False postive "Behavior:"

#### What is this feature about (expected vs actual behaviour)?

A false postive detection of an XSS.

#### How can I reproduce it?

Input: `a research paper Behavior: subtitle`

Actual: `a research paper `

Expected: `a research paper Behavior: subtitle` (no change to input)

#### Does it take minutes, hours or days to fix?

#### Any additional information?

Relates to https://html5sec.org/#behavior (`AntiXSS::$_never_allowed_call_strings`)

Workaround: `$antiXss->removeNeverAllowedCallStrings(['behavior']);`
If I understand html5sec correctly, this can be safely done if IE <= 8 are not supported?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

False postive "Behavior:" #129

What is this feature about (expected vs actual behaviour)?

How can I reproduce it?

Does it take minutes, hours or days to fix?

Any additional information?

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

False postive "Behavior:" #129

Description

What is this feature about (expected vs actual behaviour)?

How can I reproduce it?

Does it take minutes, hours or days to fix?

Any additional information?

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions