Support

Admin Tools

#10056 My custom component triggers XSSShield

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 12 October 2011 14:52 CDT

Monday, 10 October 2011 13:25 CDT

user357
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? No
Joomla! version: 1.7.1
PHP version: 5.3.5
MySQL version: 5.1.54
Host: Media Temple
Admin Tools version: 2.1.10


Description of my issue:

I've written a custom component that opens a .pdf file in a new tab when the user presses a button on a form. I've just noticed that AT reported that function as an XSSShield attack.

Is there anything I can do to fix that? I wouldn't want any virus/trojan checkers to be triggered on my users PC's.

regards,
Royce

Monday, 10 October 2011 16:28 CDT

nicholas
Hi Royce,

Admin Tools keeps a log of all of the details of each detected attack in logs/admintools_breaches.log. Can you please copy the last entry's lines from the log right after you trigger it with your own component? This will allow me to understand why the XSSShield is triggered and tell you what's the workaround.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 12 October 2011 14:35 CDT

user357
Hi there, I sent you the snippit in a private message.

regards,
Royce

Wednesday, 12 October 2011 14:52 CDT

nicholas
Hi Royce,

I took a look at the component and saw all that raw HTML in there. The density of the images is what's ticking off the XSSShield. For now, you'll have to turn it off. In the near future (1-2 weeks) I'm going to release a new version of Admin Tools which will include the WAF Exceptions feature again. This way you'll be able to tell WAF to ignore the XSSShield protection for that particular variable which is giving it trouble.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!