Location_replace() overflow exploit details

  • Description

    Internet Explorer has a buffer overflow bug in 'location.replace()'. If a long string is passed as the argument to 'location.replace()', a buffer overflow occurs.