CMS Made Simple Forums

I have an error message when submitting my form

FormBuilder submit error: XSS attempt!

I have another site using FB version 0.8.1.6 with no issues at all.

If I uninstall 1.1.1 and replace with 0.8.1.6, will it work with the newer version of CMSMS?
I'm only looking for basic form fields: Test Input. Test Area, Image File Upload.

I know about CGBetterForms. I'm not a dev and find it too complex to use. I know my way around FB sufficiently for the degree of use required.

My current site info is below

https://idocanals.co.uk/contact.html

CMSMS Version 2.2.15

Installed Modules
AdminSearch 1.0.5
Album 1.11
CGBetterForms 1.10.4
CGExtensions 1.65.2
CGFeedback 1.8.3
CGSimpleSmarty 2.2.1
CMSContentManager 1.1.9
CMSMSExt 1.0.1
CMSMailer 6.2.14
Captcha 1.0
CmsJobManager 0.1.3
DesignManager 1.1.9
FileManager 1.6.12
FilePicker 1.0.5
FormBuilder 1.1.1
LISE 1.5.b.13
LISEdirectory 1.5.b.13
LISEwaterways 1.5.b.13
MenuManager 1.50.3
MicroTiny 2.2.5
ModuleManager 2.1.8
Navigator 1.0.9
News 2.51.11
Search 1.52

You've read the help and added the CSRF token field definition to the form too?

Hi Velden.

Yes the CSRF token field is in and is the first field in the list.

Could not resolve so removed v. 1.1.1 and installed 0.8.1.6
Used SMTP method of sending.
SUCCESS.

A little wary of upgrading to 1.1.1

CapereSpiritum wrote: ↑Sat May 01, 2021 1:44 pm I have an error message when submitting my form

FormBuilder submit error: XSS attempt!

I have another site using FB version 0.8.1.6 with no issues at all.

If I uninstall 1.1.1 and replace with 0.8.1.6, will it work with the newer version of CMSMS?
I'm only looking for basic form fields: Test Input. Test Area, Image File Upload.

CapereSpiritum wrote: ↑Sun May 02, 2021 11:51 am A little wary of upgrading to 1.1.1

FormBuilder 1.1.1 is safer than its predecessors in that it solves a known vulnerability. It may need clearing the cache after upgrade but it does not require the CSRF token field although it is recommended. The CSRF token field is a separate security measure not directly related to the previous message. In all my tests and in different server settings I didn't get that error ever unless the session had expired and only once, after which the form would submit without issues. So I have to assume that it may be something very specific to your environment or an upgrade gone wrong at some point.
For security sake I would advise you to do some more testing before entirely dismissing the issue without an upgrade.

Did you set the page as not cacheable..?

For the sake of others and maybe as a contribution to a solution in one form or an other..


I got the same error, xss attempt, but only on the initial loaded page on android devices (in chrome).
If you open the (home)page and refreshed the page the form worked perfect..

On the desktop in chrome or firefox there was never a issue.

The situation happened on 2 different sites, in the end I made a backup of the forms and removed formbuilder and installed formbuilder version 1.0.2 via xml and restored the forms. And voila they worked also on mobile first time around.


I tried different things, loading the desktop version in chrome on android also did not worked,
added code to force a refresh after the paged loaded the first time but nothing helped,

<meta http-equiv="cache-control" content="no-cache, must-revalidate, post-check=0, pre-check=0" />
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />

<__script__ type='text/javascript'>
window.onload = function() {
if(!window.location.hash) {
window.location = window.location + '#loaded';
window.location.reload();
}
}
</__script>