Thread: Internet Explorer 8 Cross Site Scripting Filter

  1. #1
    WebProWorld MVP wige's Avatar
    Join Date
    Jun 2006
    Posts
    2,981

    Internet Explorer 8 Cross Site Scripting Filter

    Playing around with my new install of Internet Explorer 8, I got the following message in the information bar that shows page-related security alerts...

    Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...
    As usual, clicking the information bar only opened a generic help window, with no information about what triggered the filter, or how to correct whatever problem was detected. This tells me that if such a message is encountered on one of my sites, tracking down the issue will be difficult to say the least.

    I have already encountered sites that have triggered the filter. Most of these issues were related to advertising code. Unfortunately, there is no easy way to diagnose these issues. A developer needs to install Microsoft's Compatibility Viewer to view the event log generated by the filter. This application can be downloaded from: Microsoft Application Compatibility Toolkit 5.0

    Information on the filter can be found here: IEBlog : IE8 Security Part IV: The XSS Filter
    The best way to learn anything, is to question everything.
    WigeDev - Freelance web and software development

  2. #2
    WebProWorld MVP kgun's Avatar
    Join Date
    May 2005
    Location
    Norway
    Posts
    7,684

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Quote Originally Posted by wige View Post
    Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...
    The devil is in the details. Is the correct message:

    "Internet Explorer has modified (encapsulated) the parsing of this page to help prevent cross-site scripting. Click here for more information..."

    Unless, I see some problems for Microsoft.

  3. #3
    WebProWorld MVP wige's Avatar
    Join Date
    Jun 2006
    Posts
    2,981

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Well, I think there is more to it than that. The first blog post about this feature indicated that IE would monitor all incoming and outgoing traffic from the browser and modify the code to prevent possible attacks. So, for example, if a URL contained <script> in an attempt to inject javascript, the filter would mangle the outgoing request removing the script code. Similar functions would be performed on suspicious quotes in form fields that might indicate SQL injection, limitations on off-domain scripts, etc.

    Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
    The best way to learn anything, is to question everything.
    WigeDev - Freelance web and software development
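
For site owners trying to work out which part of a page tripped the filter, as discussed in the posts above, here is an added example (not part of the thread, and not IE8's actual logic). It flags query parameters whose decoded value looks like script and is echoed unescaped in the response; the pattern list, function names, hostnames and sample data are all constructed assumptions.

```javascript
// Added example: a simplified reflection check for diagnosis, not IE8's signature set.
// Script-like patterns (assumed, deliberately small).
const SCRIPT_LIKE = [
  /<script\b/i,          // inline or external script tag
  /\bjavascript\s*:/i,   // javascript: URL
  /\bon[a-z]+\s*=/i,     // inline event handler such as onload=
];

function decodeValue(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch (e) {
    return raw; // malformed percent-encoding: compare the raw text instead
  }
}

// Returns one finding per parameter that carries script-like text
// and appears verbatim (unescaped) in the response body.
function findReflectedScript(requestUrl, responseHtml) {
  const findings = [];
  const query = requestUrl.split("#")[0].split("?")[1] || "";
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = decodeValue(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeValue(eq === -1 ? "" : pair.slice(eq + 1));
    const pattern = SCRIPT_LIKE.find((re) => re.test(value));
    if (!pattern) continue;
    if (responseHtml.includes(value)) {
      findings.push({ name, value, pattern: String(pattern) });
    }
  }
  return findings;
}

// Constructed sample: an ad loader passes markup in the URL and the page echoes it.
const sampleUrl = "http://publisher.example/page?id=42&adcode=" +
  "%3Cscript%20src%3D%22http%3A%2F%2Fads.example%2Fa.js%22%3E%3C%2Fscript%3E";
const sampleHtml =
  '<div id="ad"><script src="http://ads.example/a.js"></script></div>';
// Same page with the value HTML-escaped on output: nothing is reflected as markup.
const sampleSafeHtml =
  '<div id="ad">&lt;script src=&quot;http://ads.example/a.js&quot;&gt;&lt;/script&gt;</div>';

console.log(findReflectedScript(sampleUrl, sampleHtml));
```

A parameter reported here is a candidate for moving the markup out of the URL or escaping it on output.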

  4. #4
    WebProWorld MVP kgun's Avatar
    Join Date
    May 2005
    Location
    Norway
    Posts
    7,684

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Quote Originally Posted by wige View Post
    Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
    Well a new nail in the business model for small companies, even if the page is not changed, only what is presented to the surfer.

    It is a new argument for a static brand link model based on a clean link with rel="nofollow" to please Google.

    Personally I prefer a model where the surfer decides him / herself by setting the adfilter. It is as I have told very easy to set that even for the new user in Opera.

    So webmasters and surfers in all countries join and start using Opera to surf the web.

  5. #5
    Rest in Peace 1946 - 2013 deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,376

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Am I to understand that this behavior is wholly independent of any user controllable browser settings?

  6. #6
    WebProWorld MVP DaveSawers's Avatar
    Join Date
    Dec 2006
    Location
    Lunenburg, Nova Scotia, Canada
    Posts
    704

    Re: Internet Explorer 8 Cross Site Scripting Filter

    I thought it was time to download this new IE8 to see what happens with my sites. These posts were getting me a little concerned.

    I'm running Vista Home Premium and the download was quick and problem free. However, IE8 overwrote IE7 without asking if I might want to keep the older version, just as it did when upgrading from IE6 to 7. This isn't a problem for me as I have other computers that I can use to check older versions of IE on and I use Firefox as my day to day developing tool.

    None of my sites needed compatibility mode and none of them produced any cross site scripting problems. Not all the HTML on my sites is standard as some of the sites are quite old. Some use Adsense and the newer ones make extensive use of AJAX.

    IE8 did pick up one coding error in the site I'm working on at the moment which is an AJAX implementation of an oil industry desktop application. I'd missed a '>' off the end of a div declaration which Firefox passed over. Since I only made that code change yesterday the error was unlikely to have made it through to even a test version. Finding the problem with the developer tools in IE8 was quick and easy, so easy in fact that I may consider switching over from Firefox for primary development. Never thought I'd hear myself saying that! If it's at least as good at picking up Javascript problems as Firefox I'll be tempted.
    Dynamic Software Development
    www.activeminds.ca

  7. #7
    WebProWorld MVP edhan's Avatar
    Join Date
    Aug 2003
    Posts
    895

    Re: Internet Explorer 8 Cross Site Scripting Filter

    I think I will wait before jumping into IE8 though the features seem to be good. I did try the IE8 beta but it is displaying my sites with all the mis-alignment. Guess I will wait until more people are converting to IE8 and I will then be forced to use it. Or maybe I should be trying out with another system and slowly make changes to be compatible?

  8. #8
    Rest in Peace 1946 - 2013 deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,376

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Quote Originally Posted by wige View Post
    Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
    Hm-mm. The ad wars version of The Empire Strikes Back?

  9. #9
    WebProWorld MVP kgun's Avatar
    Join Date
    May 2005
    Location
    Norway
    Posts
    7,684

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Quote Originally Posted by deepsand View Post
    Hm-mm. The ad wars version of The Empire Strikes Back?
    One description of the Internet. "The world's biggest anarchy".

    Now the ad model is "forced upon" us by big companies. Maybe there has to be an over national agency like WTO setting ad standards in cyber space.

    Timothy Geithner called for a new risk watchdog the day before yesterday. There is need for a new cyberspace business (more precisely digital advertising) watchdog, too.

  10. #10
    Rest in Peace 1946 - 2013 deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,376

    Re: Internet Explorer 8 Cross Site Scripting Filter

    Quote Originally Posted by kgun View Post
    Maybe there has to be an over national agency ...
    Even were there an international body with both jurisdiction and commensurate power, would you trust it?

    Quote Originally Posted by kgun View Post
    One description of the Internet. "The world's biggest anarchy".
    True; but, I prefer anarchy to despotism.
