter this problem?

Do you know how to solve this?

Thanks

PS, to be precise:
Our filter text settings are:
'applet', 'body', 'bgsound', 'base', 'basefont', 'frameset', 'head', 'html', 'id', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'title', 'xml'
Our filter tag attributes are:
'action', 'background', 'codebase', 'dynsrc', 'lowsrc'
and our CB "exclude tags from filtering" setting is:
embed iframe

4 years 3 weeks ago #316926 by activha
Replied by activha on topic xss block when adding youtube content
Replying to myself in case others have the same problem: this comes from the Reflected XSS prevention setting in the Admin Tools .htaccess Maker.

On a side note, is this setting important for CB according to your code?


4 years 3 weeks ago #316933 by krileon
Replied by krileon on topic xss block when adding youtube content

On a side note, is this setting important for CB according to your code?

I assume you're adding the video with an editor textarea field? We apply XSS filtering there, but it's still not a good idea to accept iframes, which by default CB doesn't allow. You should be able to just use a Video field, as it has specific support for YouTube links, or use CB Gallery, which also supports YouTube links.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
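As an added example (not Community Builder's own filter code, and simplified from it): a Python allowlist sanitizer that applies the filter lists quoted earlier in the thread but, instead of excluding iframe and embed from filtering altogether, keeps an <iframe> only when its src is an https YouTube embed URL and drops <embed> entirely. The video host allowlist, the stripping of on* event-handler attributes and the sample inputs are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag and attribute blocklists taken from the CB filter settings quoted in the thread.
FILTERED_TAGS = {"applet", "body", "bgsound", "base", "basefont", "frameset", "head",
                 "html", "ilayer", "layer", "link", "meta", "object", "script", "title", "xml"}
FILTERED_ATTRS = {"action", "background", "codebase", "dynsrc", "lowsrc"}
# Assumed allowlist for this example: the only hosts an <iframe src> may embed from.
VIDEO_EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
# Elements with no closing tag, so dropping one must not open a "skip" region.
VOID = {"br", "hr", "img", "input", "embed", "source", "meta", "link", "base"}

def iframe_src_allowed(src):
    """Accept only https://<allowed host>/embed/...; rejects javascript:, data: and other hosts."""
    u = urlparse(src or "")
    return u.scheme == "https" and u.netloc in VIDEO_EMBED_HOSTS and u.path.startswith("/embed/")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # char refs are decoded by the parser, so text is re-escaped on output
        self.out, self.skip_depth = [], 0

    def _start(self, tag, attrs, self_closing):
        opens = not self_closing and tag not in VOID  # will a matching end tag follow?
        if self.skip_depth:  # inside a dropped element: track nesting, emit nothing
            self.skip_depth += opens
            return
        if tag in FILTERED_TAGS or tag == "embed" or (
                tag == "iframe" and not iframe_src_allowed(dict(attrs).get("src"))):
            self.skip_depth = int(opens)  # drop the element and everything nested in it
            return
        # Strip the CB-filtered attributes plus on* event handlers (an added hardening).
        kept = [(k, v) for k, v in attrs if k not in FILTERED_ATTRS and not k.startswith("on")]
        attr_text = "".join(f" {k}" if v is None else f' {k}="{html.escape(v, quote=True)}"'
                            for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, True)
    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)
```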


4 years 3 weeks ago #316934 by activha
Replied by activha on topic xss block when adding youtube content
Yes, but we use this now in GJ event edit, which does not yet support video fields or YouTube links for events, so we have to use our CMS editor :-(

Unless you can give me a hint on adding the specific code in the event edit file in order to add videos from CB Gallery? Our users need something very simple to add a YouTube or other provider URL in event edit.


4 years 3 weeks ago #316939 by krileon
Replied by krileon on topic xss block when adding youtube content
CB Gallery will eventually provide a Joomla editor button to easily insert profile gallery entries, but aside from that you've already made the changes you needed to make to CB (allowing iframes) and adjusted your third-party extension to allow for inserting the videos. When CB Events is developed it'll likely have a media feature for inserting media (probably powered by CB Gallery).
