I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute. I'd like to share some detail about the tools the XSS Filter has at its disposal as they apply to defeating this sort of attack in a general sense.
Neutering is an attempt to cleverly target XSS as it may manifest on a given page. But one thing that often goes unnoticed is that the XSS Filter is actually empowered to take various different approaches to mitigate XSS. And it can do this on a per-heuristic basis. In other words, given any identified issue with the neutering approach for a heuristic, we are able to choose from various different possible mitigations (Eg: mode=block), specifically applied for that heuristic. In that way it is possible to disable attacks with a larger hammer as necessary, without forcing the XSS Filter to apply in any situations where it didn’t apply before.