Today I reported a strange bug to the devs of the Chromium Project. Look at the following lines of code:
<html> <script src="http:\\\\\\\\\\\\monitor.it-securityguard.com\\\\\\\\\\\\\test.js"> </script> </html>
You see those leading slashes? Do you think this is a valid URL a browser would process? In fact it does not look like a valid one, but for Google Chrome it is. As you can see in the picture, the script at that URL gets executed regardless of how many backslashes were added.
Feel free to try this out on your own: we set up a site, so head over to monitor.it-securityguard.com/test2.html and inspect the JavaScript console in your Google Chrome browser. You will see that the simple JavaScript message (console.log('this is weird');) has been executed. This technique also works if you use only one backslash, a pretty weird scenario imho. If you check this in Firefox, the URL and the corresponding JavaScript won't get executed.
The questions arising at this point should be: why does Google Chrome treat URLs differently than other browsers? Is this a security issue which could bypass XSS filters? With all these question marks in my head I went over to the Chromium site and filed a new issue; some hours later:
The response from @tsepez from the Chromium team was pretty clear:
“This is one of those cases where we’ve chosen to support broken pages rather than being strict about URL syntax.”
So in other words, it's a wontfix.
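Since the behaviour stays, the practical question for anyone writing a filter or allowlist around script sources is how to see the URL the way the browser does. The following is an added example, not code from the original post or from the Chromium project: it runs the post's backslash-laden string through Node's global URL class, which implements the WHATWG URL Standard (the standard codifies this leniency for "special" schemes such as http: backslashes are treated as slashes and the extra slashes after "http:" are skipped), and contrasts a raw string-prefix allowlist with one that decides on the parsed scheme and host. TRUSTED_HOST and the sample inputs are assumptions constructed for the demo.

```javascript
// Added example (not from the original post). Node's global URL class follows
// the WHATWG URL Standard, so its view of the string matches what a
// standards-conforming browser will request.

// Hypothetical host that the filter is meant to allow (assumption for the demo).
const TRUSTED_HOST = 'monitor.it-securityguard.com';

// Constructed inputs. The third is the exact src attribute from the post;
// String.raw keeps every backslash literal.
const SAMPLES = {
  plain: 'http://monitor.it-securityguard.com/test.js',
  oneBackslash: String.raw`http:\monitor.it-securityguard.com\test.js`,
  manyBackslashes: String.raw`http:\\\\\\\\\\\\monitor.it-securityguard.com\\\\\\\\\\\\\test.js`,
};

// What the browser will actually request, after the parser has mapped "\" to
// "/" and skipped the surplus slashes between "http:" and the host.
// Returns null for strings the parser rejects outright.
function normalize(src) {
  try {
    const u = new URL(src);
    return { href: u.href, protocol: u.protocol, hostname: u.hostname, pathname: u.pathname };
  } catch (e) {
    return null;
  }
}

// Naive allowlist: a raw string prefix. Only the canonical spelling passes, so a
// filter built this way never recognises the backslash variants as the same URL.
function naiveAllowed(src) {
  return src.startsWith(`http://${TRUSTED_HOST}/`);
}

// Parser-based allowlist: decide on the normalized scheme and host, i.e. on
// what the browser will load rather than on how the attribute was spelled.
function parsedAllowed(src) {
  const u = normalize(src);
  return u !== null && u.protocol === 'http:' && u.hostname === TRUSTED_HOST;
}

// Runs every sample through both checks and returns the results side by side.
function compare() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveAllowed(src), parsed: parsedAllowed(src), normalized: normalize(src) };
  }
  return out;
}

for (const [name, row] of Object.entries(compare())) {
  console.log(name, 'naive:', row.naive, 'parsed:', row.parsed, 'browser fetches:', row.normalized && row.normalized.href);
}
```

The naive check answers "false" for both backslash variants, which is the wrong kind of false: it means the filter simply did not understand the string, while the browser will still fetch test.js from the trusted host. Normalizing with the same parser the browser uses before comparing is what makes an allow- or deny-list decision meaningful.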
What do you think about this issue ?
Let us know
All the best
Patrik Fehrenbach – IT-Securityguard