Would you consider adding the X-XSS-Protection header to the page, and setting its value to 0 to disable the XSS auditor on this page? I'm not sure if it would work on that page because of how the validator is implemented as a shortcode, though.

I replied noting that it didn't affect Safari or Firefox, and added: The input is escaped with esc_textarea(). The code for the validator can be found here.

In response to the HackerOne filing, wrote: The text that was pasted, causing this error, can be found in The error is not caused by the presence of valid PHP code on the page. This looks like a Blink-specific feature that detects HTML in the response that matches HTML in the POST. Firefox and Safari didn't complain for either submission. I haven't yet tested with any version of IE. If the submitted text is resubmitted with all HTML tags removed, Chrome does not trip that error.

The auditor was enabled as the server did not send an 'X-XSS-Protection' header. The XSS Auditor blocked access to ' ' because the source code of a script was found within the request. In the Chrome dev tools console, the following information is provided:

If the submitted text contains unescaped HTML, Chrome will refuse to display the page, giving an ERR_BLOCKED_BY_XSS_AUDITOR page. Upon submission, the user is sent to a page that contains an evaluation of the pasted text and the pasted text as the value of a textarea. has a feature that allows users to paste in the contents of a readme.txt file for validation. After discussion on HackerOne (ticket 277012), and determined that is the proper venue for reporting this bug.