
Issue 628598


Issue metadata

Status: Duplicate
Merged: issue 257168
Owner: ----
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: XSS Auditor doesn't work for XML

Reported by soroush....@gmail.com, Jul 15 2016

Issue description

XSS Auditor of Google Chrome doesn't block XSS attacks in XML.
An example is shown below:
http://0me.me/demo/xss/xml/vuln.xml.php?input=<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>&//

An exploitation example has been shown here: 
http://sdl.me/XSSDemo/xss-xml-frames.html

Thanks
Soroush
 
Labels: -Restrict-View-SecurityTeam
Mergedinto: 257168
Status: Duplicate (was: Unconfirmed)
Thanks for the report. The XSS auditor is part of the HTML parser, and there are no plans to support XML.
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 22 2016

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
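
An added example, not part of the original thread or of Chromium's code: because the first reply states that the auditor lives in the HTML parser and will not cover XML, an endpoint that reflects input into an XML response has to encode that input server-side. The two handler functions and the sample input are constructed for illustration (hypothetical stand-ins for the reported endpoint); the check parses each response and lists any elements that end up in the XHTML namespace.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed input with the same shape as the parameter value in the report.
SAMPLE_INPUT = '<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>'


def render_unescaped(value):
    """Hypothetical handler: concatenates the parameter into the XML as-is."""
    return "<result><input>" + value + "</input></result>"


def render_escaped(value):
    """Same handler, with the parameter encoded as XML character data."""
    return "<result><input>" + escape(value) + "</input></result>"


def xhtml_elements(document):
    """Local names of all elements the XML parser places in the XHTML namespace."""
    prefix = "{" + XHTML_NS + "}"
    root = ET.fromstring(document)
    return [el.tag[len(prefix):] for el in root.iter() if el.tag.startswith(prefix)]


def reflected_text(document):
    """Text content of <input> after parsing (None if it holds child elements)."""
    return ET.fromstring(document).find("input").text


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        doc = render(SAMPLE_INPUT)
        print(name, "-> XHTML elements:", xhtml_elements(doc),
              "| text:", repr(reflected_text(doc)))
```

The same parse-and-list check can run in a regression test against real responses, so a template change that drops the encoding is caught before release.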
