"Cross-site scripting" message when previewing email templates in IE

Knowledge Article Number 000199610
Description

NOTE: Beginning Summer ’15, we’ll discontinue support for Microsoft® Internet Explorer® versions 7 and 8. For these versions, this means that some functions may no longer work after this date. Salesforce Customer Support will not investigate issues related to Internet Explorer 7 and 8 after this date.

Cross-site scripting attacks are a type of online threat. They exploit vulnerabilities in web sites and the servers they rely on.

The attackers' aim is to inject malicious code into the web page in order to gain access to sensitive information entered by end-users. Information captured with this malicious code is then delivered to a server other than the one originally intended. 

To prevent these attacks, IE8 and IE9 have a feature called "XSS Filter". This feature can stop one website from injecting code into a different website.

When this feature is enabled and email templates include content that appears suspicious, end-users trying to preview their email templates may see a message that reads "Internet Explorer has modified this page to help prevent cross site scripting". The preview may also be completely blank or include extraneous characters (#, @, etc.) that are not entered in the actual template. Other data (merge fields, etc.) may also be missing.

To stop the message from appearing, and to get the preview to display correctly, try the following steps:

1. Open Internet Explorer, click on the gear icon (in IE9), then on "Internet Options".

2. In the "Internet Options" popup window, click on Security | Internet, then on the "Custom Level" button.

3. In the "Security Settings" popup window, look for "Enable XSS Filter" and select "Disable".


4. Click OK to close all the dialog windows.

5. Close and restart IE to apply your changes.
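
To confirm which zones the change in step 3 actually affected, the following added example (not part of the original article) reads the "Enable XSS Filter" setting for each Internet Explorer security zone from the registry. It assumes the standard Internet Explorer zone layout in the registry, where URL action 1409 holds this setting (0 = Enable, 3 = Disable); the function name `Get-XssFilterState` is hypothetical.

```powershell
# Added example: report the "Enable XSS Filter" setting (URL action 1409)
# for each IE security zone, from the user hive and from policy locations.
# Data values: 0 = Enable, 3 = Disable. A missing value means the zone default applies.

$zones = [ordered]@{
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'          # the zone changed in steps 2 and 3
    '4' = 'Restricted sites'
}

$roots = [ordered]@{
    'User setting'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'Machine policy' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-XssFilterState {
    param([string]$ZonesRoot, [string]$ZoneId)

    $key  = Join-Path $ZonesRoot $ZoneId
    # Returns $null when either the zone key or the 1409 value does not exist.
    $item = Get-ItemProperty -Path $key -Name '1409' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (zone default)' }

    switch ($item.'1409') {
        0       { 'Enabled' }
        3       { 'Disabled' }
        default { "Unexpected value $_" }
    }
}

$report = foreach ($source in $roots.Keys) {
    foreach ($id in $zones.Keys) {
        [pscustomobject]@{
            Source    = $source
            Zone      = $zones[$id]
            XssFilter = Get-XssFilterState -ZonesRoot $roots[$source] -ZoneId $id
        }
    }
}

$report | Format-Table -AutoSize
```

A "Disabled" entry under a policy source means the setting is managed centrally and the "Custom Level" dialog may not be able to change it.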
