Google Chrome Security: Multiple leading slashes in URLs may confuse some server-side XSS filters

Today i  reported a strange bug to the devs of the Chromium Project, look at the following lines of code :

<script src=http:\\\\\\\\\\\\\\\\\\\\\\\\\test.js> </script>


You see those leading slashes ? Do you think that this is an valid URL a Browser would process ? In fact it does not look like a valid one, but for Google  Chrome it is. As you can see in the picture the Url gets executed regardless of how many backslashes there were added.

Bildschirmfoto 2014-06-17 um 20.25.19
Feel free to try this out on your own, we set-up a site, head over to and  inspect the Javascript Console on your Google Chrome browser, you will see that the simple Javascript message (console.log(‘this is weird’);) has been executed. This technique also works if you only use one slash, a pretty weird szenario imho. If you check this on  Firefox the URL and the correspondig Javascript won’t get executed
Bildschirmfoto 2014-06-17 um 20.36.26
The questions arising at this point should be : Why does Google Chrome treats URL different then other Browsers ? Is this a security issue which could bypass XSS Filters ? With all this question marks in my head i went over to the Chromium site and requested a ne Issue, some hours later :
The repsonse from @tsepez from the chromium team was pretty clear :

“This is one of those cases where we’ve chosen to support broken pages rather than being strict about URL syntax.”

So in others words, it’s a wontfix.

What do you think about this issue ?

Let us know

All the best

Patrik Fehrenbach – IT-Securityguard


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.