Facebook Javascript SDK results in XSS block on IE8 during stream publish
We recently switched our Facebook JS code to use the new JavaScript SDK. Previously stream publish would share to the user's wall correctly in all browsers, but with the new JS, any stream publish done in IE8 fires IE's XSS filter, and the post cannot be shared.
Are there any workarounds or known causes as to why IE8 acts this way during a stream publish?
I was able to fix this by using the deprecated attachment object when creating the stream publish. Weird...
It definitely depends on the data that gets passed in for the wall post. If there are too many "strange" characters, then IE believes it to be a cross-site scripting attack.
It seems that international characters are especially problematic: http://forum.developers.facebook.net/viewtopic.php?pid=324133
For me, there were no international characters and it was still failing. When I changed the URL to have no question marks or ampersands in it, the IE XSS warning stopped.
I would recommend avoiding any non-ascii-printable characters in the post title or description, and using as few non-alphanumeric characters as possible in your URLs.
Some developers say that Facebook could fix this if they added the header
X-XSS-Protection: 0
to some of their HTTP responses. You can vote for this bug if you'd like Facebook to address this issue on their end: http://bugs.developers.facebook.net/show_bug.cgi?id=12912
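An added example in JavaScript, not code from the original thread: a pre-flight audit and cleanup of the fields handed to the stream publish call, covering the two triggers the answers above report (non-printable-ASCII characters in the text, and `?`/`&` in the link). The field names `name`, `description` and `link`, and both function names, are assumptions.

```javascript
// Anything outside printable ASCII (0x20-0x7E): international and control characters.
const NON_PRINTABLE_ASCII = /[^\x20-\x7E]/g;
// Query-string and markup characters in the link that the thread reports as triggers.
const RISKY_URL_CHARS = /[?&<>"']/g;

// Return a list of human-readable warnings for a stream post object; empty means clean.
function auditStreamPost(post) {
  const warnings = [];
  for (const field of ['name', 'description']) {
    const hits = (post[field] || '').match(NON_PRINTABLE_ASCII);
    if (hits) warnings.push(`${field}: ${hits.length} non-printable-ASCII character(s)`);
  }
  const urlHits = (post.link || '').match(RISKY_URL_CHARS);
  if (urlHits) warnings.push(`link: contains ${[...new Set(urlHits)].join(' ')}`);
  return warnings;
}

// Return a copy of the post rewritten to the form the answers found safe:
// non-printable characters stripped from the text, and the query string and
// fragment dropped from the link. Dropping parameters changes where the link
// points, so any that are required must be carried in the path instead.
function sanitizeStreamPost(post) {
  const clean = { ...post };
  for (const field of ['name', 'description']) {
    if (clean[field]) clean[field] = clean[field].replace(NON_PRINTABLE_ASCII, '');
  }
  if (clean.link) clean.link = clean.link.split('?')[0].split('#')[0];
  return clean;
}

// Constructed sample post (not real data): accented text plus a link with a query string.
const samplePost = {
  name: 'Caf\u00e9 tonight \u266b',
  description: 'Join us',
  link: 'https://example.com/event?id=42&ref=fb',
};

console.log(auditStreamPost(samplePost));      // two warnings: name and link
console.log(sanitizeStreamPost(samplePost));   // cleaned copy, audit of it is empty
```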