
Issue 783618

Starred by 4 users

Issue metadata

Status: Fixed
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


XSSAuditor should filter "url" in IsURLParameter

Reported by, Nov 10 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. open
2. open this url, shouldn't show the content of ""

What is the expected behavior?
shouldn't show the content of ""

What went wrong?
bool HTMLParamElement::IsURLParameter(const String& name) {
  return DeprecatedEqualIgnoringCase(name, "data") ||
         DeprecatedEqualIgnoringCase(name, "movie") ||
         DeprecatedEqualIgnoringCase(name, "src");
}

"url" should be filtered too, because the object will get url from "'data','movie','src','url'".

    // HTML5 says that an object resource's URL is specified by the object's
    // data attribute, not by a param element. However, for compatibility, allow
    // the resource's URL to be given by a param named "src", "movie", "code" or
    // "url" if we know that resource points to a plugin.
    if (url_.IsEmpty() && (DeprecatedEqualIgnoringCase(name, "src") ||
                           DeprecatedEqualIgnoringCase(name, "movie") ||
                           DeprecatedEqualIgnoringCase(name, "code") ||
                           DeprecatedEqualIgnoringCase(name, "url"))) {
      url_ = StripLeadingAndTrailingHTMLSpaces(p->Value());

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 61.0.3163.100
Flash Version: non
Components: Blink>SecurityFeature>XSSAuditor
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: XSSAuditor should filter "url" in IsURLParameter (was: XSSAuditor ParamToken Filter)
Thanks for the report.

Comment 2 by, Nov 10 2017

Status: Assigned (was: Unconfirmed)

Comment 4 by, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by, Nov 10 2017

Issue 676992 has been merged into this issue.

Comment 6 by, Nov 13 2017

The following revision refers to this bug:

commit 8e0a1f6fb882612ed184d114dac94daca2b856a8
Author: Tom Sepez <>
Date: Mon Nov 13 19:34:02 2017

Unify IsURLParameter() logic between HTML{Object,Param}Element.cpp

Add missing case of "url" param name that triggered XSSAuditor bypass.
Make one corresponding change to keep behaviour as stable as possible.

Bug:  783618 
Change-Id: Ic74bf385d3604e6ff71221ae4104e88c2201e118
Reviewed-by: Daniel Cheng <>
Reviewed-by: Charlie Harrison <>
Commit-Queue: Tom Sepez <>
Cr-Commit-Position: refs/heads/master@{#516003}

Comment 7 by, Nov 13 2017

Status: Fixed (was: Assigned)
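
The mismatch described in the report, as an added example (not Chromium's code and not part of the original thread): it diffs the two parameter-name lists quoted above and puts a single shared predicate behind both checks. The helper names, the `Names` alias and the union list `kSharedUrlParamNames` are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

using Names = std::vector<std::string>;

// ASCII case-insensitive compare; stands in for Blink's
// DeprecatedEqualIgnoringCase (assumption: names are ASCII).
static bool EqualIgnoringCase(const std::string& a, const std::string& b) {
  return a.size() == b.size() &&
         std::equal(a.begin(), a.end(), b.begin(),
                    [](unsigned char x, unsigned char y) {
                      return std::tolower(x) == std::tolower(y);
                    });
}

static bool NameInList(const std::string& name, const Names& list) {
  return std::any_of(list.begin(), list.end(), [&](const std::string& n) {
    return EqualIgnoringCase(name, n);
  });
}

// The two name lists as quoted in the report above.
const Names kFilterNamesAsReported = {"data", "movie", "src"};
const Names kObjectFallbackNames = {"src", "movie", "code", "url"};

// Names the consumer accepts as a URL source that the filter never inspects.
Names UninspectedNames(const Names& filter, const Names& consumer) {
  Names gaps;
  for (const auto& name : consumer)
    if (!NameInList(name, filter)) gaps.push_back(name);
  return gaps;
}

// Hypothetical shared list (union of the two quoted lists) behind one
// predicate, so the filter and the element code cannot drift apart.
const Names kSharedUrlParamNames = {"code", "data", "movie", "src", "url"};
bool IsURLParameterShared(const std::string& name) {
  return NameInList(name, kSharedUrlParamNames);
}

int main() {
  for (const auto& n : UninspectedNames(kFilterNamesAsReported, kObjectFallbackNames))
    std::cout << "not inspected by filter: " << n << "\n";
  return UninspectedNames(kSharedUrlParamNames, kObjectFallbackNames).empty() ? 0 : 1;
}
```

The diff reports only which names differ between the two quoted snippets; a check like this fits a unit test that fails whenever one list gains a name the other lacks.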
