Jeff Williams wrong?
Granted, I'm currently a dilettante in this field, but if I'm reading the blog entry you linked correctly, Mr. Williams is wrong. No JavaScript is being injected into Twitter, and whilst a small portion of text that looks like CSS is 'injected' (which is to say posted perfectly normally), escaping everything that looks like it might be CSS is going to be pretty hard and probably have some false positives - if it's not outright impossible. Notwithstanding, of course, that when viewed by itself in a browser it's utterly harmless. The posted text isn't in a "CSS context" as Mr. Williams put it until an attacker uses the Twitter page as a stylesheet for his attack page. And the CSS doesn't have any JavaScript in it then, either.
The issue is that IE - when told that the Twitter page in question is a CSS file - tries to parse the page, and despite any number of issues that should prevent it from doing so, sticks pretty much the entire thing into an easily-accessible CSS property. That property can then be parsed by JavaScript on the attacker's site. That's pretty clearly an IE bug to me.
Perhaps Mr. Williams should have examined the sample exploit more carefully before commenting?