Question

There's been a rash of strange HTML form elements showing up in javascript-based rich text editors all around the web. The first evidence I can find of this is in the joomla forums a little under a month ago. Since then there have also been reports from drupal users and wordpress users, and there's now evidence of this all over the web -- and finally, we've just had a report of this on a site I'm responsible for. It seems to be limited to firefox.

Any ideas where this is coming from, and how to stop it? There are some vague mentions of uninstalling firefox and running malware scanners, but nothing specific.

Was it helpful?

Solution

By chance do you have a Firefox add-on called 'Browser Highlighter' [1] installed? It might have been installed with a Skype add-on or independently (supposedly it has some connection to eBay).

I've seen two people [2], [3] post that uninstalling the 'Browser Highlighter' add-on does the trick. It's probably not a malicious widget, just a malfunctioning one. Uninstall it or disable it and let us know?

If that is the case, you can instruct your users on removing or disabling the add-on on their side (in their browser).

You will also have to remove it from posted data to your site. If you're using a third-party CMS (Wordpress, Joomla, etc) and you're not a programmer, you're going to have to get someone to watch for the offending text and strip it out.

[1] http://www.browserhighlighter.com/

[2] Case #1

[3] Case #2

OTHER TIPS

This line of code is definitively clear:

<input type="hidden" id="gwProxy" /><!--Session data--><input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>

gwProxy / jsProxy code being embedded into posts

Weird gwProxy code is inserted in WYSIWYG textareas

iT seems that there is a proxy that's been embeeded into users code using a FCKeditor an JCE editor due to a malicious theme or add-on.

From support.mozilla.com:

You can start Firefox in Safe Mode to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes). See Troubleshooting extensions and themes If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears. You can use "Disable all add-ons" on the Safe mode start window. You have to close and restart Firefox after each change (File > Exit).

Sorry about my english! Don't hesitate to comment over this post.

What do you mean by "stop it"? If you know that there is problem that is specific to a particular version of Firefox and you want to prevent it you either check for the issue when someone submits the field before you save it, you remove it from the data after its saved but before you load it, or you check for that version of Firefox and prevent users with it from making a submission on your site (which I wouldn't recommend).

I hardly think you can tell your users to uninstall Firefox, but you have these other options to deal with how the problem affects your site.

I believe you may be chasing a red herring with the rich text editor and Firefox add-in causes. This code is being injected into one of my pages that does not have a rich text editor and it is being injected into the page on IE, Chrome and Firefox. I did see a post that pointed to a Skype add-in.

From the links you gave, it doesn't sound too vague to me. It's some sort of malware that auto-inserts the javascript into things you post, probably to attack visitors to your site somehow. Having it set up to insert into common CMS editors will probably get a large number of people to post it unknowingly.

There were various instructions given for removing it, this post seems like it would probably work: Problem is in browsers - remove and reinstall

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top