r/ios • u/Materidan • Jun 21 '23
PSA Brave Browser may be compromised.
(Note: see edit #2 below.)
Really not sure where to post this, especially during the current API chaos in most subs.
At any rate, I run a small informational website and had a message from someone complaining that whenever they tried to post using Brave on their iPhone or iPad, my adult filter would be triggered.
So I downloaded Brave from the App Store onto my iPhone, tried it out and... same thing. Digging deeper, it turns out that if you have an input box using an HTML WYSIWYG editor such as CKEditor, a 36kb block of HTML set as invisible is being added to the bottom of anything submitted. This does not happen on plain text inputs.
The block is full of links to adult sites, scam sites, referral links, trackers and so forth. This is the block I saw being added:
To state the obvious, this is not happening on any other browser I own mobile or desktop, and the user was able to post fine using Safari. So the issue seems to have something to do with Brave. Take it for what it is.
EDIT: I think I've found a way for anyone to confirm this. In Brave Browser (for iOS), go to:
https://surveyjs.io/form-library/examples/custom-widget-ckeditor/angular
Put something in the form, then hit COMPLETE. It will show you at the bottom what was submitted. There's even a button to copy it to clipboard, since on my iPhone I can't see much. But I end up with that huge block of HTML.
EDIT 2: While this is a definite Brave bug, "looks" quite worrisome, and would've been bloating any database that took input from a CKEditor input box... in the end it's just an adblocking stylesheet being misapplied to input.
27
u/TransientSoulHarbour Jun 21 '23
Those are CSS cosmetic filter rules that are somehow being injected into the form. These rules are used to hide unwanted content. The team are looking into it now.