String starting with "JavaScript:" would cause false alarm of IE XSS filter

Posted on Jun 12, 2015

Recently, while I was adding a comment function to my blog's article pages, IE always showed the message "Internet Explorer has modified this page to help prevent cross-site scripting" when I browsed a specific article page. After debugging with Fiddler, I found the reason: the article title began with "JavaScript:", which triggered the XSS filter, which treated it as a javascript protocol string and blocked the web page. Actually, the title was just a normal string without any script code.