False Positive XSS Warning

Bug reports and enhancement requests
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

False Positive XSS Warning

Post by GµårÐïåñ »

Giorgio,

I just experienced an XSS warning on a page that I use regularly without any issue and that has never been a problem until the latest dev build. So I was wondering if you could take a look and see what happened. The content of that XSS error is private and sensitive, so I am going to send it to you via PM to look at, but if you can reply here, that would be great. If you need more than what you are getting in the PM, then tell me there and I will send you more. Thanks.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9

Re: False Positive XSS Warning

Post by GµårÐïåñ »

Giorgio, after I sent you the PM including the detailed message, you responded:

Giorgio Maone wrote:
Thank you.

Unfortunately it is a case of "XSS by design", hence the only way to "fix" it is hard-coding a work-around for Facebook plugins.

I decided to test it with XSS disabled. However, now it won't generate the error as before, but it also cripples the page and won't run the link/redirect either, so what is going on? If you tell NS not to screw with the XSS filtering and the options are disabled, shouldn't it allow it as-is? By not giving the error, it suggests that it is not checking, but from the aspect of functionality, it still leaves it broken.

Any ideas as to what's going on? Can this be fixed with an exception regex like the ones we use for google/wiki/etc?