UTF-7 XSS attacks in modern browsers
This exploit is only possible in old versions of Internet Explorer. Modern browsers will not auto detect the encoding as UTF-7.
OWASP:-
This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported.
Wikipedia:-
To mitigate this problem systems should perform decoding before validation and should avoid attempting to autodetect UTF-7. Older versions of Internet Explorer can be tricked into interpreting the page as UTF-7.
Chrome and Firefox seem to no longer support UTF-7 in any format. The HTML5 specification says:
User agents must support the encodings defined in the WHATWG Encoding standard. User agents should not support other encodings.
User agents must not support the CESU-8, UTF-7, BOCU-1 and SCSU encodings. [CESU8] [UTF7] [BOCU1] [SCSU]
Support for encodings based on EBCDIC is especially discouraged. This encoding is rarely used for publicly-facing Web content. Support for UTF-32 is also especially discouraged. This encoding is rarely used, and frequently implemented incorrectly.