New issue
Advanced search Search tips
Starred by 4 users
Status: Fixed
Closed: Nov 13
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Show other hotlists

Hotlists containing this issue:

Sign in to add a comment
XSSAuditor should filter "url" in IsURLParameter
Reported by, Nov 10 Back to list
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. open
2. open this url, shouldn't show the content of ""

What is the expected behavior?
shouldn't show the content of ""

What went wrong?
bool HTMLParamElement::IsURLParameter(const String& name) {
  return DeprecatedEqualIgnoringCase(name, "data") ||
         DeprecatedEqualIgnoringCase(name, "movie") ||
         DeprecatedEqualIgnoringCase(name, "src");

"url" should be filted too, because the object will get url from "'data','movie','src','url'".

    // HTML5 says that an object resource's URL is specified by the object's
    // data attribute, not by a param element. However, for compatibility, allow
    // the resource's URL to be given by a param named "src", "movie", "code" or
    // "url" if we know that resource points to a plugin.
    if (url_.IsEmpty() && (DeprecatedEqualIgnoringCase(name, "src") ||
                           DeprecatedEqualIgnoringCase(name, "movie") ||
                           DeprecatedEqualIgnoringCase(name, "code") ||
                           DeprecatedEqualIgnoringCase(name, "url"))) {
      url_ = StripLeadingAndTrailingHTMLSpaces(p->Value());

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 61.0.3163.100
Flash Version: non
Components: Blink>SecurityFeature>XSSAuditor
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: XSSAuditor should filter "url" in IsURLParameter (was: XSSAuditor ParamToken Filter)
Thanks for the report.
Status: Assigned
Labels: Hotlist-EnamelAndFriendsFixIt
 Issue 676992  has been merged into this issue.
Project Member Comment 6 by, Nov 13
The following revision refers to this bug:

commit 8e0a1f6fb882612ed184d114dac94daca2b856a8
Author: Tom Sepez <>
Date: Mon Nov 13 19:34:02 2017

Unify IsURLParameter() logic between HTML{Object,Param}Element.cpp

Add missing case of "url" param name that triggered XSSAuditor bypass.
Make one corresponding change to keep behaviour as stable as possible.

Bug:  783618 
Change-Id: Ic74bf385d3604e6ff71221ae4104e88c2201e118
Reviewed-by: Daniel Cheng <>
Reviewed-by: Charlie Harrison <>
Commit-Queue: Tom Sepez <>
Cr-Commit-Position: refs/heads/master@{#516003}

Status: Fixed
Sign in to add a comment