Your test page has an XSS "bug" (on purpose, I realize) which needs to be fixed in the page. Some browsers attempt to detect and filter XSS payloads found in the URL, but Firefox is not one of them. At the moment the only tool we offer to help sites prevent XSS is support for the Content-Security-Policy header. If your test site had a reasonable policy it would prevent all of these examples. Even the extremely lax policy "Content-Security-Policy: default-src *" would prevent this. I am not sure why your script didn't run in the first examples... I suspect it did run but threw errors which you might be able to see on the error console.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: xssfilter
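The comment above makes two points that are easy to check mechanically: a reflected parameter written into HTML unescaped is the bug to fix in the page, and even `default-src *` stops the inline `<script>` from running because inline script needs `'unsafe-inline'` (and a listed nonce or hash source disables that keyword again). The following Python is an added illustration, not code from the Bugzilla comment, from Mozilla or from the reporter's test site; the reflecting page, the `name` parameter and the `http://test.example/...` URL are constructed assumptions, and `inline_script_would_run` is a simplified model of the browser's decision, not a browser.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a page that reflects the "name" query parameter
# into its HTML, requested with a script tag in the URL (hypothetical host).
PAYLOAD_URL = "http://test.example/page?name=<script>alert(1)</script>"


def parse_csp(policy):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def csp_allows_inline_script(policy):
    """True if an inline <script> block may execute under this policy.

    script-src governs inline scripts; if it is absent, default-src is used;
    if both are absent, CSP places no restriction on scripts. Inline script
    requires the 'unsafe-inline' keyword, and that keyword is ignored when a
    nonce- or hash-source is also listed (CSP Level 2 behaviour).
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    if "'unsafe-inline'" not in sources:
        return False
    strict = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(strict) for s in sources)


def reflected_name(url):
    """Pull the reflected query parameter out of the request URL."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def render_vulnerable(url):
    """The test page as described: raw reflection, no CSP header."""
    return {"headers": {}, "body": "<p>Hello " + reflected_name(url) + "</p>"}


def render_csp_only(url):
    """Still reflects raw input, but sends the lax policy quoted in the comment."""
    return {"headers": {"Content-Security-Policy": "default-src *"},
            "body": "<p>Hello " + reflected_name(url) + "</p>"}


def render_fixed(url):
    """Escape the output *and* send a policy without 'unsafe-inline'."""
    return {"headers": {"Content-Security-Policy": "default-src 'self'"},
            "body": "<p>Hello " + html.escape(reflected_name(url)) + "</p>"}


def inline_script_would_run(response):
    """Model of the browser decision: an inline script tag is present in the
    body AND the policy (if any) permits inline script execution."""
    script_present = "<script>" in response["body"].lower()
    policy = response["headers"].get("Content-Security-Policy")
    return script_present and (policy is None or csp_allows_inline_script(policy))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("csp-only", render_csp_only),
                          ("fixed", render_fixed)):
        print(label, "-> inline script runs:",
              inline_script_would_run(render(PAYLOAD_URL)))
```

Running it prints that the inline script runs only for the unescaped page with no policy; `default-src *` alone already blocks it, matching the comment, but the output escaping in `render_fixed` is the actual fix, with the header acting as defence in depth for the next reflection that gets missed.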