XSS Filter False Positive

I am receiving IE8's new "Internet Explorer has modified this page to help
prevent cross-site scripting" message in my web app. In addition, the only
response IE8 shows is "#", instead of putting "#"s in the offending tags.

We are doing a post to an external domain, and cannot use the
X-XSS-Protection tag.

My post does contain html in the parameters that is reflected back in the
response; however, it doesn't contain any <script> tags or javascript.

I've been playing around with the submission, and it seems like the problem
has something to do with nested or too many tables in the html, and maybe
something to do with style tags as well.

Anyone have any insight into why I'm triggering the filter?

IE Developer Center
http://msdn.microsoft.com/en-us/ie/default.aspx

Learn IE8
http://msdn.microsoft.com/en-us/ie/aa740473.aspx

MSDN IE Development Forums
http://social.msdn.microsoft.com/for...iedevelopment/


Josh Isaac wrote:
> I am receiving IE8's new "Internet Explorer has modified this page to help
> prevent cross-site scripting" message in my web app. In addition, the
> only
> response IE8 shows is "#", instead of putting "#"s in the offending tags.
>
> We are doing a post to an external domain, and cannot use the
> X-XSS-Protection tag.
>
> My post does contain html in the parameters that is reflected back in the
> response; however, it doesn't contain any <script> tags or javascript.
>
> I've been playing around with the submission, and it seems like the
> problem
> has something to do with nested or too many tables in the html, and maybe
> something to do with style tags as well.
>
> Anyone have any insight into why I'm triggering the filter?

I am seeing the message in the info bar. I clicked for more info and went
through all of the suggested steps to no avail. Is there any way to turn it
off or stop IE8 from modifying web pages? Please post responses in consumer
english.

"PA Bear [MS MVP]" wrote:

> IE Developer Center
> http://msdn.microsoft.com/en-us/ie/default.aspx
>
> Learn IE8
> http://msdn.microsoft.com/en-us/ie/aa740473.aspx
>
> MSDN IE Development Forums
> http://social.msdn.microsoft.com/for...iedevelopment/
>
>
> Josh Isaac wrote:
> > I am receiving IE8's new "Internet Explorer has modified this page to help
> > prevent cross-site scripting" message in my web app. In addition, the
> > only
> > response IE8 shows is "#", instead of putting "#"s in the offending tags.
> >
> > We are doing a post to an external domain, and cannot use the
> > X-XSS-Protection tag.
> >
> > My post does contain html in the parameters that is reflected back in the
> > response; however, it doesn't contain any <script> tags or javascript.
> >
> > I've been playing around with the submission, and it seems like the
> > problem
> > has something to do with nested or too many tables in the html, and maybe
> > something to do with style tags as well.
> >
> > Anyone have any insight into why I'm triggering the filter?
>
>

Google Adsence or AddThis script injections..


"Mike" <Mike@discussions.microsoft.com> wrote in message
news:55B76A7B-B091-4BFE-83F0-B8AA5D5DE6A8@microsoft.com...
> I am seeing the message in the info bar. I clicked for more info and went
> through all of the suggested steps to no avail. Is there any way to turn
> it
> off or stop IE8 from modifying web pages? Please post responses in
> consumer
> english.
>
> "PA Bear [MS MVP]" wrote:
>
>> IE Developer Center
>> http://msdn.microsoft.com/en-us/ie/default.aspx
>>
>> Learn IE8
>> http://msdn.microsoft.com/en-us/ie/aa740473.aspx
>>
>> MSDN IE Development Forums
>> http://social.msdn.microsoft.com/for...iedevelopment/
>>
>>
>> Josh Isaac wrote:
>> > I am receiving IE8's new "Internet Explorer has modified this page to
>> > help
>> > prevent cross-site scripting" message in my web app. In addition, the
>> > only
>> > response IE8 shows is "#", instead of putting "#"s in the offending
>> > tags.
>> >
>> > We are doing a post to an external domain, and cannot use the
>> > X-XSS-Protection tag.
>> >
>> > My post does contain html in the parameters that is reflected back in
>> > the
>> > response; however, it doesn't contain any <script> tags or javascript.
>> >
>> > I've been playing around with the submission, and it seems like the
>> > problem
>> > has something to do with nested or too many tables in the html, and
>> > maybe
>> > something to do with style tags as well.
>> >
>> > Anyone have any insight into why I'm triggering the filter?
>>
>>
>