Starred by 4 users
Status: WontFix
Closed: Sep 2011
Pri: 2
Type: Bug
Security: Google Chrome Anti-XSS filter circumvention
Reported by, Sep 14 2011
Google Chrome's built-in anti-XSS filter fails to sanitize JavaScript present in a GET request when the script is broken up into two, or more, GET parameters.

E.g.: <script>alert(1);/*&b=*/</script>

Due to the multi-line comment delimiters, any HTML, JavaScript and text present between the two parameters will be treated as comments of the injected script.

Chrome Version: 13.0.782.220
Operating System: Windows 7

A demo PHP page that does not sanitize GET parameters and prints them out in its response is available at:

Attached is a screenshot of the XSS bug in action

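The split-parameter reflection described in the report, as an added example that is not part of the bug report or of Chromium's code: a stand-in for the demo page (the template markup and parameter names a and b are assumptions of this example) reflects two parameters. The unsafe version shows the page markup between the two reflections being swallowed by the /* */ comment, the safe version applies HTML output encoding to every reflected value, which is the server-side fix the later comments point at (no reflection, no second injection point for a browser filter to miss), and a small log-review heuristic (this example's own, not the XSS auditor's logic) flags requests whose script-tag halves sit in different parameters.

```python
import html
from urllib.parse import parse_qsl

# Constructed sample query string modelled on the payload quoted in the report.
# The script is split across parameters a and b; the semicolon is percent-
# encoded so that every version of parse_qsl treats '&' as the only separator.
SPLIT_PAYLOAD_QUERY = "a=%3Cscript%3Ealert(1)%3B/*&b=*/%3C/script%3E"

# Minimal stand-in for the demo page: two reflected parameters with page
# markup between them (an assumption of this example, not the real demo page).
TEMPLATE = "<p>First: {a}</p><p>Second: {b}</p>"


def params_of(query):
    """Decode the query string into a dict of parameter -> value."""
    return dict(parse_qsl(query, keep_blank_values=True))


def render_unsafe(query):
    """Reflect each parameter verbatim, as the report's demo PHP page does."""
    p = params_of(query)
    return TEMPLATE.format(a=p.get("a", ""), b=p.get("b", ""))


def render_safe(query):
    """Same page with HTML output encoding applied to every reflected value;
    the '<' and '>' of the injected tags reach the browser as entities."""
    p = params_of(query)
    return TEMPLATE.format(a=html.escape(p.get("a", ""), quote=True),
                           b=html.escape(p.get("b", ""), quote=True))


def commented_out(page):
    """Return the text a JavaScript engine would treat as a comment in the
    rendered page: everything between the first '/*' and the next '*/'."""
    start = page.find("/*")
    end = page.find("*/", start + 2) if start >= 0 else -1
    return page[start + 2:end] if end >= 0 else ""


SCRIPT_MARKERS = ("<script", "</script", "/*", "*/")


def split_script_markers(query):
    """Log-review heuristic (this example's own, not Chrome's XSS auditor):
    map each parameter to the script markers it carries, so a script spread
    over several parameters shows up as markers in several entries."""
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        found = [m for m in SCRIPT_MARKERS if m in value.lower()]
        if found:
            hits[name] = found
    return hits


def is_split_script_request(query):
    """True when the opening and closing halves of a script tag live in
    different parameters, the pattern described in the report. A whole
    <script>...</script> inside one parameter is ordinary reflected XSS
    and is left to other rules."""
    hits = split_script_markers(query)
    opened = {n for n, m in hits.items() if "<script" in m}
    closed = {n for n, m in hits.items() if "</script" in m}
    return bool(opened) and bool(closed) and opened != closed


if __name__ == "__main__":
    page = render_unsafe(SPLIT_PAYLOAD_QUERY)
    print("unsafe page:", page)
    print("swallowed by the comment:", repr(commented_out(page)))
    print("safe page:", render_safe(SPLIT_PAYLOAD_QUERY))
    print("split-script request:", is_split_script_request(SPLIT_PAYLOAD_QUERY))
```

Running the block prints the unsafe page with the markup between the two reflections (`</p><p>Second: `) sitting inside the JavaScript comment, the encoded page in which no tag survives, and True for the heuristic. The heuristic is deliberately narrow: it only reports requests where a `<script` marker and a `</script` marker land in different parameters, which keeps it from re-flagging single-parameter payloads that other detection already covers.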
Comment 1 by, Sep 14 2011
Status: WontFix
Thank you for your report, but the XSS auditor is not intended to prevent this case.
Comment 2 by, Sep 16 2011
Labels: -Restrict-View-SecurityTeam -Pri-0 -Area-Undefined SecSeverity-None Pri-2 Area-WebKit
We don't know of a way to defend against cases where the attacker can inject the page in two places.

I am under the impression that the way of bypassing the Anti-XSS that I submitted last September (discussed in this thread) is no longer working. It is definitely good news :) but I am a bit surprised since this was tagged as "WontFix". Has something changed?

Comment 4 by, Jan 14 2012
You should still be able to exploit this vulnerability via another vector. The problem is that the site allows injection in two places, which isn't something we can defend against (although it appears we do catch this particular way of exploiting this site).
Hi Adam,

Thank you for your reply. I have already found two other ways around the current filter using the way of splitting the script in two variables. If the anti-XSS mechanism, however, is not meant to cope with two parameters, I guess they are of little value to you.

Best Regards
Project Member Comment 6 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 7 by, Mar 10 2013
Labels: -SecSeverity-None -Type-Security -Area-WebKit Cr-Content Type-Bug-Security Security-Severity-None
Project Member Comment 8 by, Mar 21 2013
Labels: -Security-Severity-None Security_Severity-None
Project Member Comment 9 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Labels: -Type-Bug-Security Type-Bug
Bulk unrestriction of Severity-none bugs.