The OWASP XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
An example that he provides is as follows:
<BR SIZE="&{alert('XSS')}">
I tried this on jsfiddle with Chrome and Firefox and I am not getting a JS popup. So, on which browsers / versions should this work?
URL:
http://jsfiddle.net/rL1z32xb/
You will need to rip out a copy of Netscape 4 to play it.
Newer versions of Netscape (and any other browser) do not allow the & operator.
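For a filter or scanner that still needs to recognise this legacy form, here is an added example (not from the posts above or from the OWASP page). It flags `&{` inside quoted attribute values and shows that encoding `&` as `&amp;` on output leaves no `&{` sequence behind. The function names and every sample tag except the BR one quoted in the question are constructed for illustration.

```javascript
// Constructed sample markup; only the first tag comes from the question.
const SAMPLE = [
  `<BR SIZE="&{alert('XSS')}">`,          // legacy JavaScript-entity form
  `<a href="/search?q=a&b={c}">ok</a>`,   // ordinary ampersand, must not be flagged
  `<td width='&{w};'>`,                   // same form, single-quoted value
];

// Matches name="value" or name='value' pairs inside a tag.
const ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*("([^"]*)"|'([^']*)')/g;

// Returns every quoted attribute whose value contains the "&{" entity opener.
function findJsEntities(html) {
  const hits = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const value = m[3] !== undefined ? m[3] : m[4];
    if (value.includes('&{')) {
      hits.push({ attr: m[1], value });
    }
  }
  return hits;
}

// Attribute-context output encoding. Because "&" becomes "&amp;", an
// untrusted "&{...}" can no longer be read as the start of an entity.
const ATTR_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Report which sample tags carry the legacy form.
for (const tag of SAMPLE) {
  const hits = findJsEntities(tag);
  console.log(hits.length ? 'FLAG ' : 'ok   ', tag);
}
```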