Internet Explorer & "Spartan"/"Edge" XSS Filter Bypass Playground


Welcome to The Playground.

With the release of MS15-065, most of these no longer work; however, I am keeping this open and available for historical purposes.

I've compiled some examples of real-world functionality I've encountered that can be used to bypass Internet Explorer's (as well as "Spartan"/"Edge"'s) anti-Reflective Cross Site Scripting filter.
Play around with the deliberately vulnerable pages, and see for yourself how you can chain together a site's own functionality to reproduce the bypass.
Append .html to any .php extension to see the source of the .php file.
Example:

With the MS14-080 update, using two of the following pages has become slightly more difficult, but still possible. Those two pages are marked with an * character.


The main playground equipment:


Additional playground equipment: