Created attachment 222592
proof of concept of type-1 filter bypass
If there is a reflection in the attribute context of a <SOURCE> tag, it seems the taint is not inferred in the event handlers, and as a result, such a reflection case is not caught by your Type-1 XSS filter.
I understood that you only consider 1 parameter to be reflected, which is the case here.
tested on version: 32.0.1700.77
Thanks Fabien for the bug report.
Towards reducing the number of false positives, the XSS Auditor does not detect the injection of an inline event handler within a tag. "We believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed." (comment 0, bug #29944)
This isn't a security bug. We should look to fix the following XSS Auditor tests: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html.
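As an added illustration (not code from this bug thread or from Chromium), the following Python models the situation the reporter describes: a quote-free parameter reflected into an unquoted `src` attribute of a `<source>` tag adds an inline event handler without ever triggering the Auditor's quote heuristic, while quoting and escaping the attribute server-side leaves the same input inert. The `<video>`/`<source>` template, the sample value and the helper names are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: no single or double quote, but whitespace and '=' are
# present, which is the shape the quote heuristic does not flag.
SAMPLE_VALUE = "clip.mp4 onerror=handler()"


def render_unquoted(value: str) -> str:
    """Weak template: the parameter is reflected into an unquoted attribute."""
    return f"<video><source src={value} type=video/mp4></video>"


def render_quoted(value: str) -> str:
    """Hardened template: escape &, <, >, \" and ' and wrap the value in
    double quotes, so quote-free input cannot end the attribute value or
    start a new attribute."""
    return (
        f'<video><source src="{html.escape(value, quote=True)}" '
        f'type="video/mp4"></video>'
    )


class _SourceAttrs(HTMLParser):
    """Collect the attribute dict of every <source> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "source":
            self.attrs.append(dict(attrs))


def source_attributes(markup: str) -> list:
    parser = _SourceAttrs()
    parser.feed(markup)
    return parser.attrs


def injected_event_handlers(markup: str) -> list:
    """Defender-side check: names of on* attributes on <source> tags, i.e.
    inline event handlers the template never meant to emit."""
    return sorted(
        name
        for attrs in source_attributes(markup)
        for name in attrs
        if name.startswith("on")
    )
```

Running `injected_event_handlers` over the two renderings shows the unquoted template emits an `onerror` attribute from the sample value while the quoted one keeps the whole value inside `src`.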
The XSS Auditor is removed in Bug 230499.