We have just discovered a case where IE (8, 9, and 10) is deciding that a particular form in our application constitutes an XSS attack. This form is an "add detail to existing entity" sort of form. The exact same form, for a different entity, works perfectly. It is only when the customer attempts to add to entity "nnn" that IE sees an XSS attack.
I want to emphasize that this is occurring in a released version of the web application released two months ago - there have been no recent changes to the application, and the problem reproduces in the version of the application under development. The problem clearly is not due to a bug in our application.
The outcome is that IE adds a "#" into the middle of the form action attribute. This causes the URL to be cut off, and our application fails.
If it matters, IE in this instance has added the "#" after a "/".
It will be difficult to troubleshoot this problem, since the same exact page is being sent to the browser hundreds of times a day, with no problems. There is something about the specifics that causes the problem. Maybe IE doesn't like the ViewState which is being sent.
Is there a way to get IE to display details of its XSS decision process, perhaps to the F12 Developer Tools console? Are there other suggestions on how to troubleshoot this?
John Saunders | Sr. Software Developer | TAPFIN ManpowerGroup Solutions | www.tapfin.com