The IE9 XSS filter blocked reflected <script> tags, but it did not account for the defer attribute. A <script defer> tag containing the injected payload was not matched by the filter’s pattern, allowing the script to execute.

http://www.example.com/xss.aspx?xss=<script%20defer>alert(location)</script>

The defer attribute causes script execution to be delayed until after the document has finished parsing. The XSS filter’s signature matching happened at parse time and did not re-examine deferred scripts at execution time. Adding defer was enough to slip past the pattern match entirely.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.