On Chrome I'm getting the error "Refused to execute a JavaScript script. Source code of script found within request." after posting data that contains the name of the domain (also note the lack of JavaScript on either page).
badpage1.html:
<form action="/badpage2.html" method="post">
<input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/>
<input type="submit" name="submit"/>
</form>
badpage2.html:
<!DOCTYPE html>
<html>
<head>
<base href="http://www.w3.org/"/>
</head>
<body>
<img src="Icons/w3c_home" alt="">
</body>
</html>
If you go directly to badpage2.html the image will show, but if you go to it via badpage1.html, the image will not show (the base tag doesn't work).
Is this a bug in Chrome's XSS detection? And if it's not, how would I bypass this? It seems silly to encode the posted data just to bypass this filter.
EDIT:
In my case, the post value sent is used to update part of the content of the page. The problem is that if it happens to contain the domain name used in the <base> tag (as this example does), it triggers the XSS detection, which disables the <base> tag.
I found out that I can send the custom HTTP header X-XSS-Protection on the page that is being messed up by the protection.
I use the code below for my PHP solution:
<?php
// Must run before any output is sent, since header() cannot be called once the body has started.
// Tells Chrome's XSS Auditor not to filter this response.
header( "X-XSS-Protection: 0" );
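As an added example that is not part of the original post (and not Chrome's own code): a small JavaScript model of the check the XSS Auditor applied to <base> tags. The matching rules are an approximation and an assumption of this example: the auditor compared the text of each suspicious attribute in the response against the fully URL-decoded request (decoding repeatedly while the string got shorter), case-insensitively, and in filter mode blanked the matching attribute. Run with Node.js, it reproduces why the posted value href="http://www.w3.org/" disabled the <base> tag above, and why a response header of X-XSS-Protection: 0 stops that. The constants POSTED_BODY and BADPAGE2_HTML are constructed from the markup in the question.

```javascript
// Added example (not code from the original post): a simplified model of the
// check Chrome's XSS Auditor ran on <base> tags. The rules below approximate
// the auditor's behaviour (an assumption of this example, not Chrome's source);
// HTML-entity decoding of the request is left out.

// The auditor compared the response against the *fully* decoded request: it
// kept URL-decoding while the string got shorter, then turned '+' into spaces.
// A form submission percent-encodes the '%' signs in the hidden value, so a
// single decoding pass would not reproduce the behaviour seen in the post.
function fullyDecode(value) {
  let current = value;
  for (;;) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: stop and keep what we have
    }
    if (next.length >= current.length) break;
    current = next;
  }
  return current.replace(/\+/g, " ");
}

// Decoded values of every parameter in an application/x-www-form-urlencoded
// body such as "name=...&submit=Submit".
function decodedParams(body) {
  return body
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return fullyDecode(eq < 0 ? "" : pair.slice(eq + 1));
    });
}

// Every <base ...> tag in the markup together with the exact text of its href
// attribute (name, quotes and value), the snippet the auditor searched for.
function baseHrefSnippets(html) {
  const found = [];
  const tagRe = /<base\b[^>]*>/gi;
  const hrefRe = /\bhref\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;
  for (const tag of html.match(tagRe) || []) {
    const m = hrefRe.exec(tag);
    if (m) found.push({ tag, snippet: m[0] });
  }
  return found;
}

// Map the X-XSS-Protection response header to the auditor mode:
// no header -> "filter" (Chrome's default), "0" -> "off",
// "1" -> "filter" (erase the offending attribute), "1; mode=block" -> "block"
// (render nothing). Any other value is treated like a missing header here.
function auditorMode(headerValue) {
  if (headerValue === undefined || headerValue === null) return "filter";
  const parts = headerValue.split(";").map((p) => p.trim().toLowerCase());
  if (parts[0] === "0") return "off";
  if (parts[0] !== "1") return "filter";
  return parts.includes("mode=block") ? "block" : "filter";
}

// Run the check the way the browser did when the response arrived. Returns the
// markup that would actually be rendered and the attributes that were erased.
function auditResponse(requestBody, html, xssProtectionHeader) {
  const mode = auditorMode(xssProtectionHeader);
  if (mode === "off") return { mode, html, neutralized: [] };
  // The containment test was case-insensitive.
  const params = decodedParams(requestBody).map((p) => p.toLowerCase());
  let rendered = html;
  const neutralized = [];
  for (const { tag, snippet } of baseHrefSnippets(html)) {
    if (!params.some((p) => p.includes(snippet.toLowerCase()))) continue;
    neutralized.push(snippet);
    if (mode === "block") return { mode, html: "", neutralized };
    // Filter mode: blank the reflected href so the <base> tag does nothing,
    // which is why the relative <img src="Icons/w3c_home"> stopped resolving.
    rendered = rendered.replace(tag, tag.replace(snippet, 'href=""'));
  }
  return { mode, html: rendered, neutralized };
}

// Constructed sample input modelled on the post: the body that badpage1.html's
// form submits (the browser percent-encodes the '%' signs of the hidden value)
// and the markup of badpage2.html.
const POSTED_BODY =
  "name=href%3D%2522http%3A%2F%2Fwww.w3.org%2F%2522&submit=Submit";
const BADPAGE2_HTML =
  '<!DOCTYPE html>\n<html>\n<head>\n<base href="http://www.w3.org/"/>\n' +
  '</head>\n<body>\n<img src="Icons/w3c_home" alt="">\n</body>\n</html>\n';

// No header: Chrome erases the href and the image path no longer resolves.
const filtered = auditResponse(POSTED_BODY, BADPAGE2_HTML, undefined);
// The PHP fix from the post, header("X-XSS-Protection: 0"), leaves the page intact.
const untouched = auditResponse(POSTED_BODY, BADPAGE2_HTML, "0");

console.log(filtered.mode, filtered.neutralized, filtered.html.includes('<base href=""/>'));
console.log(untouched.mode, untouched.neutralized, untouched.html === BADPAGE2_HTML);
```

Two caveats for anyone copying the header fix. Sending X-XSS-Protection: 0 switches the auditor off for that whole response, so any value the page really does echo into its markup must be HTML-escaped server-side, since the browser heuristic is no longer there to catch a reflected payload. And the header only ever mattered to browsers that shipped this auditor; Chrome removed it in version 78, so on current Chrome the header is ignored and the symptom described in the question no longer occurs.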