Posting on behalf of User:Dispenser:
When POSTing data from the Toolserver to foundation wikis, the cross-domain POSTing triggers the XSS Filter in Internet Explorer 8 and 9. [1] When the filter is triggered, usually with a Preview or Diff, it sanitises the edit box of many non-alphanumeric characters, as seen in [2]. A regular user is unaware the edit box's contents were changed from those present in the diff. Additionally, earlier flaws in the mangling heuristics introduced a "universal XSS" vulnerability. [3][4]
The suggested solution is disabling the filter by setting the HTTP header X-XSS-Protection: 0 when submitting a form.
[1] http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
[2] http://en.wikipedia.org/w/index.php?diff=454843408
[3] http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf
[4] http://p42.us/ie8xss/wikipedia.png
Version: 1.17.x
Severity: normal