McAfee Anti-Phishing filter for Internet Explorer causes onclick events to not fire?

Posted: March 21st, 2008 | Author: Michael R. Murphy | Filed under: Javascript, Usability | 5 Comments »

I very often neglect writing here in favor of devoting that time to paying work. But recently I found something that might be helpful to somebody else so I thought I’d take advantage of that.

Over the last few months, a handful of our clients have had customers report issues with their websites. Online searches at the time didn’t turn up anything that sounded like the problem I was trying to fix so I figured writing about its resolution now might help someone else in the same boat I was.

The most common bug reported was that customers ended up on the site homepage when they clicked links that should go somewhere (or do something) else. For the few that reported it, clicking a tab on a Moosejaw product page to view additional details sent them to the homepage instead. Or clicking the Sign-In link up at the top of the same page sent them to the sign-in page instead of revealing a small inline sign-in form.

The sign-in link bug was more of a minor inconvenience since users still ended up at a sign-in page. They just missed the benefit of being able to do it without leaving their current page. The product tab issue was more critical however since users affected by the bug weren’t able to view information that may or may not affect their decision to buy.

All of the users who reported problems were using Internet Explorer 7 on either Windows XP or Vista. While the majority of the browsing public meets that criteria, we were still getting very few reports of problems. Unfortunately no one in our office or the clients’ could reproduce the problem. It had to be some setup unique enough that not every one using Windows/IE was experiencing it (thank god) but common enough among the half dozen people who took the time to report it.

Luckily we had a customer willing to help us diagnose the problem. He easily reproduced the error for us during a Go-To Meeting and also patiently labored through test pages that we tweaked on the fly to try to solve the problem. To no avail.

Without getting too bogged down in detail, the product tab links look like this:

<a href="#" onclick="somefunction();">tab text</a>

Normal behavior is that javascript code in somefunction is executed when the onclick event fires and the browser is prevented from changing its location to the value of the href attribute by a return false; statement at the end of somefunction. In this case, the content of each tab is written when the page is rendered and somefunction sets the display attribute of the clicked tab to block and the display attributes of the other tabs to none. Simple.

Except that for some users, clicking the tab was taking them to the location specified in the href attribute, #, the root of the site. At first we thought there was a scripting error that was causing the function to fail before the return false; could be executed. But Internet Explorer wasn’t reporting any errors on the page. We tried moving the return false; statement inside the onclick to be on the safe side.

<a href="#" onclick="somefunction();return false;">tab text</a>

That didn’t work either. Although with a return false; statement in the function itself and no script errors being generated, I didn’t really expect it to make any difference.

We tried changing the href attribute to

<a href="javascript: void();" onclick="somefunction();">tab text</a>

Which is a common technique for using a elements to execute code rather than changing locations. But all that did was stop the browser from going to the homepage. Our tab content still wasn’t showing. somefunction was still not being executed.

Eventually fixing the bug ended up on the back burner because of the extremely low volume of people reporting it. My heart sank recently when another complaint surfaced. What were we going to tell this customer when we had exhausted possible solutions before and come up with nothing?

Luckily the most recent complainant was pretty comfortable technically and started investigating possible causes on his own. The best news came when he reported that restoring Internet Explorer to its default settings and disabling all his add-ons solved the problem and the onclick events started behaving as expected again. Then he re-enabled his add-ons until he isolated the cause as the McAfee anti-phishing filter installed by his McAfee anti-virus suite.

At the time of this writing, a Google search for ‘McAfee anti-phishing filter’ has only turned up complaints of it causing sites to load slowly. Nothing regarding its effect on Javascript code. I couldn’t find any evidence on McAfee’s website that this is a known issue. Supposedly, the customer reported it to McAfee so hopefully I’ll have additional details soon. Such as a possible work-around. Other than simply disabling the filter. Interestingly, Internet Explorer’s built-in anti-phishing filter does not exhibit the same behavior.

On a side note, this bug draws attention to an interesting usability question. The product tabs, whose href attribute is set to #, completely failed for those users affected by the bug. While the Sign-In link, whose href attribute was set to a sign-in page URL, was still usable even though the onclick event’s failure to fire prevented the inline sign-in form from appearing.

Should the tab links have real values in their href attributes? Since each tab content doesn’t have its own URL, where should the link point to? Is it necessary to create server-side programming that accepts URL querystring parameters and uses it to show the appropriate tab in the event the onclick event fails and the page is redirected? I know in at least one case, the failure of the product tabs code caused a customer to order from a competitor where he could view the information he needed to make his decision.

Popular Posts:

Related Posts:

5 Comments on “McAfee Anti-Phishing filter for Internet Explorer causes onclick events to not fire?”

  1. 1 Al Sparber said at 10:52 pm on June 13th, 2008:

    Hi Michael,

    It’s not just links with explicit onclick events. Excrutiatingly correct DOM scripting techniques that programatically assign click events also fail in the same way with MacAfee phishing filter. Consider this link that fails:

    A user with MacAfee will see the HREF executed, which in this case opens an image, even though a script is dynamically assigning an onclick. MacAfee is doing its deed at a much deeper level than you might think. THe above link is taken from an image slide show application that we market and a good number of folks are reporting failures – all being traced to MacAfee’s filter. Here is the actual page:

    http://www.projectseven.com/products/galleries/ssm/ssm_03.htm

    What’s scary is that it looks like Dell is installing this filter on its new computers.

    If you here from MacAfee, please let us know. We will do the same.


    Al Sparbner

  2. 2 Michael said at 12:54 pm on July 14th, 2008:

    Al,

    Sorry for the delay. With so much spam, occassionally legit comments get overlooked.

    I’m glad to hear from you. I’ve posted this issue in a handful of forums but haven’t run into anybody experiencing the same problems. I haven’t turned up anything at MSDN or the McAfee site either.

    We were able to verify from one of our customers that new Dell laptops are shipping with McAfee by default. Yikes!

    The good news is that I did report this finding to McAfee (with some examples of failing sites) and they do plan a patch to be released sometime during summer 2008. Until then he recommends the javascript:void(0) fix that we’re using. Not sure how that will work with the problems you’re describing.

    Good luck!

  3. 3 Nick said at 1:37 pm on September 15th, 2008:

    I have experienced a very similar problem recently on a web application for my company. We have some form fields that have an onKeyPress event handler associated with them. They are either formatting a dollar amount or a date, but in both cases they are monitoring the key press event and doing some formatting.

    The problem we’re seeing is that numbers typed into these fields are being duplicated. For instance, when a 2 is typed it appears as 22. So far only three people have reported this problem. Two of them confirmed that disabling the McAfee anti-phishing filter stopped the double-digits.

    Do you have a link to any documentation on the upcoming fix?

  4. 4 Michael said at 5:47 pm on September 27th, 2008:

    @Nick,

    Interesting. No, I don’t have any documentation about the upcoming fix. I’ll email you info for my contact at McAfee and maybe he can help you.

  5. 5 Sergio said at 5:57 pm on December 9th, 2008:

    I have the same problem. Solution: Disable Mcafee Phishing Filter in browser complements!!!!

Leave a Reply