XSS Auditor filter bypass with base64 encoding
Reported by
imda...@gmail.com,
Jun 27 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
While doing a penetration test for one of the clients, I came across a web page where the parameter value was in base64 and the same value was getting reflected on the web page as plain text. As part of my testing I created an XSS payload, encoded it into base64, and then the XSS got executed.

1) Let's say the URL is https://xyz.com/search.aspx?id="some base64 value which is reflecting back at response"
2) I converted that base64 value and encoded the XSS payload, i.e. <script>alert("xss")</script>, to PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4=
3) Using this, the XSS was getting executed.

Unfortunately I cannot provide a link to the URL as it is my client's. I have used Version 67.0.3396.87 (Official Build) (64-bit) for this testing, and the operating system is Windows 10. Let me know if I can provide you the redacted PoC for your reference.

What is the expected behavior?
I have gone through the XSS Auditor documentation and the expected behavior is that it should block the XSS execution, as the plain payload of the XSS is getting reflected into the response.

What went wrong?
I am really not sure, but it seems the XSS failed to block it because the payload was given in base64 and the web application converted that into real JavaScript.

Did this work before? N/A
Chrome version: 67.0.3396.87 Channel: n/a
OS Version: 10.0
Flash Version:
Jun 27 2018
Jun 28 2018
The issue seems to be a feature request. Hence, marking it as untriaged for further input from the dev team. Thanks...!!
Jun 29 2018
Hi. Actually this is a bug in the XSS Auditor, but since bugs in XSS auditors are not treated as security vulnerabilities, I have filed it as a security feature. Thanks
Jul 2
Not sure this is a case we actually want to deal with, given the transformation. Tom, mind taking a look?
Jul 2
In fact, we (kinda) call this out as a case we're not going to handle in https://www.chromium.org/developers/design-documents/xss-auditor
Jul 2
where it says "(e.g. encode the content as base64, such that it is not identified as a reflection)".
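The failure mode described in the report and in the design-document quote above, as an added example (not code from the bug report or from Chromium): a reflection-matching filter only flags inline script that also appears verbatim in the request, so a page that base64-decodes its parameter before echoing it leaves the filter nothing to match, while HTML-encoding the decoded value at output removes the injection regardless of any client-side filter. The host name, the `render` page model and the `reflection_filter_blocks` stand-in are assumptions made for the illustration.

```python
import base64
import html
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample input: the payload and its base64 form quoted in the report.
PAYLOAD = '<script>alert("xss")</script>'
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def make_url(param_value: str) -> str:
    # Hypothetical host standing in for the redacted client URL in the report.
    return "https://xyz.example/search.aspx?id=" + quote(param_value, safe="")


def render(url: str, decode_base64: bool, escape_output: bool) -> str:
    """Model of the reflecting page (an assumption, not the client's code).
    decode_base64 mirrors the app described in the report, which decodes the
    parameter before echoing it; escape_output is the server-side fix: HTML-encode
    the decoded value before it is written into the page."""
    raw = parse_qs(urlparse(url).query).get("id", [""])[0]
    value = base64.b64decode(raw).decode("utf-8", "replace") if decode_base64 else raw
    if escape_output:
        value = html.escape(value, quote=True)
    return f"<html><body>Results for: {value}</body></html>"


def reflection_filter_blocks(url: str, response_html: str) -> bool:
    """Simplified stand-in for a reflection-matching filter such as the XSS
    Auditor: an inline script in the response is flagged only when the same text
    also appears verbatim in the request. Any server-side transformation of the
    input (here, base64 decoding) breaks that match."""
    request_text = unquote(url)
    return any(m.group(0) in request_text for m in SCRIPT_RE.finditer(response_html))


def script_reaches_page(response_html: str) -> bool:
    return SCRIPT_RE.search(response_html) is not None


if __name__ == "__main__":
    plain, encoded = make_url(PAYLOAD), make_url(ENCODED)
    print("plain reflection blocked:", reflection_filter_blocks(plain, render(plain, False, False)))
    print("base64-decoded reflection blocked:", reflection_filter_blocks(encoded, render(encoded, True, False)))
    print("script present after output encoding:", script_reaches_page(render(encoded, True, True)))
```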
Comment 1 by viswa.karala@chromium.org, Jun 27 2018