OWASP/owasp-java-encoder

Possible to inject expression property, resulting in an XSS attack in the IE browser when using certain document modes

vijaysn2702 opened this issue · 2 comments

If we use the CSS expression property, client-side code is getting executed even after applying CSS encoding.
Example: xss:expression(alert(1));
Do we need to validate properties like 'expression', and that url only contains http and https, before applying CSS encoding as per the cheat sheet? Or is the cheat sheet an older one?

Politely closing this out; it's a very old issue and IE is going away.
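
The validation the issue asks about, as an added example that is not part of the thread or of owasp-java-encoder: allow-list checks that run before CSS encoding, so a function-style value such as the reported `expression(...)` is rejected and URLs are limited to http and https. The class name, method names and the allow-list policy are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;

// Hypothetical helper (not part of owasp-java-encoder): validate first, encode second.
public class CssValueValidator {

    // Assumed policy: a value is a keyword, a hex colour, or a number with an
    // optional unit. Parentheses, colons, quotes and backslashes are not allowed,
    // so function-style values (expression(...), url(...)) can never match.
    private static final Pattern SIMPLE_VALUE = Pattern.compile(
            "^(?:[a-zA-Z-]{1,32}|#[0-9a-fA-F]{3,8}"
            + "|-?[0-9]{1,6}(?:\\.[0-9]{1,4})?(?:px|em|rem|%|pt)?)$");

    static boolean isSafeSimpleValue(String value) {
        return value != null && SIMPLE_VALUE.matcher(value).matches();
    }

    // Accept only absolute URLs with a host and an http or https scheme.
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return false;
            scheme = scheme.toLowerCase(Locale.ROOT);
            return scheme.equals("http") || scheme.equals("https");
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never repaired
        }
    }

    public static void main(String[] args) {
        // Constructed samples; the second value is the one quoted in the issue.
        String[] values = {"red", "xss:expression(alert(1));", "12px", "#ff00aa"};
        for (String v : values) {
            System.out.println(v + " -> " + (isSafeSimpleValue(v) ? "accept" : "reject"));
        }
        // Constructed sample URLs: only the first passes the scheme/host check.
        String[] urls = {"https://example.com/bg.png", "ftp://example.com/bg.png", "//example.com/x"};
        for (String u : urls) {
            System.out.println(u + " -> " + (isAllowedUrl(u) ? "accept" : "reject"));
        }
        // Accepted values would then be passed to Encode.forCssString / Encode.forCssUrl.
    }
}
```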