XSS Filter neuters SameOrigin POST in Edge only

Fixed Issue #17659494


Wolfgang R.
May 25, 2018
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Fixed in build #
Reported by 2 people

Sign in to watch or report this issue.

Steps to reproduce

With the newest update to Microsoft Edge 42.17134.1.0, i noted a strange behaviour with a simple webform
If the text in a textarea containes a link and the form ist submitted, in Edge, the “href” of the link is changed to “hr#f”

Demo: http://playground.meles.net/test_edge.php


2 attachments

Comments and activity

  • Code of the site should be an issue (just simple html + php):

    This is a Test containing a link. The Link doesn’t work aufter the post.

  • sorry… here ist the code:

    This ist a test with a link. The   [link](%e2%80%99https%3a//www.google.com%e2%80%99) doesn't work after the post.

    "; } ?>

  • Sorry, I’m not able to post my code (which is perfectly ok), so I uploaded a screenshot of my simple example “code.jpg”

  • The example works with all other Browser including previous Edge Versions.

  • Hi, I have the same issue… do you have some news about it?

  • Same problem here!

  • No, unfortunately not. Before posting here we have tried to contact the Microsoft support here, lost about half an hour on phone before they said we should post the issue here.

    For all that like to check it out: we have made a test page here:


  • Hi guys,I have solved it setting the header XSS

  • Microsoft Edge Team

    Changed Assigned To to “James M.”

    Changed Steps to Reproduce

    Changed Assigned To to “Mohamed S.”

    Changed Assigned To to “Amit J.”

    Changed Assigned To to “Arvind M.”

    Changed Assigned To from “Arvind M.” to “Rajat J.”

    Changed Status to “Confirmed”

    Changed Title from “href is changed into hr#f after submitting a form by post” to “XSS Filter neuters SameOrigin POST in Edge only”

    Changed Status from “Confirmed” to “In code review”

    Changed Status from “In code review” to “Fixed”

You need to sign in to your Microsoft account to add a comment.

Sign in