When adding the below style attribute on a popular website in IE7 emulator nothing happened, but when I execute it from a trivial website in IE7 emulator it does get executed.
<body style="width: expression(alert())">
How can you prevent the expression from being executed?
As a mitigation against JavaScript being injected in unexpected places in modern browsers, use a content security policy. For instance, a CSP of script-src: none; will deny all JavaScript execution within your page, regardless of where it originated. More nuanced policies can be designed to allow JavaScript only from specific URIs, or only scripts with specific hashes.
HTC nor expression to be executed since it only works from IE11. But I agree it is a good first level of defense! Does your Javascript code gets executed when you deny javascript execution from self or is the self option for a JSF app?The feature you are talking about is called Dynamic Properties and is no longer supported as of IE8.
Dynamic properties (also called "CSS expressions") are no longer supported in Internet Explorer 8 and later, in IE8 Standards mode and higher. This decision was made for standards compliance, browser performance, and security reasons. Dynamic properties are still available in Internet Explorer 8 in either IE7 mode or IE5 mode. (For more information about document compatibility modes, see Defining Document Compatibility.) Because Internet Explorer 8 in IE8 mode is fully compliant with the Cascading Style Sheets, Level 2 Revision 1 (CSS2.1) standard, most dynamic properties written to work around Cascading Style Sheets (CSS)-related shortcomings in previous versions of Internet Explorer should no longer be needed. Other dynamic properties with more specific uses can generally be replaced with standard JavaScript.
