的XSS称为 UTF-7 XSS 。

此编码 + ADw - 下呈现为< 和 + AD4 - 呈现为> 。这使攻击者可以注入

Under this encoding +ADw- renders as < and +AD4- renders as >. This makes it possible for an attacker to inject

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

，并由浏览器呈现和解释为

and have it rendered and interpreted by the browser as

<script>alert(document.location)</script>

。
旧版本的Internet Explorer自动检测字符集。因此，如果在响应头或元标记中没有指定字符集，则输出诸如 + ADw trick的序列输出，Internet Explorer将使用UTF-7使任何这样注入的脚本执行。这会导致XSS漏洞。

. Old versions of Internet Explorer auto detect the charset. Therefore, if no charset is specified in a response header or a meta tag then the output of sequences such as +ADw "trick" Internet Explorer into rendering the page using UTF-7 making any such injected script execute. This gives rise to the XSS vulnerability.