third_party/blink/web_tests/http/tests/security/xssAuditor/script-tag-with-comma-01.html - chromium/src.git - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <script>
         if (window.testRunner) {
             testRunner.dumpAsText();
             testRunner.setXSSAuditorEnabled(true);
         }
     </script>
 </head>
 <body>
     <iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=<script%20x='1&>&q2=1'>alert(String.fromCharCode(0x58,0x53,0x53,0x31))</script>"></iframe>
     <p>Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by
     concatenating them before passing the result to the application.  Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test
     passes if the XSSAuditor logs console messages and no alerts fire.</p>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.setXSSAuditorEnabled(true);
	}
	</script>
	</head>
	<body>
	<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=<script%20x='1&>&q2=1'>alert(String.fromCharCode(0x58,0x53,0x53,0x31))</script>"></iframe>
	<p>Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by
	concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test
	passes if the XSSAuditor logs console messages and no alerts fire.</p>
	</body>
	</html>