Recently I was adding a comment function to my blog article pages, and IE always prompted the message "Internet Explorer has modified this page to help prevent cross-site scripting" when browsing one specific article page. After debugging with Fiddler, I found the reason was that the article title began with:
IE always prompted the message "Internet Explorer has modified this page to help prevent cross-site scripting" on a specific article page after I added the Disqus comment module to all blog article pages.
By adding a breakpoint on all HTTP requests from Disqus in Fiddler, I found that IE showed the XSS warning once the following request finished.
I went a step further to locate the root cause by replacing the response content in Fiddler, and found that it was caused by the article title:
It seems that the IE XSS filter simply checks whether the string starts with
- Disable the IE XSS filter in the IE security zone settings. This is not a viable solution, since it is a client-side setting that every visitor would have to change.
- Add the HTTP response header X-XSS-Protection: 0. However, this solution is also infeasible, as the header would have to be sent from the Disqus server side.
- For now, I have to manually change the article title in the Disqus management site to avoid the false alarm from the IE XSS filter.
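For responses a site owner does control, the X-XSS-Protection header can be set in one place. The following is an added example, not code from the original post or from Disqus: a small WSGI middleware that stamps every response with a chosen X-XSS-Protection value, plus a parser that interprets the value the way legacy IE/Edge did. The inner `hello_app`, the `call_app` harness and its environ are constructed for illustration.

```python
"""Added example (not from the original post): set and inspect X-XSS-Protection
on responses you serve yourself. The Disqus case in the post cannot be fixed this
way because the header would have to come from Disqus's server, not yours.
"""
from wsgiref.simple_server import make_server


def parse_xss_protection(value):
    """Interpret an X-XSS-Protection value as legacy IE/Edge understood it.

    Returns {'enabled': bool, 'mode': str|None}. Values seen in practice:
      "0"             -> filter disabled for this response
      "1"             -> filter enabled, page is sanitised (the prompt in the post)
      "1; mode=block" -> filter enabled, page rendering is blocked entirely
    """
    parts = [p.strip() for p in value.split(";")]
    enabled = parts[0] == "1"
    mode = None
    for p in parts[1:]:
        if p.lower().startswith("mode="):
            mode = p.split("=", 1)[1].strip().lower()
    return {"enabled": enabled, "mode": mode}


def xss_protection_middleware(app, value="0"):
    """Wrap a WSGI app so every response carries X-XSS-Protection: <value>.

    Any X-XSS-Protection header from the inner app is replaced, so the policy
    is decided in exactly one place.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Hypothetical inner application standing in for an article page."""
    body = b"<html><body><h1>Article</h1></body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call_app(app, path="/"):
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "8000", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def response_xss_policy(app):
    """Return the parsed X-XSS-Protection policy the app emits, or None if absent."""
    _, headers, _ = call_app(app)
    for k, v in headers:
        if k.lower() == "x-xss-protection":
            return parse_xss_protection(v)
    return None


if __name__ == "__main__":
    # Serve on localhost:8000; check the header with curl -i or a Fiddler capture.
    with make_server("127.0.0.1", 8000, xss_protection_middleware(hello_app)) as httpd:
        httpd.serve_forever()
```

Only legacy Internet Explorer and old Edge honour this header; current browsers have removed their reflected-XSS filters and ignore it, so the durable defence against real reflected XSS is output encoding plus a Content-Security-Policy, with X-XSS-Protection kept only for the legacy-IE audience this post is about.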
In the long term, I'm still hoping the IE team can improve the XSS filter's detection logic to fix this issue. I have already submitted the issue to IE feedback as "IE11 needlessly prompts XSS warning for harmless web content", with a reproduction page: http://joji.me/test/ie-xss/.