Without loss of generality, consider a page with the following PHP markup:

<!DOCTYPE html>
<html>
<body>
<?php echo $_GET["q"] ?><script>function dummy() {}</script>
</body>
</html>

Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".
<https://code.google.com/p/chromium/issues/detail?id=354109>
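Why the reflected value in the report above ends up executing, and why HTML-encoding the reflection on the server removes the problem regardless of the browser's auditor. This is an added example, not code from the bug report or from WebKit; renderPage() mirrors the PHP template in the report, and escapeHtml() and scriptBodies() are illustrative helpers using a simplified model of script parsing.

```javascript
// Added example, not from the bug report. renderPage() mirrors the PHP template
// in the report; escapeHtml() and scriptBodies() are illustrative helpers.

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the response the template in the report would send for a given q.
function renderPage(q, encode) {
  const reflected = encode ? escapeHtml(q) : q;
  return '<!DOCTYPE html> <html> <body> ' + reflected +
    '<script>function dummy() {}</script> </body> </html>';
}

// Simplified model of HTML script parsing: a script element's text runs from
// the end of its start tag to the first "</script", so a second "<script>"
// before that point is plain text inside the outer element.
function scriptBodies(html) {
  const bodies = [];
  const lower = html.toLowerCase();
  let pos = 0;
  while (true) {
    const open = lower.indexOf('<script', pos);
    if (open === -1) break;
    const start = lower.indexOf('>', open);
    if (start === -1) break;
    let end = lower.indexOf('</script', start + 1);
    if (end === -1) end = html.length; // unterminated script runs to end of input
    bodies.push(html.slice(start + 1, end));
    pos = end + 1;
  }
  return bodies;
}

const q = '<script>alert(/XSS/)'; // value from the report
// Raw reflection: one script element whose text starts with the reflected value
// and is closed by the page's own </script>.
console.log(scriptBodies(renderPage(q, false)));
// Encoded reflection: only the page's own script remains.
console.log(scriptBodies(renderPage(q, true)));
```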
<rdar://problem/16348414>
Created attachment 227218
Layout tests

DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.
(In reply to comment #3)
> Created an attachment (id=227218)
> Layout tests
>
> DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.

I should add that the contents of the included -expected.txt files need to be updated.
Fixed in Blink: <http://src.chromium.org/viewvc/blink?view=rev&rev=169697>
Committed r166202: <http://trac.webkit.org/changeset/166202>