While editing content on a client site last week, I got a rather confusing error in Google Chrome Developer tools:
- The user has an input field on the page where s/he can enter and submit content.
Chrome's XSS filter (the XSS Auditor) treats this as reflected cross-site scripting: the <script> block it finds in the response also appears, verbatim, in the body of the POST request that produced the page, which is exactly the pattern a reflected XSS attack leaves behind. That is a fair check for the browser to perform, because when it triggers during ordinary browsing it is, more often than not, a genuine exploit.
One quick solution is to disable the browser's XSS filtering completely by sending an "X-XSS-Protection: 0" header from the server. But that is not desirable (and I would advise against it on public sites), because users, including anonymous users, can submit comments and other content on the site. And while Drupal input formats certainly filter out harmful content when properly configured, it never hurts to have an extra layer of security. If you must send the header at all, send it only on the authenticated editing responses that need it, never site-wide.
The second option is to save your content in Drupal (whether it is a node or a block) and, after saving, reload the page. The reload is a plain GET request with no submitted body, so there is no request content for the filter to match against and it does not kick in.
But this does not help if you want to "Preview" your changes before submitting and saving them. Any time your content contains <script> tags and you click "Preview" on a form in Drupal, the preview is rendered in the response to the POST that carried the script, so Chrome will not execute the <script> inside the content preview (the HTML, however, renders just fine).
So, what's the solution? Simple: switch to Firefox/IE (or another browser without such XSS filtering checks) for editing content that has <script> tags as part of it :)
Chrome will not, under any circumstances, execute a script that the user submitted in the previous request (and, as mentioned, "X-XSS-Protection: 0" is an undesirable and potentially dangerous header to use, especially on public sites).
So the only escape, if you do not want to reload the page after submitting it, or you want to preview it before submitting, is to switch to a different browser for editing pages/blocks with <script> tags in the content. Note that all of this concerns the XSS Auditor in the Chrome versions of the time; Chrome removed the auditor in version 78, and later versions ignore the X-XSS-Protection header entirely.