Sunday, July 19, 2009

IE 8 Anti-XSS A Bit Overblown

IE 8's anti-XSS filter may help protect users, but it is quite strict and flags all sorts of harmless things. It also appears to operate on GET requests only; POSTs are excluded. Given that, it would only protect users against reflected XSS issues. Stored XSS would not be mitigated by this browser control at all.
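To make the distinction concrete, here is an added example (not from the original post, and not IE 8's actual filter logic) that models a simplified GET-only reflection filter and runs it over four constructed scenarios: a reflected payload on a GET, the same page reached by POST, a payload served from stored content, and a benign search term that happens to contain a filter signature. The token list, the `example.test` URLs and the marker payload are all constructed assumptions; the real mitigation shown alongside it is plain server-side output encoding with `html.escape`.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed, simplified stand-in for a signature set a reflection-based
# client-side filter might use. Not IE 8's real rules.
SUSPICIOUS_TOKENS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed marker string used only to show where untrusted text lands.
PAYLOAD = "<script>x()</script>"
PAGE = "<h1>Search</h1><p>You searched for: {q}</p>"
COMMENT_PAGE = "<div class=comment>{c}</div>"


def reflection_filter_triggers(method: str, url: str, response_body: str) -> bool:
    """Model of a GET-only reflection filter.

    Fires only when a query-string value that contains a suspicious token
    shows up verbatim in the response body. Anything that did not arrive in
    the URL (POST bodies, stored content) is invisible to it.
    """
    if method.upper() != "GET":
        return False
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            lowered = value.lower()
            if any(tok in lowered for tok in SUSPICIOUS_TOKENS) and value in response_body:
                return True
    return False


def render_unsafe(template: str, **fields) -> str:
    """Interpolates untrusted text straight into HTML (the bug)."""
    return template.format(**fields)


def render_encoded(template: str, **fields) -> str:
    """Server-side fix: HTML-encode every untrusted field before output."""
    return template.format(**{k: html.escape(v, quote=True) for k, v in fields.items()})


def scenarios() -> dict:
    """Runs the model filter over constructed cases and reports what fires."""
    get_url = "http://example.test/search?q=" + quote(PAYLOAD)
    post_url = "http://example.test/search"          # payload would be in the body
    stored_url = "http://example.test/comments"      # nothing suspicious in the URL
    benign_term = "learn javascript: the basics"
    benign_url = "http://example.test/search?q=" + quote(benign_term)

    unsafe_reflected = render_unsafe(PAGE, q=PAYLOAD)
    encoded_reflected = render_encoded(PAGE, q=PAYLOAD)
    stored_page = render_unsafe(COMMENT_PAGE, c=PAYLOAD)   # came from a datastore
    benign_page = render_encoded(PAGE, q=benign_term)

    return {
        # Reflected on a GET: the filter sees the value in the URL and the page.
        "reflected_get_unsafe": reflection_filter_triggers("GET", get_url, unsafe_reflected),
        # Same vulnerable page via POST: filter is blind to the request body.
        "reflected_post_unsafe": reflection_filter_triggers("POST", post_url, unsafe_reflected),
        # Stored content: nothing in the URL, so the filter never fires...
        "stored_get_unsafe": reflection_filter_triggers("GET", stored_url, stored_page),
        # ...even though the raw payload is sitting in the page.
        "payload_in_stored_page": PAYLOAD in stored_page,
        # Output encoding: the value no longer appears verbatim, filter stays quiet.
        "reflected_get_encoded": reflection_filter_triggers("GET", get_url, encoded_reflected),
        "payload_in_encoded_page": PAYLOAD in encoded_reflected,
        # False positive: a harmless, correctly encoded search term still trips
        # a signature match because "javascript:" survives encoding unchanged.
        "benign_get_encoded": reflection_filter_triggers("GET", benign_url, benign_page),
    }


if __name__ == "__main__":
    for name, fired in scenarios().items():
        print(f"{name:26s} {fired}")
```

The two results worth noticing are `stored_get_unsafe` (False while the payload is demonstrably in the page) and `benign_get_encoded` (True on a page that is already safe), which is exactly the "reflected-only, and noisy" behaviour the post describes; only `render_encoded` changes whether the page is actually exploitable.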

Here is an interesting look at some of the false positives:


See also: WebScarab - BeanShell to Disable IE8 XSS

