Patrick Toomey

Ambiguous RFC Leads to Cross Site Scripting

Over the years I have noticed that IE exhibits some strange behavior with regard to how it does or does not URL-encode certain characters within an HTTP GET/POST request. Nearly every browser in existence encodes the ", <, and > characters, while IE doesn’t. This doesn’t tend to matter, except for when it does. When a query string is used to directly create a URL, one must be aware that IE does not automatically encode ", <, and >. At first I thought this was Microsoft not following the RFC, but it turns out it is probably just a poorly worded RFC. You can read my full write-up on the topic here.
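The risk described above, as an added example that is not part of the original write-up: a server that pastes the raw query string into a link, beside a version that does not rely on the browser having encoded it. The function names, the `/search` path and the sample query strings are constructed for illustration, and the hardened version goes beyond the three characters named above by percent-encoding everything outside a conservative safe set.

```javascript
// Constructed samples: the same query as sent by a browser that leaves
// ", < and > raw, and by a browser that percent-encodes them.
const RAW_FROM_NON_ENCODING_BROWSER = 'q="><b>injected</b>';
const RAW_FROM_ENCODING_BROWSER = 'q=%22%3E%3Cb%3Einjected%3C/b%3E';

// Vulnerable pattern: the raw query string is used directly to create a URL
// inside an href attribute, trusting the browser to have encoded it.
function buildLinkUnsafe(rawQuery) {
  return '<a href="/search?' + rawQuery + '">next page</a>';
}

// Percent-encode one code point as UTF-8 bytes.
function pct(ch) {
  return Array.from(new TextEncoder().encode(ch),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Encode every character outside a conservative safe set. Valid %XX escapes
// are kept as-is so input that was already encoded is not double-encoded;
// a stray % becomes %25.
function normalizeQuery(rawQuery) {
  return rawQuery.replace(
    /%[0-9A-Fa-f]{2}|[^A-Za-z0-9\-._~!$&()*+,;=:@\/?]/gu,
    m => (m.length === 3 ? m : pct(m)));
}

// HTML-escape for a double-quoted attribute (second layer: & is legal in a
// query string but must still be escaped in HTML).
function escapeAttr(s) {
  return s.replace(/[&"<>']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Hardened pattern: normalize the encoding server-side, then escape for the
// output context, regardless of which browser sent the request.
function buildLinkSafe(rawQuery) {
  return '<a href="/search?' + escapeAttr(normalizeQuery(rawQuery)) +
         '">next page</a>';
}

console.log(buildLinkUnsafe(RAW_FROM_NON_ENCODING_BROWSER));
console.log(buildLinkSafe(RAW_FROM_NON_ENCODING_BROWSER));
```

With the hardened version, both browsers' requests produce the same link, so the output no longer depends on client-side encoding behavior.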