The cross-site scripting enables malicious attackers to inject client-side script into web pages viewed by other users. As The Register reported in November, Internet explorer 8 contains a bug and can be exploited to introduce cross-site scripting. In other words the attacker can figure out a flaw in IE 8 as a result to create a specific string to tranformed into an actual attack on the web page.
For this reason Microsoft update IE 8 and contains a new feature to detect reflected cross-site scripting (XSS) vulnerabilities. This feature is the XSS filter that discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. After that, the web page has been modified and the XSS attack is blocked. The user of IE 8 can control the XSS filter using the Internet Control Panel.
Last but not least, recently disclosed reserch has identified a flaw with the XSS filter included with IE 8 that allows for XSS attacks against sites that would otherwise not be vulnerable to that particular attack. Microsoft has responded that they are continually updating the filter to address the changing nature of XSS attack vectors.
