An IP addresses such as 74.125.19.99 can be written in ambiguous ways such as 74.0x7d.023.99 (mixing decimal, octal, and hexadecimal notation) or 74.8196963. This is a trick used in phishing exploits.
SVG natively permits embedded scripts and event handlers. Firefox, Safari, Opera, Chrome support SVG image format.
xssed.com, a site dedicated to tracking publicly reported issues about HTML injection flaws, amassed over 50,000 entries in under two years.
The recently released Browser Security Handbook has revelations like these and a thorough review of browser quirks that can affect security.
This 60-page document provides a comprehensive comparison of a broad set of security features and characteristics in commonly used browsers, along with (hopefully) useful commentary and implementation tips for application developers who need to rely on these mechanisms, as well as engineering teams working on future browser-side security enhancements.
This is a great resource for web developers keen on building secure cross-browser applications. Remember your web application is as secure as you make it and the browser that it runs on.
In the security interest of users and for better standards compliance, developers should encourage users to upgrade to newer browsers.
The Handbook is currently a kind of beta and I hope the final version of this handbook has numbers for the Browser Comparison Tables for better readability & reference and a way to download it as a PDF for offline use.
The Microsoft ACE (Application Consulting & Engineering) Team's blog is another good resource on security for ASP.NET developers.