As described by Cesar's post, javascript: URIs in image tags and other elments still work in IE7/8 if the page you are xss-ing is contained within an iframe like so: