add custom eslint no-regex-dot plugin, fix htmLawed bugs (now passes XSS test)

Vitaliy Filippov 2016-07-04 17:05:22 +03:00
parent a3e0d66939
commit 4d40399849
8 changed files with 696 additions and 32 deletions

35
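--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -0,0 +1,35 @@
+module.exports = {
+"env": {
+"commonjs": true,
+"es6": true
+},
+"extends": "eslint:recommended",
+"parserOptions": {
+"ecmaFeatures": {
+"experimentalObjectRestSpread": true
+}
+},
+"rules": {
+"indent": [
+"error",
+4
+],
+"linebreak-style": [
+"error",
+"unix"
+],
+"semi": [
+"error",
+"always"
+],
+"no-control-regex": [
+"off"
+],
+"no-empty": [
+"off"
+],
+"no-regex-dot": [
+"error"
+]
+}
+};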


@ -0,0 +1,80 @@
/**
* @fileoverview Rule to forbid . in regular expressions (it doesn't match newlines, [\s\S] should be used instead)
* @author Vitaliy Filippov
*/
"use strict";
//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
docs: {
description: "disallow . in regular expressions",
category: "Possible Errors",
recommended: true
},
schema: []
},
create: function(context) {
/**
* Get the regex expression
* @param {ASTNode} node node to evaluate
* @returns {*} Regex if found else null
* @private
*/
function getRegExp(node) {
if (node.value instanceof RegExp) {
return node.value;
} else if (typeof node.value === "string") {
var parent = context.getAncestors().pop();
if ((parent.type === "NewExpression" || parent.type === "CallExpression") &&
parent.callee.type === "Identifier" && parent.callee.name === "RegExp"
) {
// there could be an invalid regular expression string
try {
return new RegExp(node.value);
} catch (ex) {
return null;
}
}
}
return null;
}
/**
* Check if given regex string has . in it
* @param {String} regexStr regex as string to check
* @returns {Boolean} returns true if finds control characters on given string
* @private
*/
function hasDot(regexStr) {
return /(^|[^\\])(\\\\)*\./.test(regexStr);
}
return {
Literal: function(node) {
var computedValue,
regex = getRegExp(node);
if (regex) {
computedValue = regex.toString();
if (hasDot(computedValue)) {
context.report(node, "Unexpected . in regular expression, use [\\s\\S] instead");
}
}
}
};
}
};
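Review bot: `hasDot` in `function hasDot(regexStr)` reports a `.` that sits inside a character class, where it is already a literal, so a pattern like `[a-zA-Z\d.+\-]` is flagged and the commit works around it by escaping every such dot in htmLawed.js (`\d\.+`, `[^\/\.]`, `[A-Za-z0-9_\-\.:]`), which adds noise without changing what is matched. Walking the pattern while tracking whether a class is open removes those false positives, and skipping the character after a backslash keeps `\\.` (escaped backslash followed by a real dot) reported as before. The input is `regex.toString()`, so the leading `/` and the trailing `/flags` are scanned as well, but neither can contain a dot.
```javascript
function hasDot(regexStr) {
    // A "." only counts when it is unescaped and outside a [...] class.
    var inClass = false;
    for (var i = 0; i < regexStr.length; i++) {
        var c = regexStr[i];
        if (c === "\\") {
            i++; // skip the escaped character, whatever it is
        } else if (inClass) {
            if (c === "]") inClass = false;
        } else if (c === "[") {
            inClass = true;
        } else if (c === ".") {
            return true;
        }
    }
    return false;
}
```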

3
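--- a/htmLawed-test.js
+++ b/htmLawed-test.js
@@ -0,0 +1,3 @@
+const fs = require('fs');
+const htmLawed = require('./htmLawed.c.js');
+console.log(htmLawed.sanitize(fs.readFileSync(process.argv[2], { encoding: 'utf8' }), { safe: 1 }));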
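Review bot: `fs.readFileSync(process.argv[2], ...)` on the last line is called with `undefined` when the script is run without a path, which surfaces as a TypeError from fs rather than a usage message. A guard before the call such as `if (!process.argv[2]) { console.error('usage: node htmLawed-test.js <file>'); process.exit(1); }` makes the failure obvious and keeps the exit status non-zero.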


@ -1,6 +1,7 @@
// JS rewrite of http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
var htmLawed = {
var htmLawed = module.exports =
{
_flip: function(a)
{
var e = {};
@ -97,7 +98,7 @@ var htmLawed = {
if (C.safe && !C.schemes.style)
C.schemes.style = { '!': 1 };
C.abs_url = C.abs_url !== undefined ? C.abs_url : 0;
if (C.base_url === undefined || !/^[a-zA-Z\d.+\-]+:\/\/[^\/]+\/(.+?\/)?$/.exec(C.base_url))
if (C.base_url === undefined || !/^[a-zA-Z\d\.+\-]+:\/\/[^\/]+\/([\s\S]+?\/)?$/.exec(C.base_url))
C.base_url = C.abs_url = 0;
// config rest
C.and_mark = !C.and_mark ? 0 : 1;
@ -146,18 +147,18 @@ var htmLawed = {
t = htmLawed._strtr(t, x);
}
if (C.cdata || C.comment)
t = t.replace(/<!(?:(?:--.*?--)|(?:\[CDATA\[.*?\]\]))>/g, htmLawed.hl_cmtcd);
t = t.replace(/<!(?:(?:--[\s\S]*?--)|(?:\[CDATA\[[\s\S]*?\]\]))>/g, htmLawed.hl_cmtcd);
t = t.replace(/&/g, '&amp;').replace(/&amp;([A-Za-z][A-Za-z0-9]{1,30}|#(?:[0-9]{1,8}|[Xx][0-9A-Fa-f]{1,7}));/g, htmLawed.hl_ent);
if (C.unique_ids && !htmLawed.hl_Ids)
htmLawed.hl_Ids = {};
if (C.hook)
t = C.hook(t, C, S);
// main
t = t.replace(/<(?:(?:\s|$)|(?:[^>]*(?:>|$)))|>/m, htmLawed.hl_tag);
t = t.replace(/<(?:(?:\s|$)|(?:[^>]*(?:>|$)))|>/gm, htmLawed.hl_tag);
if (C.balance)
t = htmLawed.hl_bal(t, C.keep_bad, C.parent);
if ((C.cdata || C.comment) && t.indexOf("\x01") >= 0)
t = this._strtr({ "\x01": '', "\x02": '', "\x03": '&', "\x04": '<', "\x05": '>' });
t = htmLawed._strtr(t, { "\x01": '', "\x02": '', "\x03": '&', "\x04": '<', "\x05": '>' });
if (C.tidy)
t = htmLawed.hl_tidy(t, C.tidy, C.parent);
return t;
@ -235,7 +236,7 @@ var htmLawed = {
function getCont(intag)
{
var inOk;
var inOk = {};
if (cont.S[intag])
inOk = cont.S[intag];
else if (cont.I[intag])
@ -272,18 +273,19 @@ var htmLawed = {
if (cont.E[intag])
return (!perf ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
var inOk = getCont(intag);
var ok = [], q = [], ql; // q = seq list of open non-empty ele
var ok = {}, q = [], ql; // q = seq list of open non-empty ele
var _ob = '';
var r, s, e, a, x, p;
t = t.split('<');
for (var i = 0, ci = t.length; i < ci; i++)
{
// get markup
r = /^(\/?)([a-z1-6]+)([^>]*)>(.*)/.exec(t[i]);
r = /^(\/?)([a-z1-6]+)([^>]*)>([\s\S]*)$/.exec(t[i]);
if (!r)
x = t[i];
else
{
//s = r[1]; e = r[2]; a = r[3]; x = r[4];
[ , s, e, a, x ] = r; // FIXME ES6
// close tag
if (s)
@ -350,7 +352,7 @@ var htmLawed = {
}
}
// specific parent-child
else if (cont.S[p][e])
else if (cont.S[p] && cont.S[p][e])
{
if (!cont.E[e])
q.push(e);
@ -419,7 +421,7 @@ var htmLawed = {
// bad tags, & ele content
if (e && (perf == 1 || (ok['#pcdata'] && (perf == 3 || perf == 5))))
_ob += '&lt;'+s+e+a+'&gt;';
if (x != '')
if (x !== '' && x !== null)
{
if (x.trim().length > 0 && ((ql && cont.B[p]) || (cont.B[intag] && !ql))) // FIXME trim
_ob += '<div>'+x+'</div>';
@ -448,9 +450,8 @@ var htmLawed = {
hl_cmtcd: function(t)
{
// comment/CDATA sec handler
t = t[0];
var n = t[3] == '-' ? 'comment' : 'cdata';
var v = v = htmLawed.C[n];
var v = htmLawed.C[n];
if (!v) return t;
if (v == 1) return '';
if (n == 'comment')
@ -468,11 +469,10 @@ var htmLawed = {
},
ENT: { 'fnof':'402', 'Alpha':'913', 'Beta':'914', 'Gamma':'915', 'Delta':'916', 'Epsilon':'917', 'Zeta':'918', 'Eta':'919', 'Theta':'920', 'Iota':'921', 'Kappa':'922', 'Lambda':'923', 'Mu':'924', 'Nu':'925', 'Xi':'926', 'Omicron':'927', 'Pi':'928', 'Rho':'929', 'Sigma':'931', 'Tau':'932', 'Upsilon':'933', 'Phi':'934', 'Chi':'935', 'Psi':'936', 'Omega':'937', 'alpha':'945', 'beta':'946', 'gamma':'947', 'delta':'948', 'epsilon':'949', 'zeta':'950', 'eta':'951', 'theta':'952', 'iota':'953', 'kappa':'954', 'lambda':'955', 'mu':'956', 'nu':'957', 'xi':'958', 'omicron':'959', 'pi':'960', 'rho':'961', 'sigmaf':'962', 'sigma':'963', 'tau':'964', 'upsilon':'965', 'phi':'966', 'chi':'967', 'psi':'968', 'omega':'969', 'thetasym':'977', 'upsih':'978', 'piv':'982', 'bull':'8226', 'hellip':'8230', 'prime':'8242', 'Prime':'8243', 'oline':'8254', 'frasl':'8260', 'weierp':'8472', 'image':'8465', 'real':'8476', 'trade':'8482', 'alefsym':'8501', 'larr':'8592', 'uarr':'8593', 'rarr':'8594', 'darr':'8595', 'harr':'8596', 'crarr':'8629', 'lArr':'8656', 'uArr':'8657', 'rArr':'8658', 'dArr':'8659', 'hArr':'8660', 'forall':'8704', 'part':'8706', 'exist':'8707', 'empty':'8709', 'nabla':'8711', 'isin':'8712', 'notin':'8713', 'ni':'8715', 'prod':'8719', 'sum':'8721', 'minus':'8722', 'lowast':'8727', 'radic':'8730', 'prop':'8733', 'infin':'8734', 'ang':'8736', 'and':'8743', 'or':'8744', 'cap':'8745', 'cup':'8746', 'int':'8747', 'there4':'8756', 'sim':'8764', 'cong':'8773', 'asymp':'8776', 'ne':'8800', 'equiv':'8801', 'le':'8804', 'ge':'8805', 'sub':'8834', 'sup':'8835', 'nsub':'8836', 'sube':'8838', 'supe':'8839', 'oplus':'8853', 'otimes':'8855', 'perp':'8869', 'sdot':'8901', 'lceil':'8968', 'rceil':'8969', 'lfloor':'8970', 'rfloor':'8971', 'lang':'9001', 'rang':'9002', 'loz':'9674', 'spades':'9824', 'clubs':'9827', 'hearts':'9829', 'diams':'9830', 'apos':'39', 'OElig':'338', 'oelig':'339', 'Scaron':'352', 'scaron':'353', 'Yuml':'376', 'circ':'710', 'tilde':'732', 'ensp':'8194', 'emsp':'8195', 
'thinsp':'8201', 'zwnj':'8204', 'zwj':'8205', 'lrm':'8206', 'rlm':'8207', 'ndash':'8211', 'mdash':'8212', 'lsquo':'8216', 'rsquo':'8217', 'sbquo':'8218', 'ldquo':'8220', 'rdquo':'8221', 'bdquo':'8222', 'dagger':'8224', 'Dagger':'8225', 'permil':'8240', 'lsaquo':'8249', 'rsaquo':'8250', 'euro':'8364', 'nbsp':'160', 'iexcl':'161', 'cent':'162', 'pound':'163', 'curren':'164', 'yen':'165', 'brvbar':'166', 'sect':'167', 'uml':'168', 'copy':'169', 'ordf':'170', 'laquo':'171', 'not':'172', 'shy':'173', 'reg':'174', 'macr':'175', 'deg':'176', 'plusmn':'177', 'sup2':'178', 'sup3':'179', 'acute':'180', 'micro':'181', 'para':'182', 'middot':'183', 'cedil':'184', 'sup1':'185', 'ordm':'186', 'raquo':'187', 'frac14':'188', 'frac12':'189', 'frac34':'190', 'iquest':'191', 'Agrave':'192', 'Aacute':'193', 'Acirc':'194', 'Atilde':'195', 'Auml':'196', 'Aring':'197', 'AElig':'198', 'Ccedil':'199', 'Egrave':'200', 'Eacute':'201', 'Ecirc':'202', 'Euml':'203', 'Igrave':'204', 'Iacute':'205', 'Icirc':'206', 'Iuml':'207', 'ETH':'208', 'Ntilde':'209', 'Ograve':'210', 'Oacute':'211', 'Ocirc':'212', 'Otilde':'213', 'Ouml':'214', 'times':'215', 'Oslash':'216', 'Ugrave':'217', 'Uacute':'218', 'Ucirc':'219', 'Uuml':'220', 'Yacute':'221', 'THORN':'222', 'szlig':'223', 'agrave':'224', 'aacute':'225', 'acirc':'226', 'atilde':'227', 'auml':'228', 'aring':'229', 'aelig':'230', 'ccedil':'231', 'egrave':'232', 'eacute':'233', 'ecirc':'234', 'euml':'235', 'igrave':'236', 'iacute':'237', 'icirc':'238', 'iuml':'239', 'eth':'240', 'ntilde':'241', 'ograve':'242', 'oacute':'243', 'ocirc':'244', 'otilde':'245', 'ouml':'246', 'divide':'247', 'oslash':'248', 'ugrave':'249', 'uacute':'250', 'ucirc':'251', 'uuml':'252', 'yacute':'253', 'thorn':'254', 'yuml':'255' },
ENT_U: { 'quot':1, 'amp':1, 'lt':1, 'gt':1 },
hl_ent: function(t)
hl_ent: function(all, t)
{
// entity handler
var C = htmLawed.C;
t = t[1];
if (t[0] != '#')
{
return (C.and_mark ? "\x06" : '&')+(htmLawed.ENT_U[t] ? t : (htmLawed.ENT[t]
@ -507,7 +507,7 @@ var htmLawed = {
p = d+p;
if (c['*'] || /^[#;?]/.exec(p) || p.substr(0, 7) == d)
return b+p+a; // All ok, frag, query, param
var m = /^([^:?[@!$()*,=\/\'\]]+?)(:|&#(58|x3a);|%3a|\\\\0{0,4}3a)./i.exec(p); // '
var m = /^([^:?[@!$()*,=\/\'\]]+?)(:|&#(58|x3a);|%3a|\\0{0,4}3a)[\s\S]/i.exec(p); // '
if (m && !c[m[1].toLowerCase()]) // Denied prot
return b+d+p+a;
if (C.abs_url)
@ -523,15 +523,15 @@ var htmLawed = {
if (p.substr(0, 2) == '//')
p = C.base_url.substr(0, C.base_url.indexOf(':')+1)+p;
else if (p[0] == '/')
p = C.base_url.replace(/(^.+?:\/\/[^\/]+)(.*)/, '$1')+p;
p = C.base_url.replace(/(^[\s\S]+?:\/\/[^\/]+)([\s\S]*)/, '$1')+p;
else if (!/^[\.\/]/.exec(p))
p = C.base_url+p;
else
{
m = /^([a-zA-Z\d\-+.]+:\/\/[^\/]+)(.*)/.exec(C.base_url);
m = /^([a-zA-Z\d\-+\.]+:\/\/[^\/]+)([\s\S]*)/.exec(C.base_url);
p = (m[2]+p).replace(/\/\.\//g, '/');
while (/\/([^\/]{3,}|[^\/.]+?|\.[^\/.]|[^\/.]\.)\/\.\.\//.exec(p))
p = p.replace(/\/([^\/]{3,}|[^\/.]+?|\.[^\/.]|[^\/.]\.)\/\.\.\//g, '/');
while (/\/([^\/]{3,}|[^\/\.]+?|\.[^\/\.]|[^\/\.]\.)\/\.\.\//.exec(p))
p = p.replace(/\/([^\/]{3,}|[^\/\.]+?|\.[^\/\.]|[^\/\.]\.)\/\.\.\//g, '/');
p = m[1]+p;
}
}
@ -555,7 +555,7 @@ var htmLawed = {
{
// final $spec
var s = {};
t = t.trim().replace(/"(`.|[^\"])*"/g, function(m)
t = t.trim().replace(/"(`[\s\S]|[^\"])*"/g, function(m)
{
m = htmLawed._strtr(m[0], {';': "\x01", '|':"\x02", '~':"\x03", ' ':"\x04", ',':"\x05", '/':"\x06", '(':"\x07", ')':"\x08", '`"':'"'});
return m.substr(1, m.length-2);
@ -572,7 +572,7 @@ var htmLawed = {
for (_i = 0; _i < a.length; _i++)
{
v = a[_i];
m = /^([a-z:\-\*]+)(?:\((.*?)\))?/i.exec(v);
m = /^([a-z:\-\*]+)(?:\(([\s\S]*?)\))?/i.exec(v);
if (!m)
continue;
if (m[1] === '-*')
@ -929,7 +929,7 @@ var htmLawed = {
}
break;
case 2: // Val
m = /^((?:"[^\"]*")|(?:'[^\']*\')|(?:\s*[^\s"']+))(.*)/.exec(a);
m = /^((?:"[^\"]*")|(?:'[^\']*\')|(?:\s*[^\s"']+))([\s\S]*)/.exec(a);
if (m)
{
a = m[2].replace(/^\s+/, '');
@ -973,8 +973,11 @@ var htmLawed = {
{
if (v.indexOf('&#') >= 0)
v = htmLawed._strtr(v, htmLawed.STYLE_ENT);
v = v.replace(/(url(?:\()(?: )*(?:'|"|&(?:quot|apos);)?)(.+?)((?:"|'|&(?:quot|apos);)?(?: )*(?:\)))/gi, htmLawed.hl_prot);
v = C.css_expression ? v.replace(/\\\S|(\/|(%2f))(\*|(%2a))/gi).replace(/expression/gi, ' ') : v;
v = v.replace(/(url(?:\()(?: )*(?:'|"|&(?:quot|apos);)?)([\s\S]+?)((?:"|'|&(?:quot|apos);)?(?: )*(?:\)))/gi, function(m, m1, m2, m3)
{
return htmLawed.hl_prot([ m, m1, m2, m3 ]);
});
v = !C.css_expression ? v.replace(/\\\S|(\/|(%2f))(\*|(%2a))/gi, ' ').replace(/expression/gi, ' ') : v;
}
else if (TAG.NP[k] || k.indexOf('src') >= 0 || k[0] == 'o')
{
@ -1063,7 +1066,7 @@ var htmLawed = {
a.type = 'text/'+v.toLowerCase();
else if (k == 'name')
{
if (!a.id && /^[a-zA-Z][a-zA-Z\d.:_\-]*$/.exec(v))
if (!a.id && /^[a-zA-Z][a-zA-Z\d\.:_\-]*$/.exec(v))
a.id = v;
if (!(C.no_deprecated_attr == 2 || (e != 'a' && e != 'map')))
{
@ -1102,7 +1105,7 @@ var htmLawed = {
// unique ID
if (C.unique_ids && a.id)
{
if (!/^[A-Za-z][A-Za-z0-9_\-.:]*$/.exec(a.id) ||
if (!/^[A-Za-z][A-Za-z0-9_\-\.:]*$/.exec(a.id) ||
htmLawed.hl_Ids[a.id] && C.unique_ids == 1)
delete a.id;
else
@ -1153,7 +1156,7 @@ var htmLawed = {
{
var a2 = '';
var m;
while ((m = /(^|\s)(color|size)\s*=\s*('|")?(.+?)(\3|\s|$)/i.exec(a))) // '
while ((m = /(^|\s)(color|size)\s*=\s*('|")?([\s\S]+?)(\3|\s|$)/i.exec(a))) // '
{
a = a.replace(m[0], ' ');
m[4] = m[4].trim();
@ -1196,9 +1199,9 @@ var htmLawed = {
{
return m[1]+htmLawed._strtr(m[3], {'<': "\x01", '>':"\x02", "\n":"\x03", "\r":"\x04", "\t":"\x05", ' ':"\x07"})+m[4];
};
t = t.replace(/(<(!\[CDATA\[))(.+?)(\]\]>)/g, _repl)
.replace(/(<(!--))(.+?)(-->)/g, _repl)
.replace(/(<(pre|script|textarea)[^>]*?>)(.+?)(<\/\2>)/g, _repl)
t = t.replace(/(<(!\[CDATA\[))([\s\S]+?)(\]\]>)/g, _repl)
.replace(/(<(!--))([\s\S]+?)(-->)/g, _repl)
.replace(/(<(pre|script|textarea)[^>]*?>)([\s\S]+?)(<\/\2>)/g, _repl)
.replace(/\s+/g, ' ');
if (w == -1)
return htmLawed._strtr(t, {"\x01":'<', "\x02":'>', "\x03":"\n", "\x04":"\r", "\x05":"\t", "\x07":' '});
@ -1281,5 +1284,3 @@ var htmLawed = {
return '1.1.22';
}
};
console.log(htmLawed.sanitize('<a href="javascript:alert()">aahah</a>'));
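Review bot: In the hunk starting at `if (cont.E[intag])`, the context line `return (!perf ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));` calls `replace` on the `htmLawed` object rather than on the text, so with a truthy `perf` an empty element throws a TypeError instead of escaping its content (unless a `replace` method is defined on htmLawed outside this view). The PHP original applies the replacement to the text itself, so this should most likely read `return (!perf ? '' : t.replace(/</g, '&lt;').replace(/>/g, '&gt;'));`. The enclosing hl_bal function starts and ends outside the hunk. The new guard `if (x !== '' && x !== null)` in the later hunk is harmless, but `x` is always a string there (either `t[i]` or capture group 4 of a pattern that always matches), so the null test never fires.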

454
htmLawed_TESTCASE.txt Normal file

@ -0,0 +1,454 @@
/*
htmLawed_TESTCASE.txt, 27 February 2016
htmLawed 1.1.22, 5 March 2016
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
*/
This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.
************************************************
when viewing this file in a web browser, set the
character encoding to Unicode/UTF-8
************************************************
--------------------- start --------------------
<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br />
<h6>Attributes</h6>
<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br />
<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled />, <input type="text" disabled="DISABLED" />, <input type="text" disabled="1" /><br />
<strong>Required:</strong> <img />, <img alt="image" /><br />
<strong>Quote & space variation:</strong> <a id=id1 name=xy>a</a>, <a id='id2' name="xy">a</a>, <a id=' id3 ' name = "n" >a</a><br />
<strong>Invalid:</strong> <a id="id4" src="s">a</a><br />
<strong>Duplicated:</strong> <a id="id5" id="id6">a</a><br />
<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr noshade="noshade" /><br />
<strong>Casing:</strong> <a HREF=""></a><br />
<strong>Custom:</strong> <img alt="image" my:data="portrait" /><br />
<strong>Data-*:</strong> <a data-xml="x" data-xmnt="x" data-xmlnt="x" data-xmn:t="x" data-xmxm="x">a</a><br />
<strong>Admin-restricted?:</strong> <a href="x" onclick="alert();"></a>
<h6>Attribute values</h6>
<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a id="id8"></a><br />
(try 'my_' for prefix)<br />
<strong>Double-quotes in value:</strong><a title=ab"c"></a>, <a title="ab"c"></a>, <a title='ab"c'></a><br />
(try filter for CSS expression)<br />
<strong>CSS expression</strong>: <div style="prop:expression();"></div><div style="prop:expression()"></div><div style="prop: expression();"></div><div style="prop : expression()"></div><div style="prop:expression(js);"></div><div style="prop:expression(js;)"></div><div style="prop: expression('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop&#x3a;expression( 'js&#x40; );"></div><br />
<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br />
(try 'maxlen', 'maxval', etc., for 'input' in '$spec')
<h6>Blockquotes</h6>
<blockquote>abc</blockquote><br />
<blockquote>abc<div>def</div></blockquote><br />
<blockquote><div>abc</div>def</blockquote><br />
<blockquote>abc<div>def</div>ghi</blockquote><br />
abc<div>def</div>ghi<br />
<blockquote>QQQ<div>x</div><!-- comment --></blockquote><br />
<blockquote><div>x</div><!-- comment -->QQQ</blockquote><br />
<blockquote><!-- comment --><div>x</div>QQQ<div>x</div></blockquote><br />
<blockquote><div>x<!-- comment --></div>QQQ</blockquote><p>x</p><br />
<br />
(try with blockquote parent)
<h6>CDATA sections</h6>
<strong>Special characters inside:</strong> <![CDATA[ ]]> ]]>, <![CDATA[ 3 < 4 > 3.5, & 4 &gt; 4 ]]><br />
<strong>Normal:</strong> <![CDATA[ check ]]>, <em>CDATA follows:<![CDATA[ check ]]></em><br />
<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, <![CDATA check ]]>, < ![CDATA check ] ]><br />
<strong>Invalid:</strong> <em <![CDATA[ check ]]>>CDATA in tag content</em>, <table><![CDATA[ check ]]><tr><td>text not allowed</td></tr></table>
<h6>Complex-1: deprecated elements</h6>
<center>
The PHP <s>software</s> script used for this <strike>web-page</strike> webpage is <font style="font-weight: bold " face=arial size='+3' color = "red ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>.
</center>
<h6>Complex-2: deprecated attributes</h6>
<img src="s" alt="a" name="n" /><img src="s" alt="a" id="id9" name="n" />
<br clear="left" />
<hr noshade size="1" />
<img name="id10" src="s" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" />
<table width="50em" align="center" bgcolor="red">
<tr>
<td width="20%">
<div align="center">
<h3 align="right">Section</h3>
<p align="right">Para</p>
<ol type="a" start="e"><li value="x"><a name="x">First</a> <a name="x" id="id11">item</a></li></ol>
</div>
</td>
<td width="*">
<ol type="1"><li>First item</li></ol>
</td>
</tr>
</table>
<br clear="all" />
<h6>Complex-3: embed, object, area</h6>
<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ"></param><embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed></object><br />
<embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed><br />
<object data="1.gif" type="image/gif" usemap="#map1"><map name="map1">
<p>navigate the site: <a href="1" shape="REct" coOrds="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p>
<area href="5" shape="Rect" coords="0,0,118,28">
</map></object>
<param name="name">value</param>
<object id="obj1">
<param name="param1">
<object id="obj2">
<param name="param2">
</object>
</object>
<h6>Complex-4: nested and other tables</h6>
<table border="1" bgcolor="red"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" bgcolor="green"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br />
<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br />
<strong>Missing tr:</strong> <table><td>Well</td></table><br />
<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6>
(Try different 'keep_bad' values)
<*> Pseudotags <*>
<xml>Non-HTML tag xml</xml>
<p>
Disallowed tag p
</p>
<ul>Bad<li>OK</li></ul>
<h6>Elements</h6>
<strong>Unbalanced:</strong> <a href="h"><em>check</a></em><br />
<strong>Non-XHTML:</strong> <div><center><dir></dir></center></div><br />
<strong>Malformed:</strong> < a href=""></a>, <a href="" ></a>, <a href="" ></a>, <a href=""
></a>, <a href="">< /a>, < a href=""></a >, <img src="s" alt="a" />, <img src="s" alt="a"/ >, <imgsrc="s" alt="a" /><br />
<strong>Invalid:</strong> <image src="s" alt="a" /><br />
<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a"></img>, <img src="s" alt="a">text</img><br />
<strong>Content invalid:</strong> <a href="h">1<a>2</a></a><br />
<strong>Content invalid?:</strong> <form></form><br /> (try setting 'form' as parent)<br />
<strong>Casing:</strong> <A href=""></a><br />
<strong>Check for tidy:</strong> <br /><hr /></div><hr /></div><hr /></div><div>hi</div>
<h6>Entities</h6>
<strong>Special:</strong> &amp; 3 < 2 & 5>4 and j >i >a & i<j>a<br />
<strong>Padding:</strong> &#00066; &#066; &#x00066; &#x066; &#x003; &#0003;<br />
<strong>Malformed:</strong> & #x27;, &x27;, &#x27; &TILDE;, &tilde<br />
<strong>Invalid:</strong> &#x3;, &#55296;, &#03;, &#1114112;, &#xffff, &bad;<br />
<strong>Discouraged characters:</strong> &#x7f;, &#132;, &#64992;, &#1114110;<br />
<strong>Context:</strong> '&gt;', &lt;?<br />
<strong>Casing:</strong> &#X27;, &#x27;, &TILDE;, &tilde;
<br />
(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)
<h6>Format</h6>
<strong>Valid but ill-formatted:</strong> text <!-- comment -->
text <!--
A c o m m e n t -->
<script>
<![CDATA[
code
]]>
</script><!-- comment --><![CDATA[ cdata ]]> <a>text</b> text<pre id="none">p r e</pre>
<textarea>text</textarea> <textarea>
text text
</textarea> text text <br /><hr />
text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em>
text <img src="none" alt="none" /> <b>t<em> e <strong> x </strong> t</em></b>
<a href="a"> text <img src="none" alt="none" /> <b>t <em> e <strong> x </strong> t</em></b>
</a>
<span style="background-color: yellow;">text <img src="none" alt="none" /> <b> <em> t e <strong> x </strong> t</em></b></span>
<script>script</script>
<div>
<pre id="none">p <a>r</a> e <!-- comment --> </pre>
<pre>
pre
</pre>
</div>
<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div>
(try to compact or beautify)
<h6>Forms</h6>
(note nesting of 'form', missing required attributes, etc.)<br />
<form>
<script type="text/javascript">s</script>
<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1"></fieldset>
<input name="h" type="checkbox" value="h" tabindex="20"> h
<textarea name="t">t</textarea>
<form action="a" method="get"></form></form><br />
<form action="b" method="get"><p><input type="text" value="i" /></form><br />
<form>B:<input type="text" value="b" />C:<input type="text" value="c" /></form><br />
(try each of these lines separately)<br />
<form action="a">what<br />
<form action="a">what
(try with container as div and as form)<br />
<form>c <a>a</a> <b>b</b><input /><script>s</script>
<h6>HTML comments (also CDATA)</h6>
<strong>Script inside:</strong> <!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]--><br />
<strong>Special characters inside: <!-- <![CDATA check ]]> -->, <!-- 3 < 4 > 3.5, & 4 &gt; 4 -->, <!-- che--ck -->, <!--[if !IE]> <--><a>c</a><!--> <![endif]--><br />
<strong>Normal:</strong> <!-- check -->, <!--check -->, <em>comment:<!-- check --></em><!-- check -->, <table><!-- check --><tr><td>text not allowed</td></tr></table><br />
<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, < ![CDATA check ] ]><br />
Invalid:</strong> <em <!-- check -->>comment in tag content</em>, <!--check-->
<h6>HTML5</h6>
<strong>figure and figcaption:</strong> <figure><img src="picture.jpg" alt="picture"><figcaption>Caption for the awesome picture</figcaption></figure>
<strong>article:</strong> <h1>A</h1><p>B</p><article><h2>C</h2></article><article><h2>E</h2><p>F</p><p>G</p></article>
<strong>meter</strong>: <p>Heat <meter min="100" max="200" value="150">150</meter>.</p>
<strong>datalist</strong>: <input list="b" /><datalist id="b"><option value="c"><option value="d"></datalist>
<h6>Ins-Del</h6>
(depending on context, these elements can be of either block or inline type)<br />
<p><ins datetime="d" cite="c"><div>block</div></ins></p><br />
<p><del>d</del></p><br />
<p><ins><del>d</del></ins></p><div><ins><p><del><div>d</div></del></p></ins></div><ins><div>d</div></ins>
<h6>Lists</h6>
<strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br />
<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b<dd>second</dl><br />
<strong>Definition lists, nested</strong>: <dl>
<dt>T1</dt>
<dd>D1</dd>
<dt>T2</dt>
<dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
<dt>T3</dt>
<dd>D3</dd>
<dt>T4</dt>
<dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
</dl><br />
<strong>Definition lists, nested, close-tags omitted</strong>: <dl>
<dt>T1
<dd>D1</dd>
<dt>T2</dt>
<dd>D2<dl><dt>t1<dd>d1<dt>t2</dt><dd>d2</dd></dl></dd>
<dt>T3
<dd>D3
<dt>T4
<dd>D4<dl><dt>t1<dd>d1</dl></dd>
</dl><br />
<strong>Nested</strong>: <ul>
<li>l1</li>
<li>l2<ol><li>lo1</li><li>lo2</li></ol></li>
<li>l3</li>
<li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li>
</ul><br />
<strong>Nested, directly</strong>: <ul>
<li>l1</li>
<ol>l2</ol>
<li>l3</li>
</ul><br />
<strong>Nested, close-tags omitted</strong>: <ul>
<li>l1</li>
<li>l2<ol><li>lo1<li>lo2</ol>
<li>l3
<li>l4<ol><li>lo3<li>lo4<ol><li>lo5</ol></ol>
</ul><br />
<strong>Complex</strong>:
<ol><script></script><li><table><tr><td>
<ul><li id="search" class="widget widget_search"> <form id="searchform" method="get" action="http://kohei.us">
<div>
<input type="text" name="s" id="s" size="15" /><br />
<input type="submit" value="Search" />
</div>
</form>
</li></ul>
</td></tr></table></li></ol>
<strong>Menu</strong>: <menu type="toolbar"><li><menu label="File">
<button type="button" onclick="new()">New...</button>
</menu></li><li><menu label="Edit"><button type="button" onclick="cut()">Cut...</button></menu></li>
</menu>
<h6>Microdata</h6>
<div itemscope itemtype="http://data-vocabulary.org/Person">
I am <span itemprop="name">X</span> but people call me <span itemprop="nickname">Y</span>.
Find me at <a href="http://www.xy.com" itemprop="url">www.xy.com</a>
</div>
<h6>Microsoft Word</h6>
<strong>Proprietary tag</strong>: <p class=3DMsoNormal><o:p>&nbsp;</o:p></p><br />
<strong>XML declaration</strong>: <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><br />
<strong>XML-invalid character code-point (may not replicate)</strong>: <p class=3DMsoNormal>“Where is he?” asked both Mary the one so lovely and Jane.</p>
<h6>Nesting</h6>
<strong>Block or inline a</strong>: <p><a href="link">text</a></p><a href="link"><div>hi</div></a><br />
<h6>Non-English text-1</h6>
Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br />
გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br />
večjezično računalništvo<br />
<a title="อ.อ่าง">อ.อ่าง</a><br />
<a title="הירשמו
כעת לכנס ">Зарегистрируйтесь сейчас
на Десятую Международную Конференцию по</a><br />
(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)
<h6>Non-English text-2: entities</h6>
&#29992;&#32479;&#19968;&#30721;<br />
&#4306;&#4311;&#4334;&#4317;&#4309;&#4311;<br />
Inscreva-se agora para a D&#233;cima Confer&#234;ncia Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de mar&#231;o de 1997 em Mainz
na Alemanha.
<h6>Ruby</h6>
(need compatible browser)<br />
<ruby xml:lang="ja">
<rbc>
<rb>斎</rb>
<rb>藤</rb>
<rb>信</rb>
<rb>男</rb>
</rbc>
<rtc class="reading">
<rt>さい</rt>
<rt>とう</rt>
<rt>のぶ</rt>
<rt>お</rt>
</rtc>
<rtc class="annotation">
<rt rbspan="4" xml:lang="en">W3C Associate Chairman</rt>
</rtc>
</ruby><br />
<ruby>
<rb>WWW</rb>
<rp>(</rp><rt>World Wide Web</rt><rp>)</rp>
</ruby><br />
<ruby>
A
<rp>(</rp><rt>aaa</rt><rp>)</rp>
</ruby>
<h6>Tables</h6>
<strong>Omitted closing tags:</strong> <table>
<colgroup><col style="x" /><col style="y" />
<thead>
<tr><th>h1c1<th>h1c2
<tbody>
<tr><td>r1c1<td>r1c2
<tr><td>r2c1<td>r2c2
</table><br />
<strong>Nested, omitted closing tags:</strong> <table>
<colgroup><col style="x" /><col style="y" />
<thead>
<tr><th>h1c1<th>h1c2
<tbody>
<tr><td>r1c1<td>r1c2<table>
<colgroup><col style="x" /><col style="y" />
<thead>
<tr><th>h1c1<th>h1c2
<tbody>
<tr><td>r1c1<td>r1c2
<tr><td>r2c1<td>r2c2
</table>
<tr><td>r2c1<td>r2c2
</table><br />
<h6>Tag transformation</h6>
<strong>Font element intended as 'inline' element:</strong> <p><font color='red'>hi</font></p><br />
<strong>Font element intended as 'block' element:</strong> <div><font color='red'><div>hi</div></font></div><br />
<strong>Font element intended as 'block' element:</strong> <center><font color='red' face="serif, 'Times'"><div>hi</div><div>QQQ</div></font></center><br />
<h6>Tidy</h6>
<strong>White-space handling:</strong> abc<em> def </em> ghi abc <em>def</em> ghi
<h6>URLs</h6>
<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br />
(try base URL value of 'http://a.com/b/')<br />
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL(&quot;a.gif&quot;);"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
<strong>Soft-hyphen:</strong> <a href="http://q=ídis­c">ídis­c</a>
<h6>XSS</h6>
<img alt="<img onmouseover=confirm(1)//"<"">
'';!--"<xss>=&{()}<br />
<img src="javascript%3Aalert('xss');" /><br />
<img src="javascript:alert('xss');" /><br />
<img src="java script:alert('xss');" /><br />
<img
src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />
<font color='#FF6699"onmouseover="alert(1)//'>test</font>
<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
<div style="javascript:alert('xss');"></div><br />
<div style="background-image:url(javascript:alert('xss'));"></div><br />
<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />
<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />
<script a=">" src="http://ha.ckers.org/xss.js"></script><br />
<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert
%28%27xss%3f%29%29">x</a><br />
<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>
<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />
<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />
<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />
<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />
<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />
<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
<strong>Bad IE7:</strong> <a style="background:url('java
script:eval(document.all.mycode.expr)')">hi</a><br />
<h6>Other</h6>
3 < 4 <br />
3 > 4 <br />
> 3 <br />
<._.> hi! <br />
<<< ALERT >>> <br />
<![if !vml]> some stuff <![endif]> <br />
<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> <br />
<uml:ns ns = "urn:www"> <br />
<uml:ns ns = 'urn:www'> <br />
if(13<age AND 21>age){say 'teen'} <br />
age >51 and a smoking history of >51 pack-years <b>was</b> <br />
age > 51 and a smoking history of >51 pack-years <b>was</b> <br />
age <51 and a smoking history of <51 pack-years <b>was</b> <br />
age < 51 and a smoking history of < 51 pack-years <b>was</b> <br />
<b>age >51 and a smoking history of >51 pack-years</b> <br />
<b>age > 51 and a smoking history of >51 pack-years</b> <br />
<b>age <51 and a smoking history of <51 pack-years</b> <br />
<b>age < 51 and a smoking history of < 51 pack-years</b> <br />

5
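--- a/test-htmLawed.sh
+++ b/test-htmLawed.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# php -r 'require "htmLawed.php"; print htmLawed::sanitize(file_get_contents("test_xss.txt"), array("safe" => 1));' > test_php.htm
+node_modules/.bin/eslint --rulesdir eslint-plugin-no-regex-dot htmLawed.js
+node_modules/.bin/babel htmLawed.js > htmLawed.c.js
+nodejs htmLawed-test.js test_xss.txt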
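Review bot: Without `set -e` after the shebang, a failing eslint run on the third line does not stop the script; babel and the test on the following lines still execute and the exit status reflects only the last command, so the lint gate (including the new no-regex-dot rule) can be silently bypassed. Add `set -e` as the second line. The last line also invokes `nodejs`, while the `node_modules/.bin` wrappers presumably resolve `node`; on a system where only one of the two names exists the script breaks half-way, so consider invoking `node` consistently.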

42
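--- a/test_php.htm
+++ b/test_php.htm
@@ -0,0 +1,42 @@
+<img alt="&lt;img onmouseover=confirm(1)//" src="src" />
+'';!--"=&amp;{()}<br />
+<img src="denied:javascript%3Aalert('xss');" alt="image" /><br />
+<img src="denied:javascript:alert('xss');" alt="image" /><br />
+<img src="denied:java script:alert('xss');" alt="image" /><br />
+<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" /><br />
+<span style="color: #FF6699'onmouseover='alert(1)//;">test</span>
+<span style="color: img//onerror='alert`www.ptsecurity.com`'src=Psych0tr1a;">
+<br />
+<br />
+<br />
+&lt;!--[if gte IE 4]&gt;alert('xss');&lt;![endif]--&gt;<br />
+" src="http://ha.ckers.org/xss.js"&gt;<br />
+<strong>Bad in PHP version without safe:</strong> " ";alert(window.location.href);//&gt;<br />
+<br />
+<a style=";-moz-binding:url(denied:http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
+<strong>Bad IE7:</strong> <a href="http://x&amp;x=%22+style%3d%22background-image%3a+expression%28alert %28%27xss%3f%29%29">x</a><br />
+<strong>Opera:</strong> <a href="denied:\xE2\x80\x83javascript:alert(123)">link</a>
+<strong>Bad IE7:</strong> <a style="color:expr comment*/ession(alert(document.domain))">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: x */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="width: *** *;;;;;;*/ */(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background: */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background: huh */ */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background: */ (alert('xss'));background: */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> exp/*<a style="no ss:noxss(&quot;*/ &quot;);xss:ex XSS*/ /pression(alert(&quot;XSS&quot;))">x</a><br />
+<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="color: 065 078 070 072 065 073 073 069 06f 06e 028 061 06c 065 072 074 028 031 029 029">test</a><br />
+<strong>Bad IE7:</strong> <a style="xss:e #48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:url('denied:java script:eval(document.all.mycode.expr)')">hi</a><br />
+</span>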

44
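--- a/test_xss.txt
+++ b/test_xss.txt
@@ -0,0 +1,44 @@
+<img alt="<img onmouseover=confirm(1)//"<"">
+'';!--"<xss>=&{()}<br />
+<img src="javascript%3Aalert('xss');" /><br />
+<img src="javascript:alert('xss');" /><br />
+<img src="java script:alert('xss');" /><br />
+<img
+src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />
+<font color='#FF6699"onmouseover="alert(1)//'>test</font>
+<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
+<div style="javascript:alert('xss');"></div><br />
+<div style="background-image:url(javascript:alert('xss'));"></div><br />
+<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />
+<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />
+<script a=">" src="http://ha.ckers.org/xss.js"></script><br />
+<strong>Bad in PHP version without safe:</strong> <script a=">" ";alert(window.location.href);//></script><br />
+<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
+<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
+<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert
+%28%27xss%3f%29%29">x</a><br />
+<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>
+<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />
+<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />
+<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:url('java
+script:eval(document.all.mycode.expr)')">hi</a><br />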