Issue 606638

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: XSS Chrome rendering considerations are not caused by a Filter XSS bypass

Reported by xiaopig...@gmail.com, Apr 26 2016

Issue description

Then the other details are in the attachment.


Chrome Version: [50.0.2661.87] + [beta]


Attachment: bug.docx (12.7 KB)

Comment 1 by rsesek@chromium.org, Apr 26 2016

I'm sorry, but can you please post your report in English rather than Chinese? Ideally the writeup would be in the bug tracker rather than in a .docx file, with your PoC files attached as .html or as a .zip.

Comment 2 by ClusterFuzz, May 2 2016

Labels: Untriaged-2
Components: Blink>SecurityFeature
The claim here appears to be that the XSS Auditor can be bypassed if the injection point is at the end of the page and represents a partial HTML tag: the Auditor will ignore the tag as invalid/incomplete, but that invalid/incomplete tag will get "fixed up" by the HTML normalization process later, creating valid HTML that leads to script execution.
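As an added illustration (not code from the report or from Chromium), the following is a simplified server-side check for the condition comment 2 describes, a response body that ends inside an incomplete tag, together with the output encoding that makes such a fragment inert. It is not the XSS Auditor's own heuristic; the function names and sample responses are my own.

```javascript
// Added example (not Chromium / XSS Auditor code): flag an HTML fragment that
// ends inside an unterminated tag, the shape the browser's HTML parser will
// later complete ("fix up") into a real element. Usable as a sanity check on
// reflected output or as a log-review heuristic for responses that place
// untrusted input near the end of the page.

// Returns the unterminated tag text if `html` ends inside a tag, else null.
function trailingUnclosedTag(html) {
  const lastOpen = html.lastIndexOf('<');
  if (lastOpen === -1) return null;
  // Only a real tag start counts: '<' followed by a letter, '/', '!' or '?'.
  if (!/^<[A-Za-z\/!?]/.test(html.slice(lastOpen, lastOpen + 2))) return null;
  const tail = html.slice(lastOpen);
  // Track attribute quotes so a '>' inside a quoted value does not count
  // as terminating the tag.
  let quote = null;
  for (let i = 1; i < tail.length; i++) {
    const ch = tail[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      return null; // tag is properly terminated
    }
  }
  return tail; // reached end of input while still inside a tag
}

// Output encoding that prevents the parser from treating reflected input as
// markup at all; this is the fix a page should apply, rather than relying on
// a client-side filter such as the XSS Auditor.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Constructed sample responses (not taken from the report).
const complete = '<p>Hello</p>';
const truncated = '<p>Hello</p><img src=';
console.log(trailingUnclosedTag(complete));  // null
console.log(trailingUnclosedTag(truncated)); // '<img src='
console.log(escapeHtml(truncated));          // '&lt;p&gt;Hello&lt;/p&gt;&lt;img src='
```

Note that this only addresses reflected markup in the server response; the document.write case discussed below is a DOM sink and must be fixed in the page's own script.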

Getting raw POC files would probably be even more useful than an English-language document.
I roughly Google-translated the document. The situation being described involves a document.write. If I understand correctly, XSS Auditor does not attempt to protect against DOM based XSS, right? If so, then this bug is probably WontFix.
Right, can we find out if it's a document fragment (document.write) vs a full page load?
The injected script is via document.write in the example.
Status: WontFix (was: Unconfirmed)
Reporter: if you can give us an example that doesn't use document.write, please feel free to re-open.
Yes, it could be a false report.

Comment 9 by sheriffbot@chromium.org, Aug 9 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic