With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS,there is no other viable solution than the one we have undertaken.

从Caja’s attack vector wiki开始：

Crafted CSS stylesheets can execute unsanitized javascript in the global scope on some browsers.

Background

CSS includes several mechanisms for changing the surrounding markup and executing expressions.

IE has an extension that allows execution of arbitrary javascript. The expression property is described at 07002

Using the power of dynamic properties,it is now possible to declare property values not only as constants,but also as formulas. … For scripting,a dynamic property can be any legal JScript or Microsoft Visual Basic Scripting Edition (VBScript) statement.
07003

binding allows binding to externally specified scripts
07004 & 07005

-moz-binding allows binding via the XML interface (also using data: URLs)

Assumptions

Untrusted code can generate style elements or style attributes or otherwise add arbitrary CSS rules and create DOM elements that trigger those rules.

Versions

IE 5 and later (but not IE 8 or later in “standards mode”).

Mozilla/Firefox,versions not known.