CSS Encoding doesn't escape expression() for IE 7


The Anti XSS library fails to encode expression() so that it doesn't work in IE 7/8/9. IE ignores \28 when it is used instead of (, but it treats \000028 the same as (, which is what this library produces.
It would be nice if there was at least an option to use the \28 encoding for CSS so that IE didn't render expression() as CSS.
Closed Aug 2, 2011 at 6:15 PM by bdorrans
Close as duplicate
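The two escape forms named in the report, as an added example that is not code from the library or from the reporter. Under the CSS 2.1 escape rule (backslash, 1 to 6 hex digits, one optional whitespace) both forms decode to the same character, so a server-side check should inspect the decoded value and not depend on which form a given browser honours. All function names are hypothetical and the sample input is constructed.

```javascript
// Added example, not AntiXSS code. Function names are hypothetical.

// Encode every non-alphanumeric character with a caller-supplied escape builder.
function cssEncode(input, escapeOne) {
  return Array.from(input, ch =>
    /[A-Za-z0-9]/.test(ch) ? ch : escapeOne(ch.codePointAt(0).toString(16).toUpperCase())
  ).join("");
}

// Six-digit form the report says the library produces: "(" becomes "\000028".
function cssEncodeSixDigit(input) {
  return cssEncode(input, hex => "\\" + hex.padStart(6, "0"));
}

// Short form the report asks for: "(" becomes "\28 ". The trailing space ends
// the escape; without it "\28" followed by "1" would be read as U+0281.
function cssEncodeShort(input) {
  return cssEncode(input, hex => "\\" + hex + " ");
}

// Decode CSS escapes per CSS 2.1 section 4.1.3: a backslash plus 1-6 hex digits
// and one optional whitespace, or a backslash plus any other non-newline char.
function cssDecode(value) {
  const pattern = /\\([0-9a-fA-F]{1,6})(?:\r\n|[ \t\r\n\f])?|\\([^\r\n\f0-9a-fA-F])/g;
  return value.replace(pattern, (match, hex, literal) => {
    if (hex === undefined) return literal;
    const codePoint = parseInt(hex, 16);
    // U+0000 and out-of-range values map to the replacement character.
    return codePoint === 0 || codePoint > 0x10FFFF ? "\uFFFD" : String.fromCodePoint(codePoint);
  });
}

// Defensive check: decode first, then look for an expression( call.
function containsExpression(value) {
  return /expression\s*\(/i.test(cssDecode(value));
}

// Constructed sample value, used only to show the two encodings side by side.
const sample = "expression(1)";
console.log(cssEncodeSixDigit(sample)); // expression\0000281\000029
console.log(cssEncodeShort(sample));    // expression\28 1\29 
console.log(containsExpression(cssEncodeSixDigit(sample)), containsExpression(cssEncodeShort(sample)));
```

Rejecting any value for which `containsExpression` returns true removes the dependence on how a particular IE version parses each escape length.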


MehCFL wrote Jul 28, 2011 at 10:30 AM
