Created attachment 222592: proof of concept of type-1 filter bypass

Hi,

If there is a reflection in the attribute context of a <SOURCE> tag, it seems the taint is not inferred in the event handlers, and as a result, such a reflection case is not caught by your Type-1 XSS filter.

e.g.:

    <?php global $_GET; print('<video><source '.$_GET['arg'].'></source></video>'); ?>

http://car-online.fr/en/CTF-tools/chrome_xss_2/?arg=onerror%3Dalert(1)

I understood that you only consider 1 parameter to be reflected, which is the case here.

Best,
tested on version: 32.0.1700.77
also tested: 32.0.1700.102
Thanks Fabien for the bug report. Towards reducing the number of false positives, the XSS Auditor does not detect the injection of an inline event handler within a tag. "We believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed." (comment 0, bug #29944)
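The pattern in the report, placed beside a hardened version, as an added example that is not part of the bug thread or of Chromium's code. Function names are my own; the point is that a server-side fix cannot rely on the auditor's "no quote in the request" heuristic, because an unquoted attribute list accepts a new event-handler attribute without any quote character at all.

```php
<?php
// Added example (not from the bug report): the reflection pattern from the
// report beside a hardened version. Function names are hypothetical.

// Vulnerable: the query parameter is concatenated straight into the attribute
// list of <source>, so a value such as "onerror=alert(1)" becomes a brand-new
// attribute. No single or double quote is needed, which is exactly the case
// the auditor's quote-based heuristic chose not to cover.
function render_source_unsafe(string $arg): string {
    return '<video><source ' . $arg . '></source></video>';
}

// Hardened: the untrusted value is only ever the *value* of a fixed attribute,
// the attribute is always double-quoted, and the value is entity-encoded with
// ENT_QUOTES so neither quote character can close the attribute early.
// With $src = 'onerror=alert(1)' this yields src="onerror=alert(1)", an inert
// (if useless) URL rather than an event handler.
function render_source_safe(string $src): string {
    $encoded = htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<video><source src="' . $encoded . '"></source></video>';
}

// Stricter still for a media URL: accept only a site-relative path (not a
// protocol-relative "//host" form) or an http(s) URL; anything else is
// rejected rather than reflected.
function media_src_or_null(string $src): ?string {
    if (preg_match('#^/(?![/\\\\])\S*$#', $src) === 1) {
        return $src;                       // site-relative path such as /clip.mp4
    }
    $scheme = parse_url($src, PHP_URL_SCHEME);
    if (in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return $src;
    }
    return null;
}

$arg = $_GET['arg'] ?? '';
$src = media_src_or_null($arg);
if ($src === null) {
    http_response_code(400);
    exit('invalid media source');
}
echo render_source_safe($src);
```

Run under any PHP 7.1+ web server and request the page with `?arg=onerror%3Dalert(1)`: the allow-list rejects the value with a 400, and even if the allow-list were dropped, `render_source_safe` keeps it inside a quoted, encoded `src` attribute where it cannot become an attribute of its own.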
This isn't a security bug. We should look to fix the following XSS Auditor tests: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html.
The XSS Auditor is removed in Bug 230499.