Internet Explorer & "Spartan"/"Edge" Cross Site Scripting Filter Bypass Proof-of-Concepts
Each of the following Proof-of-Concepts is potentially vulnerable to a Cross Site Scripting injection via the "xss" parameter in the URL when viewed in the Internet Explorer (and "Spartan"/"Edge") browser (except for the "Exact Reflection" example).
Demos that only work pre-MS15-065 are marked as such.
Demos that only work pre-MS14-080 are marked as such.
An example external JavaScript file that will throw an alert() box is included for each demo.
If you wish to use your own external JavaScript file, each demo page has a tool that will properly encode its URL for you.
Not fixed
-
Double URL Decode
The injection is Double-URL-Decoded before being reflected. The injected JavaScript should execute automatically.
Go to the Double URL Decode demo
-
JavaScript Redirect (very rare)
The injection lands inside a JavaScript redirect. The injected JavaScript should execute when the user is redirected.
NOTE: This does not work in Internet Explorer 8, however it does work in Internet Explorer 9, 10, and 11.
Go to the JavaScript Redirect demo
Fixed by MS15-065
-
Vulnerable IFrame — pre-MS15-065-only
The injection lands in an iframe definition that loads the vulnerable page. The injected JavaScript should execute automatically.
Go to the Iframe demo
-
Vulnerable Form — pre-MS15-065-only
The injection lands in a form that is submitted to the vulnerable page. The injected JavaScript should execute when the form is submitted.
Go to the Form demo
-
Formaction — pre-MS15-065-only — Credit: @garethheyes from this blog post
The injection lands inside a vulnerable form. The injection should execute when the injected <button> with a formaction="vulnerable page" attribute is clicked.
Go to the Formaction demo
Fixed by MS14-080
These should still work in Internet Explorer 8 on Windows XP, and in Internet Explorer 9/10/11 browsers that have not been updated with MS14-080.
-
Vulnerable Page — pre-MS14-080-only
The injection lands on a vulnerable page. The injected JavaScript should execute when the link is clicked.
Go to the Page demo
-
Exact Reflection — pre-MS14-080-only
The webpage reflects the injection exactly without URL decoding any characters, thus preventing the use of the # character for decimal and hexadecimal injections. The injected JavaScript should execute when the user clicks on the link.
Go to the Exact Reflection demo
Fixed by MS15-XXX
It might be MS15-022, MS15-026, MS15-033, or MS15-036; the exact bulletin is not confirmed.
-
UTF-7 Charset Definition — Credit: @garethheyes from this blog post
The injection lands on a vulnerable page before the HTML 5 <meta charset="something"> or HTML 4.01 <meta http-equiv="content-type" content="text/html; charset=something"> definition, or on a page without one. The injection should execute automatically.
Go to the Charset Definition demo