W001 - Obsolete HTML Tags

Description: RayQC Advanced scans the web application for the use of obsolete HTML tags and JavaScript methods.

Background: There is a number of obsolete HTML tags and connected JavaScript methods in Windows Internet Explorer 11.

More Information: http://msdn.microsoft.com/en-us/library/ff806183%28v=vs.94%29.aspx

Manual Remediation: Re-engineer the web application not to use the obsolete HTML tags anymore. With CSS and JavaScript the same functionality can be achieved.

W002 - DHTML Editing Control Compatibility

Description: RayQC Advanced scans the web application for the use of the ActiveX DHTML Editing Control.

Background: Since Windows Internet Explorer 5, the DHTML Editing Control has been available for HTML, Active Server Pages (ASP), ASP.NET pages, and for other documents accessed with HTTP. Due to security reasons, the support for this control was dropped by Microsoft since Windows Vista, which was shipped with Windows Internet Explorer 7. Web applications might fail to load the control if they have the save-for-scripting DHTML Editing control implemented (<Object ID="editor">). If this is the case, an image placeholder will be displayed. Additionally, exceptions might be thrown by any script that refers to the control. Because the script evaluation is terminated by script exceptions, other functions which are controlled by the script might also stop working.

More Information: http://msdn.microsoft.com/en-us/library/aa663363.aspx

Manual Remediation: Re-engineer the web application not to use the DHTML Editing Control anymore. There is a downloadable original control in a signed Windows Installer package called DHTMLEd.msi provided by Microsoft, which could be used if re-engineering is not practicable. (Caution: This is a workaround! The security risks identified by Microsoft will remain since the application itself is left unchanged.)

W003 - CreateElement() Method Compatibility

Description: RayQC Advanced scans the web application for angle brackets which are used in arguments passed to the createElement() method.

Background: An element node in the Document Object Model (DOM) hierarchy is created by the createElement() method. Since Windows Internet Explorer 9, the support for the use of angle brackets (< >) within the createElement() method has been dropped by Microsoft. If those characters are contained within the argument of the createElement() method, parts of the web application might fail to work.

More Information: http://msdn.microsoft.com/en-us/library/ff986077(v=VS.85).aspx

Manual Remediation: Re-engineer the web application not to use angle brackets in the createElement() method anymore. Pass the element name and use the setAttribute() method to set the values of the required attributes instead.

W004 - Obsolete arguments.caller

Description: RayQC Advanced scans the web application for the arguments.caller property.

Background: Prior to Windows Internet Explorer 9, along with the creation of argument objects, a property named "caller" was created. The reference to the argument object of the function which originally called the argument object was stored inside the property. Since Windows Internet Explorer 9 the arguments.caller property is no longer supported by Microsoft. The script error "object is null or undefined" will occur if a script tries to use this property. Because of this, parts of the web application might fail to work.

More Information: http://msdn.microsoft.com/en-us/library/gg622933(v=VS.85).aspx

Manual Remediation: Re-engineer the web application not to use the arguments.caller property anymore. Use the Windows Internet Explorer 8 Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W005 - Obsolete Document Object Model (DOM) Event Features

Description: RayQC Advanced scans the web application for the following DOM event features: attachEvent(), detachEvent(), createEventObject(), and fireEvent().

Background: The following DOM event features are no longer supported by Microsoft since Windows Internet Explorer 9: attachEvent(), detachEvent(), createEventObject(), and fireEvent().

More Information: http://msdn.microsoft.com/en-us/library/ff986080(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use the outdated DOM event features. There are W3C standard conform replacements which should be used instead.

W006 - Conditional Comments Compatibility

Description: RayQC Advanced scans the web application for conditional comments which are used to detect the version number of the Windows Internet Explorer. (Take care: This rule might detect false positives for web applications which use conditional comments to fix some well-known visual glitches for older Windows Internet Explorer versions!)

Background: There are non-standard conditional comments provided by the Windows Internet Explorer which are used to provide content which is optimized for a specific browser, for example, the use of specific HTML, CSS, or JavaScript code(<!--[if IE 7]> <p>You are using Windows Internet Explorer 7.</p> <![endif]-->). Web applications using conditional comments might serve incompatible content due to not recognizing Windows Internet Explorer 11 since the major version number has been changed in Windows Internet Explorer 11.

More Information: http://msdn.microsoft.com/en-us/library/ms537512(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use conditional comments. W3C proposals like JavaScript-based feature detection should be used instead.

W007 - Changed User-Agent String

Description: RayQC Advanded scans the web application for the use of the user-agent string for browser or system detection. The common Javascript frameworks jQuery, jQuery UI, Prototype, MooTools, and Cufon will not be scanned. (Take Care: This rule might detect false positives for web applications which use the user-agent string for adjunct purposes like statistical data collection)

Background: The user-agent string submits browser details, such as name, version number, running platform, etc., to the hosting server when accessing a web application (User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)). This information can be used to provide content which has been optimized for the specific browser. Some web applications might not recognize the user-agent string and therefore serve incompatible content, because the user-agent string has been changed in Windows Internet Explorer 11.

More Information: http://msdn.microsoft.com/en-us/library/cc848857%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application not to use the user-agent string, but to use feature support detection instead. Use the Windows Internet Explorer 7 Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W008 - Use of "onload" and "onreadystatechange" Event

Description: RayQC Advanced scans the web application for the attachment of both events ("onload" and "onreadystatechange") to one script element.

Background: The standard-based and interoperable load event for script elements has been introduced since Windows Internet Explorer 9. Before the introduction of Windows Internet Explorer 9, the only event for script elements that was supported was the non-interoperable "onreadystatechange" event. This event is still supported in Windows Internet Explorer to make sure existing websites are still compatible. For sites which register for both, "onload" and "onreadystatechange", events, there might be two callbacks now. This might lead to the production of unexpected results or failure of a part of the web application.

More Information http://msdn.microsoft.com/en-us/library/hh180173(v=VS.85).aspx

Manual Remediation: Re-engineer the web application to exclusively use the "onload" event for scripts that need a load event.

W009 - JavaScript Framework Compatibility

Description: RayQC Advanced scans the web application for the use of older versions of JavaScript frameworks which are not compatible with Windows Internet Explorer 11. jQuery (prior to 1.5.1), jQuery UI (prior to 1.6.8), MooTools (prior to 1.3), Prototype (prior to 1.7), and Cufon (prior to 1.09i) are the frameworks that will be scanned.

Background: Features to improve the standards for compliance and interoperability with other web browser were introduced and modified by Microsoft since Windows Internet Explorer 9. A lot of JavaScript frameworks have functions which rely on functions of earlier versions of Windows Internet Explorer. In Windows Internet Explorer 11, some well-known JavaScript frameworks might not work as they should. Most of these JavaScript frameworks already received updates to fix this. Nonetheless, there are still a lot of web applications where the older versions of these frameworks are still in use and which have not yet been updated.

More Information: http://msdn.microsoft.com/en-us/library/hh180175(v=VS.85).aspx

Manual Remediation: Ask the manufacturer to deliver a framework which is compatible to Microsoft Internet Explorer 11.

W010 - Unconventional Protocol Handlers

Description: RayQC Advanced scans the web application for the use of unconventional protocols in script redirections and hyperlinks.

Background: The prefix of the URL address refers to a protocol name (http://www.raynet.de for a HTTP protocol, javascript:alert('Welcome') for a JavaScript protocol). An application can be registered to a URL protocol. If this is the case, since Windows Internet Explorer 9, the Application Protocol Handler Dialog will be shown when the application is launched. This is a security feature which should protect users from executing an application containing dangerous or malicious content by accident. The dialog will be shown with each execution of the request until the dialog for this protocol has been disabled. The information, that a program which is not installed is required for the launch of the web application, will be shown if no application is registered to a URL protocol.

More Information: http://msdn.microsoft.com/en-us/library/dd565637(VS.85).aspx

Manual Remediation: Uncheck the Always ask before opening this type of address checkbox after using a link to prevent further displays of the Application Protocol Handler Dialog by Windows Internet Explorer 11. Portions of a web application might not work if no application is configured to handle a non-standard protocol.

W011 - Status Bar Text Changes

Description: RayQC Advanced scans the JavaScript properties window.status and window.defaultStatus for the use of scripts that change the status bar content.

Background: Since Windows Internet Explorer 7, web applications are no longer allowed to use scripts to configure the status bar in the internet or restricted zones. Because of this, calls to the JavaScript properties window.status or window.defaultStatus might silently fail. By this measure, attackers should no longer be able to spoof the status bar.

More Information: http://msdn.microsoft.com/en-us/ie/aa740486

Manual Remediation: Check the Allow status bar updates via script checkbox which you will find in the custom security level in the Internet Options setting in Windows Internet Explorer 11 to allow the configuration of the status bar by scripts which use the window.status and window.defaultStatus methods.

W012 - Obsolete Dynamic Properties

Description: RayQC Advanced scans the web application for obsolete dynamic properties in CSS or JavaScript code.

Background: Property values could be set as formulas, not only as constants, through the use of dynamic CSS properties since Windows Internet Explorer 5. Authors were provided with the ability to reference property values from other values by using a dynamic property and thereby offered an unparalleled flexibility when designing their webpages. But this also led to a damaging impact on standard compliance, performance, reliability, and security considerations. Dynamic properties are obsolete since Windows Internet Explorer 8.

More Information: http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Manual Remediation: Replace the dynamic properties functionality with JavaScript event listeners.

W013 - Conformity to the Request for Comments (RFC) Guidelines

Description: RayQC Advanced scans the web application for the use of URLs that do not meet the requirements of the RFC 3986 and 3987 guidelines.

Background: To prevent malformed URLs from fooling Windows Internet Explorer, the URL is parsed to assure that it meets the RFC guidelines after being entered into the address bar since Windows Internet Explorer 7. The web application will be allowed to appear with a restricted functionality if it fails to pass the verification process. This might lead to an unexpected behavior of the web application.

More Information: https://msdn.microsoft.com/en-us/library/dd565653(v=vs.85).aspx

Manual Remediation: Re-engineer the web application and make sure that all URLs used in the web application meet the requirements of the RFC 3986 and 3987 guidelines.

W014 - CSS Compatibility

Description: RayQC Advanced scans the web application for the use of CSS features which are not supported by Windows Internet Explorer 11.

Background: The support for the W3C CSS standard has been improved with each new release of Windows Internet Explorer (:focus {sRules} is supported by Windows Internet Explorer 11, but it is not supported by Windows Internet Explorer 7). There is a full compliance with CSS 2.1 and many CSS 3 features are supported in Windows Internet Explorer 11.

More Information: http://msdn.microsoft.com/en-us/library/cc351024(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use only CSS features which are supported by Windows Explorer 11.

W015 - XSLT (Extensible Stylesheet Language Transformations) Changes

Description: RayQC Advanced scans the web application for the use of unsupported XSLT elements. Legacy XSL namespaces, legacy stylesheets processing instructions, and XSLT output directives are the features that will be scanned.

Background: XSLT is used for the modification of XML documents and is a declarative language based on XML. The processing of XML and XSLT files has been modified for the improvement of conformation to the standards of other browsers and the compatibility to other browsers since Windows Internet Explorer 9. Chiefly, there have been changes to some of the non-standard behaviors relating to the processing of XSLT files. These might cause web applications to show unexpected behavior or a limited functionality.

More Information: http://msdn.microsoft.com/en-us/library/hh180178(v=vs.85).aspx

Manual Remediation: Re-engineer the web application by migrating to a compatible and standardized XSLT namespace. Microsoft has prepared some migration scenarios.

W016 - Obsolete Document Modes

Description: RayQC Advanced scans the web application for the use of Document Compatibility Modes.

Background: With document modes, a tool to maintain features which were supported by earlier versions of the browser was provided by Microsoft since Windows Internet Explorer 8. The edge mode, representing the highest possible support for modern standards, is the preferred mode in Windows Internet Explorer 11. Therefore, document modes have become obsolete and they should not be used any longer.

More Information: http://msdn.microsoft.com/en-us/library/ie/dn384051(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use Document Compatibility Modes.

W017 - Obsolete DirectX- based Filters and Transitions Reference

Description: RayQC Advanced scans the web application for the use of DirectX-based filters and transitions which are no longer supported in Windows Internet Explorer 11.

Background: Web developers were allowed to add multimedia-style effects to their webpages by the usage of a set of visual filters and transitions since Windows Internet Explorer 4.0. They are called DX filters because of their underlying implementation, DirectX, and their long-form syntax (filter:progid:DXImageTransform.Microsoft.Alpha(opacity=75)). There exists a standard-based alternative to common DX filters since Windows Internet Explorer 9.

More Information: http://msdn.microsoft.com/en-us/library/ms532853%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies.

W018 - Obsolete Vector Markup Language (VML) Elements

Description: RayQC Advanced scans the web application for the use of obsolete VML elements.

Background: VML, which was used to create vector graphics that were displayed in web applications, is no longer supported by Microsoft since Windows Internet Explorer 11.

More Information: http://msdn.microsoft.com/en-us/library/ie/hh801223%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies like e.g. Scalable Vector Graphics (SVG) format.

W019 - Microsoft Internet Explorer plug-in Compatibility in the Windows UI

Description: RayQC Advanced scans the web application for embedded content for which the use of external plug-ins is required.

Background: Windows Internet Explorer 11 offers two different ways of browsing. There is the Windows Internet Explorer in the Windows UI and there is the Windows Internet Explorer for the desktop, which are both using the same technology for the rendering of web applications. Even though, the behavior and feel might differ. For example, the Adobe Flash support is limited and other plug-ins, like Java applets, are not supported by the Windows Internet Explorer in the Windows UI. In the Windows internet Explorer 11 in the Windows UI web applications that use these technologies might not be able to work as anticipated.

More Information: https://msdn.microsoft.com/nl-be/library/hh920753(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies, which include supported HTML5 features, to work properly in Windows Internet Explorer 11 in the Windows UI.

W020 - XML Data Islands Compatibility

Description: RayQC Advanced scans the web application for the use of obsolete XML data islands.

Background: The support for XML data islands has been dropped by Microsoft since Windows Internet Explorer 10. They are now parsed in HTML in order to improve compatibility and compliance with HTML5. Pages which are written for Windows Internet Explorer or pages that use browser sniffing to modify their behavior in Windows Internet Explorer will be influenced by this.

More Information: http://msdn.microsoft.com/en-us/library/ie/hh801224(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use XML data islands but to use other technologies instead.

W021 - Obsolete VBScript Code

Description: RayQC Advanced scans the web application for the use of VBScript code.

Background: VBScript code is no longer supported as scripting language for Windows Internet Explorer since Windows Internet Explorer 11. If displayed in the edge mode, web applications will not execute VBScript code.

More Information: http://msdn.microsoft.com/en-us/library/ie/dn384057(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use JavaScript instead of VBScript.

W022 - JavaScript API Features

Description: RayQC Advanced scans the web application for the use of removed JavaScript API features.

Background: Some JavaScript API features have been removed by Microsoft since Windows Internet Explorer 11 (document.all, document.selection, etc.). This might lead to incorrect display or crashes if unhandled exceptions occur for applications which still rely on the removed standards.

More Information: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx#legacyAPIs

Manual Remediation: Re-engineer the web application to use the replacements of the removed JavaScript features (Removed API feature: document.all; Replacement feature: document.getElementByld).

W023 - Obsolete Prefixed Pointer Events

Description: RayQC Advanced scans the web application for JavaScript and CSS code using Microsoft pointer events.

Background: Pointer events with vendor prefixes (MSPointerCancel event, etc.) were introduced as a replacement of W3C Pointer Events since Windows Internet Explorer 10. The support for the prefixed versions of the pointer events and APIs was dropped by Microsoft since Windows Internet Explorer 11. The Microsoft prefixed version of the pointer events may be removed completely in future releases.

More Information: http://msdn.microsoft.com/en-us/library/ie/dn304886(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use the W3C Pointer Events instead of the obsolete prefixed versions of the pointer events (Prefixed pointer event: MSPointerDown event; W3C Pointer Event: pointerdown event).

W024 - Flexible Box Changes in CSS Script

Description: RayQC Advanced scans the web application for obsolete vendor prefixes in CSS flexible boxes.

Background: Flexible boxes with vendor prefixes (The "-ms-flex-wrap" property, etc.) were introduced by Microsoft since Windows Internet Explorer 10. W3C CSS properties have replaced the vendor prefixes in the flexible boxes since Windows Internet Explorer 11 and the support for the prefixed version was dropped by Microsoft.

More Information: http://msdn.microsoft.com/en-us/library/ie/dn265027(v=vs.85)

Manual Remediation: Re-engineer the web application not to use the removed CSS properties anymore, but to use their replacements instead ("-ms-flex-pack" property use the "justify-content" property instead of the "-ms-flex-pack" property, etc.).

W025 - Cross-browser plug-in Detection Compatibility

Description: RayQC Advanced scans the web application for the use of the window.ActiveXObject property.

Background: plug-ins and Internet media type properties (mimeTypes) are supported by the navigator object since Windows Internet Explorer 11. Likewise, it is not possible to find a plug-in if it is using the window.ActiveXObject property, because this property is hidden from the document Object Model (DOM).

More Information: http://msdn.microsoft.com/en-us/library/ie/dn423948(v=vs.85).aspx

Manual Remediation: Re-engineer the web application so that a replacement for the window.ActiveXObject property will be used.

W026 - Binary Elements Behaviors Binding

Description: RayQC Advanced scans the web application for binary behaviors which are no longer bound automatically.

Background: To provide greater consistency with other popular browsers, Internet Explorer does not automatically bind binary element behaviors.

More Information: http://msdn.microsoft.com/en-us/library/ff986078(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to not use manually binding controls.