
Thread: Create a WYSIWYG editor (embedded)?

  1. #41
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Quote Originally Posted by Bernie
    isn't that why we have the little view source button when you right click?
    That's not the problem, though. See my post above. It's because there's "javascript" in the HTTP request, then sent back in the content of the page. Safari, Chrome (and others?) block any request that contains the same content as was submitted if that content includes any JS at all. It's much more trouble than it's worth, I think. See my post above.

    yes, it is very nice. I can replicate the issue on safari and chrome so far, haven't looked at opera.
    Good, glad to hear it. Ok, I'm going to see what I can do about Safari and see if it generalizes to the others.
    create a new element, press space until you hit the edge.
    I understand. I've seen it do that. I just mean that I don't know if that's actually a problem-- is that bad? And I don't see any way to change this-- that's just how the browsers work.


    as far as I can tell the only variable causing firefox to work and other browsers not to, is something to do with the fact that newly created elements are yellow in every browser but firefox. What does the yellow indicate?
    They're still yellow in Firefox. But they're 0px in height-- no content yet. So they have no visible background. If I change it to include default text it's yellow. (Ajrmrf found this bug earlier. I'm not sure how to fix it.)

    The yellow indicates "active"-- it's just the background color changed through JS. I want to highlight the active area. I first tried using a border but that causes the elements to shift around by a few pixels. I was planning to revisit the "active" look later.

    I believe the real difference here is that Firefox doesn't have this particular type of XSS "protection".
    Last edited by djr33; 10-28-2012 at 12:09 AM.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  2. #42
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Ok, sorry for all of the posts in a row, but there's just a lot of information.

    I seem to have (at least temporarily) fixed that by adding just one line to the top of my page:
    PHP Code:
    <?php header('X-XSS-Protection: 0'); ?>
    It's a bad fix in my opinion, but it works for now and I can work around that differently later if necessary. For example, I could strip any JS from the POST content before sending the request, using JS. Then it won't ever become an issue.


    Here's a new test page:
    http://ci-pro.com/wysiwyg/demo2.php

    Now, the important question: traq and bernie, is everything working on that page now that wasn't before? Are there any more issues at all? traq's problem (null) elements may still be relevant. I still haven't duplicated that one though.

    If everything is solved with that fix, I'll leave it for now and move on to the rest. I can revisit the best way to actually solve the XSS security issue later.


    Thanks for the help tracking that down. Now... on to the next steps.
    By the way, this is going to be an excessively busy week for me, so I might not get too much more done for a bit. But I'll keep going when I have some free time!
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #43
    Join Date
    May 2012
    Location
    Hitchhiking the Galaxy
    Posts
    1,013
    Thanks
    46
    Thanked 139 Times in 139 Posts
    Blog Entries
    1

    Default

    there is a post in this vbulletin thread about disabling xss in chrome:
    http://www.vbulletin.org/forum/showthread.php?t=276212
    Edit:
    the solution you had when we crossposted is detailed in the above link.


    this is also very helpful in explaining why the xss protection is stopping the javascript:
    https://www.owasp.org/index.php/XSS_...on_Cheat_Sheet
    "Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program." - Linus Torvalds
    Anime Views Forums
    Bernie

  5. #44
    Join Date
    May 2012
    Location
    Hitchhiking the Galaxy
    Posts
    1,013
    Thanks
    46
    Thanked 139 Times in 139 Posts
    Blog Entries
    1

    Default

    Quote Originally Posted by djr33 View Post
    Now, the important question: traq and bernie, is everything working on that page now that wasn't before? Are there any more issues at all? traq's problem (null) elements may still be relevant. I still haven't duplicated that one though.
    sorry, but it's still returning the same errors in the console, and I am still able to replicate the effect of disabling the ability to edit anything.
    "Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program." - Linus Torvalds
    Anime Views Forums
    Bernie

  7. #45
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Quote Originally Posted by bernie1227 View Post
    there is a post in this vbulletin thread about disabling xss in chrome:
    http://www.vbulletin.org/forum/showthread.php?t=276212
    Edit:
    the solution you had when we crossposted is detailed in the above link.


    this is also very helpful in explaining why the xss protection is stopping the javascript:
    https://www.owasp.org/index.php/XSS_...on_Cheat_Sheet
    Alright. Those links support the use of the header, at least as a temporary fix, and they confirm that's what was going on. So for the moment it's fine.
    In the end, I think I'll remove all onclick/onmousedown/etc attributes. That'll fix it, but it's not my focus at the moment.

    Quote Originally Posted by bernie1227 View Post
    sorry, but it's still returning the same errors in the console, and I am still able to replicate the effect of disabling the ability to edit anything.
    Ok, that's fine. Now I can debug them without worrying about the XSS nonsense. Thanks.

    For a moment I thought I had fixed it. It seemed to be working. But now I can actually see the errors rather than just the "AHHH XSS" warning from before. Much easier to fix now... haha
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
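
    Posts #42 and #45 propose stripping JavaScript and onclick/onmousedown attributes from the submitted content as the eventual replacement for the `X-XSS-Protection: 0` header. The following is an added example, not code from the thread or the demo page: it does that stripping server-side in PHP with an allowlist rather than in client-side JS as suggested in the posts; the function names and the tag, attribute and scheme lists are assumptions.

```php
<?php // Added example, not code from the thread. All names and lists below are assumptions.
const ALLOWED_TAGS    = ['p', 'div', 'span', 'b', 'i', 'u', 'em', 'strong', 'br', 'ul', 'ol', 'li', 'a'];
const DROP_TAGS       = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'template'];
const ALLOWED_ATTRS   = ['href', 'title'];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function is_safe_url(string $url): bool
{
    $u = preg_replace('/[\x00-\x20]+/', '', $url); // browsers ignore whitespace/control chars in a scheme
    return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m) || in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function clean_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) continue; // text is escaped again on output
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if ($tag === '' || in_array($tag, DROP_TAGS, true)) {
            $node->removeChild($child); // comments, PIs, and tags dropped together with their content
            continue;
        }
        clean_node($child);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild) $node->insertBefore($child->firstChild, $child); // unwrap unknown tag
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS, true) || ($name === 'href' && !is_safe_url($attr->value))) {
                $child->removeAttributeNode($attr); // drops onclick, onmousedown, style, ...
            }
        }
    }
}

function sanitize_editor_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // parse sloppy editor markup without warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return '';
    clean_node($body);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes, false)));
}

echo sanitize_editor_html('<p onclick="alert(1)">Hi<script>alert(2)</script> <a href="java&#9;script:alert(3)">x</a></p>'), "\n"; // constructed sample
```

    For production use, a maintained sanitizer such as HTML Purifier covers parser edge cases that this short tree walker does not.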

  8. #46
    Join Date
    May 2012
    Location
    Hitchhiking the Galaxy
    Posts
    1,013
    Thanks
    46
    Thanked 139 Times in 139 Posts
    Blog Entries
    1

    Default

    hang on, hold it right there, it appears to be working as far as I can tell now, you can do what I was doing to replicate the issue without a problem now, the only thing is, it takes two clicks to actually edit the first thing you click after you've created and clicked on a new element.

    In short, it looks like it works now.
    Edit:
    it appears the errors about parentNode and innerHTML are now replaced with:
    Uncaught TypeError: Object false has no method 'replace' demo2.php:51
    "Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program." - Linus Torvalds
    Anime Views Forums
    Bernie

  9. #47
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Sorry, Bernie. I think you were testing it while I was fixing it. No magic changes, just new code.

    But ok, I think it's working too. Same link, check to be sure. I can't find any more problems with it.

    I'm also not getting the double click problem. Is that still happening? What should I do to replicate it?
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  10. #48
    Join Date
    May 2012
    Location
    Hitchhiking the Galaxy
    Posts
    1,013
    Thanks
    46
    Thanked 139 Times in 139 Posts
    Blog Entries
    1

    Default

    yep, no double click problem anymore, it's looking like it's working fine.
    "Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program." - Linus Torvalds
    Anime Views Forums
    Bernie

  12. #49
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Quote Originally Posted by djr33 View Post
    ...Isn't any competent serverside designer going to filter out XSS as required???
    lol, you had me rolling with that one. thanks for the laugh!

    Your updates look good. I'm not experiencing the problem anymore. I'll keep playing with it.

  14. #50
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Ok, great. I'll keep posting updates as I have them. I'll make new demoN pages as needed in case you want to compare to the old versions.


    traq, I wasn't suggesting there are no incompetent serverside designers.... I was just pointing out that they're incompetent
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
