1

Closed

Css Encoding doesn't escape expression() for IE 7

description

The Anti XSS library fails to encode expression() so that they don't work for IE 7/8/9. IE ignores \28 when it is used instead of ( but it treats \000028 as the same as ( which is what this library produces.
 
It would be nice if there was at least an option to use the \28 encoding for CSS so that IE didn't render expression() as CSS.
Closed Aug 2, 2011 at 5:15 PM by bdorrans
Close as duplicate

comments

MehCFL wrote Jul 28, 2011 at 9:30 AM