
IE is modifying my pages and puts # automatically to the hyperlinks when I redirect a page via JavaScript.

Here is the message I am seeing:

Internet Explorer has modified this page to help prevent cross-site scripting.
Click here for more information...


I tried the following two methods to programmatically prevent IE from doing this.

<meta http-equiv="X-XSS-Protection" content="0">

Via Coldfusion:

<cfheader name="X-XSS-Protection" value="0">

But neither of them worked for me. What am I doing wrong?

To redirect, I am doing simple javascript like this:

window.location = "?param1=val_1&param2=val_2";

/* Sample URL to redirect:
?grp=3&set=1&KEYWORDS=&BADWORDS=&jt_BADWORDS=&OPT='or'&JOBTITLE=&searchType=full&zipcode=&radius=9999&EMPLOYER=&Edu_Keywords=&RDfrom=&RDto=01/07/2013&FULLNAME=test&EX_C=1&JT_C=1&JT_B=1&EMAIL=&BOOL1=1&BOOL2=1&stateField='All'&CountryField='All'&sourcenames=0&RemovePrev=&my_thumbsup=&prev_sent_clients=&is_bounce_back=&is_refused=&getmarketproducts=&experience=&JOBINDUSTRY=&Specialization=&SubDiscipline=&Certification=&EDUCATION=&bool=1&seniority=&Sen_cur=1&sort=score,max_res_date&RemoveEmailed=&Removeemailed_Anyone=&experimental=1&paging_clicked=1
*/
  • Is it just javascript or does the same thing happen with meta refresh and cflocation? – Dan Bracuk Jan 07 '13 at 19:58
  • @DanBracuk My requirement is to redirect with javascript. I am not sure if it would happen with cflocation as well. – Adil Malik Jan 07 '13 at 20:04
  • 2
    Instead of disabling the browser protection, I would rather fix the problem. Do you know why IE is assuming a cross-site issue? Can you post some of your code? See this [IE8 XSS filter: what does it really do?](http://stackoverflow.com/questions/2051632/ie8-xss-filter-what-does-it-really-do). – Miguel-F Jan 07 '13 at 20:18
  • @Miguel-F That's where I am confused. I am redirecting within the domain. But still IE is applying `prevent cross-site scripting`. – Adil Malik Jan 07 '13 at 20:23
  • @Miguel-F I've added the code to OP. – Adil Malik Jan 07 '13 at 20:25
  • Is the purpose of your redirect simply to add query string params? Do those params contain javascript code? – Miguel-F Jan 07 '13 at 20:29
  • @Miguel-F On my page, I have pagination to show results. The purpose of the redirect is to take the user to the next page of the results. – Adil Malik Jan 07 '13 at 20:30
  • Is there any script (code) in that url? What are some example values for `val_1` and `val_2`? – Miguel-F Jan 07 '13 at 20:34
  • @Miguel-F .. I've added a sample URL in the Original Post. – Adil Malik Jan 07 '13 at 20:37
  • Have you tried encoding the string? Try something like this: `window.location = "index.html?" + encodeURIComponent("param1=val_1&param2=val_2");`. Here is a reference for you [Best practice: escape, or encodeURI / encodeURIComponent](http://stackoverflow.com/questions/75980/best-practice-escape-or-encodeuri-encodeuricomponent) – Miguel-F Jan 07 '13 at 20:43
  • 1
    @AdilMalik, even though your requirement is to relocate with js, trying other methods might help you isolate the problem. – Dan Bracuk Jan 07 '13 at 20:47
  • @Miguel-F encodeURIComponent converts & to hex as well. Because of this my server side language cannot parse the URL. I cannot decode the URL on the server side, as the app is very big and the URL is being used in thousands of places. – Adil Malik Jan 07 '13 at 21:15
  • I think the issue is with the parameters that contain the single-quote character. In your example: `OPT='or'&stateField='All'&CountryField='All'`. Can you remove that character from your params? They should not be necessary in the URL. – Miguel-F Jan 07 '13 at 21:19
  • @Miguel-F I tried escaping those characters and even removing them, but no luck. – Adil Malik Jan 07 '13 at 21:40
  • The same code is working on Chrome and FF. That's why I was trying to disable IE cross-site scripting check. I guess that would be the easiest and shortest solution. Any other solution will have to be done on my entire site. That is a nightmare of course. – Adil Malik Jan 07 '13 at 21:42
  • Dang! I thought for sure those single-quotes were the problem. Yes, IE is the only browser with that XSS check. Encoding the string might be the only answer but that will require decoding on the server. So back to your original question, from what I read the meta tag will not work but sending as a header should. Not sure why your `cfheader` did not work. Anyone else? – Miguel-F Jan 07 '13 at 21:49
  • Is just having the query string part of the URL - without any file part - actually valid? Or "valid as far as IE is concerned", anyhow? – Adam Cameron Jan 07 '13 at 21:53
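
The encoding idea raised in the comments, applied per parameter rather than to the whole query string so that the `&` and `=` separators stay literal and the server can still parse them, while characters such as `'` inside values are percent-encoded. This is an added example, not code from the question; it assumes the parameter names from the sample URL above and a server that decodes values with standard percent-decoding, and whether the IE filter stops triggering is not established in the thread.

```javascript
// Encode one key or value. encodeURIComponent leaves ' ( ) ! * unescaped,
// so those are percent-encoded explicitly (RFC 3986 style) to keep quotes
// out of the resulting URL.
function encodeStrict(s) {
  return encodeURIComponent(String(s)).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Build "k1=v1&k2=v2" with each key and value encoded separately.
// Encoding the whole string at once (the approach in the comments) would turn
// the "&" separators into "%26" and break server-side parsing.
function buildQuery(params) {
  return Object.keys(params)
    .map((k) => encodeStrict(k) + "=" + encodeStrict(params[k]))
    .join("&");
}

// Minimal server-style parser used to confirm the round trip.
function parseQuery(query) {
  const out = {};
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Redirect helper: only assigns window.location when run in a browser
// (note "window", not "windows"); returns the query for inspection/testing.
function redirectWithParams(params) {
  const query = "?" + buildQuery(params);
  if (typeof window !== "undefined" && window.location) {
    window.location = query;
  }
  return query;
}

// Constructed sample, taken from the parameter names in the question's URL.
const sampleParams = {
  grp: "3", set: "1", OPT: "'or'", stateField: "'All'",
  RDto: "01/07/2013", sort: "score,max_res_date",
};
```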
