Huge security vulnerability in web browser Internet Explorer 8
The latest version of Microsoft's browser, Internet Explorer 8, contains a bug that can enable attacks against websites that are otherwise safe.
The flaw resides in a protection added by Microsoft developers that is designed to prevent XSS (cross-site scripting) attacks against sites. The feature uses a technique known as “output encoding” that replaces harmful characters and values with safer ones. It is not clear how the protections can cause vulnerabilities, but it is mentioned that an attacker can exploit this problem to introduce XSS errors on a safe webpage. To mount a successful attack, an attacker has to find a flaw in the processing of the output encoding and then create a specific string. The XSS protections can also bring other undesirable results because they flag perfectly acceptable characters as potentially harmful. When Microsoft introduced the protections, it also created a way to override the feature (by adding the response header "X-XSS-Protection: 0"), but only a very small number of sites use it. Security experts are investigating the claims of vulnerability, and for more information users can read the original news story on The Register website.