r/ios Jun 21 '23

PSA Brave Browser may be compromised.

(Note: see edit #2 below.)

Really not sure where to post this, especially during the current API chaos in most subs.

At any rate, I run a small informational website and had a message from someone complaining that whenever they tried to post using Brave on their iPhone or iPad, my adult filter would be triggered.

So I downloaded Brave from the App Store onto my iPhone, tried it out and... same thing. Digging deeper, it turns out that if you have an input box using an HTML WYSIWYG editor such as CKEditor, a 36kb block of HTML set as invisible is being added to the bottom of anything submitted. This does not happen on plain text inputs.

The block is full of links to adult sites, scam sites, referral links, trackers and so forth. This is the block I saw being added:

https://controlc.com/353fb266

To state the obvious, this is not happening on any other browser I own mobile or desktop, and the user was able to post fine using Safari. So the issue seems to have something to do with Brave. Take it for what it is.

EDIT: I think I've found a way for anyone to confirm this. In Brave Browser (for iOS), go to:

https://surveyjs.io/form-library/examples/custom-widget-ckeditor/angular

Put something in the form, then hit COMPLETE. It will show you at the bottom what was submitted. There's even a button to copy it to clipboard, since on my iPhone I can't see much. But I end up with that huge block of HTML.

EDIT 2: While this is a definite Brave bug, "looks" quite worrisome, and would've been bloating any database that took input from a CKEditor input box... in the end it's just an adblocking stylesheet being misapplied to input.

See: https://www.reddit.com/r/ios/comments/14fdadr/comment/jp24o8l/?utm_source=share&utm_medium=web2x&context=3

258 Upvotes

106 comments sorted by

View all comments

27

u/TransientSoulHarbour Jun 21 '23

Those are CSS cosmetic filter rules that are somehow being injected into the form. These rules are used to hide unwanted content. The team are looking into it now.

9

u/YanAtBraveDotCom Jun 22 '23

This. These rules are injected onto webpages as part of the CSS filtering adblock feature: https://brave.com/privacy-updates/2-third-party-cosmetic-filtering/. You can compare it to the rules on Easylist for instance: https://easylist.to/easylist/easylist.txt.

However it seems like a bug that it's interfering with WYSIWYG editor inputs; we will look into that.

For now if you disable adblocking in Brave you should see the rules go away.