I came across a strange snippet of code in the rich-text editor on one of the websites I manage. It looks like this:
<scribe-shadow id="crxjs-ext" data-crx="okfkdaglfjjjfefdcppliegebpoegaii" style="position: fixed; width: 0px; height: 0px; top: 0px; left: 0px; z-index: 2147483647; overflow: visible; visibility: visible;></scribe-shadow>
Initially, I was worried it might be a hacking attempt, but it seems more likely to be caused by a buggy browser extension or a problematic website plugin. The odd part is, I haven't seen it show up on other sites I manage, even though many of them use the same rich text editor. There's a service called "ScribeShadow" that I found, but I'm not sure it's connected to this.
I do use a browser extension called Scribe occasionally, which creates web tutorials, but I haven't used it on this specific website. I also found a lot of similar code in forum posts while searching online, so it seems I'm not the only one experiencing this. Can anyone help me understand what this is?
4 Answers
That 'data-crx' value is actually an ID for a Chrome extension. If you go to chrome://extensions and enable developer mode, you can see if it matches any of your installed extensions. It likely belongs to the Scribe extension you mentioned and isn't a hacking attempt—just a little messy on the extension's part.
First off, try checking your website without any browser extensions turned on. You can do this by using incognito mode or temporarily disabling all extensions. If you still see the code, search through your website’s files to find where it’s coming from. That should help you identify the package or service adding it.
It seems like the 'scribe-shadow' element is definitely injected by the Scribe Chrome extension. This extension is designed for recording web tutorials and can appear on sites where it hasn't been actively used before. It’s not malware, just how the extension operates! If you want to avoid seeing it, disable the extension or try using a different browser profile.
The 'crxjs-ext' refers to a browser extension starter, which probably means that this code is being injected into your rich text editor by an extension. WYSIWYG editors work with a 'contenteditable' area, and it sounds like something isn't filtering this code out properly
Check how your editor is configured. If it allows custom elements, that's why it's getting in. Ensuring better content filtering rules will help too, plus consider implementing a Content Security Policy (CSP) to prevent these extensions from executing scripts.
I find it odd since I manage other websites with the same setup, and this is the only one affected. Plus, it’s adding new blocks of code with each save, which clutters everything up. Thanks for the info, though! I'll just disable it when it's not needed.