Hi! Just wanted to share my finding. I’ve found a way to bypass Chrome’s anti-XSS filter. This bypass is universal, and it defeats Chrome’s XSSAuditor in all cases!
Title: Google Chrome Anti-XSS Filter Bypass
Affected Products: Google Chrome 43.0.2357.124 m (latest stable version)
Discovery Date: 16-06-15
Author: Yosi Ovadia (http://vulnerable.info/)
Payload: <svg><script>/<1/>alert(document.domain)</script></svg>
The issue was reported to the Chromium security team and was fixed within 5 hours. The team marked it as a significant bypass.