The short answer is no.
The long answer is that the main issue is being able to detect XSS attacks in the first place. Doing so means that you have to scan incoming data, which you don't know how it's going to be used, for the presence of JavaScript. The former makes it extremely hard to figure out what should be called XSS and what not (e.g. this forum's posts, which undergo severe sanitisation before being sent to the database and before being rendered, do not have much to fear from most common cases of injected JavaScript). The latter is a major issue all by itself. Thanks to browsers tolerating totally crappy JavaScript constructs (not just non-standard, but outright broken!!) for almost two decades and the fuzzy nature of the language itself (anyone said "eval"?), detecting with certainty what is JavaScript and what's not is a monumental task. Combined with the lack of knowledge as to where the data will be used, this makes it nigh impossible to have any degree of certainty.
The XSSShield is this kind of completely fuzzy filter. It could either be made very tolerant (offering no protection) or very strict (throwing a lot of false positives). Ultimately, it became very strict in order to be useful. But this also made it throw too many false positives, making it a hindrance on sites with a forum. This is why we suggest turning it off.
Since logging can only be performed for attacks being blocked, you can't log XSS attacks without blocking them. Moreover, even if you could, would you be certain they are XSS attacks and not some legitimate request throwing a false positive?
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
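The trade-off described in the reply above, as an added example that is not part of the original post and not XSSShield's code: two hypothetical input filters (the patterns `tolerant` and `strict` are assumptions) are scored against constructed sample inputs, next to encoding at render time, which needs no guess about what counts as JavaScript.

```javascript
// Constructed sample inputs; "malicious" is the ground truth for this demo.
const samples = [
  { text: 'How do I add an onclick="..." handler to my button?', malicious: false },
  { text: 'Avoid eval(userInput) when parsing document.cookie', malicious: false },
  { text: '<script>alert(1)</script>', malicious: true },
  { text: '" onmouseover="alert(1)', malicious: true },
];

// Hypothetical rule sets (assumptions), not XSSShield's real patterns.
const tolerant = /<script\b[^>]*>/i;
const strict = /<\s*script|on\w+\s*=|eval\s*\(|document\.cookie|javascript:/i;

// Count legitimate posts blocked and malicious inputs let through.
function score(filter) {
  let falsePositives = 0, missed = 0;
  for (const { text, malicious } of samples) {
    const hit = filter.test(text);
    if (hit && !malicious) falsePositives++;
    if (!hit && malicious) missed++;
  }
  return { falsePositives, missed };
}

// Output-side alternative: encode for the HTML context at render time.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Encoded text can go in element content or a quoted attribute value.
function renderPost(text) {
  const safe = escapeHtml(text);
  return `<div class="post" title="${safe}">${safe}</div>`;
}

// True when no character that could open a tag or close the attribute survives.
function encodedIsInert(text) {
  return !/[<>"']/.test(escapeHtml(text));
}

console.log('tolerant:', score(tolerant));
console.log('strict:  ', score(strict));
console.log(samples.map((s) => renderPost(s.text)).join('\n'));
```

The strict filter blocks both legitimate forum questions, while the tolerant one lets the attribute-context input through; the encoded output keeps every post readable and inert in these two HTML contexts only.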