XSSAuditor doesn't handle full set of html5 entities for punctuation.

third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

 /*
  * Copyright (C) 2011 Adam Barth. All Rights Reserved.
  * Copyright (C) 2011 Daniel Bates (dbates@intudata.com).
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 179 matching lines @@
 }
 
 static void truncateForSrcLikeAttribute(String& decodedSnippet)
 {
     // In HTTP URLs, characters following the first ?, #, or third slash may come from
     // the page itself and can be merely ignored by an attacker's server when a remote
     // script or script-like resource is requested. In DATA URLS, the payload starts at
     // the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,
     // DATA URLs may use the same string literal tricks as with script content itself.
     // In either case, content following this may come from the page and may be ignored
-    // when the script is executed.
+    // when the script is executed. Also, any of these characters may now be represented
+    // by the (enlarged) set of html5 entities.
     // For simplicity, we don't differentiate based on URL scheme, and stop at the first
-    // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
+    // & (since it might be part of an entity for any of the subsequent punctuation), the
+    // first # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
     int slashCount = 0;
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
         UChar currentChar = decodedSnippet[currentLength];
-        if (currentChar == '?'
+        if (currentChar == '&'

[Mike West, 2016/04/26 08:10:38]

Hrm. This might end up being a little overagressive. *shrug* Let's land it and
find out.

+            || currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
             || (currentChar == '<' && commaSeen)
             || (currentChar == '\'' && commaSeen)
             || (currentChar == '"' && commaSeen)) {
             decodedSnippet.truncate(currentLength);
             return;
         }
         if (currentChar == ',')
             commaSeen = true;
@@ skipping 566 matching lines @@
         }
         result = canonicalize(string.substring(startPosition, foundPosition - startPosition), NoTruncation);
         startPosition = foundPosition + 1;
     }
 
     return result;
 }
 
 bool XSSAuditor::isContainedInRequest(const String& decodedSnippet)
 {
+

[Mike West, 2016/04/26 08:10:38]

Nit: Newline?

[Tom Sepez, 2016/04/26 16:00:09]

Done.

     if (decodedSnippet.isEmpty())
         return false;
     if (m_decodedURL.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound)
         return true;
     if (m_decodedHTTPBodySuffixTree && !m_decodedHTTPBodySuffixTree->mightContain(decodedSnippet))
         return false;
     return m_decodedHTTPBody.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound;
 }
 
 bool XSSAuditor::isLikelySafeResource(const String& url)
@@ skipping 19 matching lines @@
 
 bool XSSAuditor::isSafeToSendToAnotherThread() const
 {
     return m_documentURL.isSafeToSendToAnotherThread()
         && m_decodedURL.isSafeToSendToAnotherThread()
         && m_decodedHTTPBody.isSafeToSendToAnotherThread()
         && m_httpBodyAsString.isSafeToSendToAnotherThread();
 }
 
 } // namespace blink