|
8 | 8 | { |
9 | 9 | "name": "IE_Comments_2", |
10 | 10 | "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>", |
11 | | - "output": "<script>alert('XSS');</script>", |
| 11 | + "output": "<script>alert('XSS');</script>" |
12 | 12 | }, |
13 | 13 |
|
14 | 14 | { |
|
20 | 20 | { |
21 | 21 | "name": "background_attribute", |
22 | 22 | "input": "<div background=\"javascript:alert('XSS')\"></div>", |
23 | | - "output": "<div/>", |
| 23 | + "output": "<div/>" |
24 | 24 | }, |
25 | 25 |
|
26 | 26 | { |
27 | 27 | "name": "bgsound", |
28 | 28 | "input": "<bgsound src=\"javascript:alert('XSS');\" />", |
29 | | - "output": "<bgsound src=\"javascript:alert('XSS');\"/>", |
| 29 | + "output": "<bgsound src=\"javascript:alert('XSS');\"/>" |
30 | 30 | }, |
31 | 31 |
|
32 | 32 | { |
|
44 | 44 | { |
45 | 45 | "name": "double_open_angle_brackets", |
46 | 46 | "input": "<img src=http://ha.ckers.org/scriptlet.html <", |
47 | | - "output": "<img src='http://ha.ckers.org/scriptlet.html'>", |
| 47 | + "output": "<img src='http://ha.ckers.org/scriptlet.html'>" |
48 | 48 | }, |
49 | 49 |
|
50 | 50 | { |
51 | 51 | "name": "double_open_angle_brackets_2", |
52 | 52 | "input": "<script src=http://ha.ckers.org/scriptlet.html <", |
53 | | - "output": "<script src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">", |
| 53 | + "output": "<script src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">" |
54 | 54 | }, |
55 | 55 |
|
56 | 56 | { |
57 | 57 | "name": "grave_accents", |
58 | 58 | "input": "<img src=`javascript:alert('XSS')` />", |
59 | | - "output": "<img/>", |
| 59 | + "output": "<img/>" |
60 | 60 | }, |
61 | 61 |
|
62 | 62 | { |
63 | 63 | "name": "img_dynsrc_lowsrc", |
64 | 64 | "input": "<img dynsrc=\"javascript:alert('XSS')\" />", |
65 | | - "output": "<img/>", |
| 65 | + "output": "<img/>" |
66 | 66 | }, |
67 | 67 |
|
68 | 68 | { |
69 | 69 | "name": "img_vbscript", |
70 | 70 | "input": "<img src='vbscript:msgbox(\"XSS\")' />", |
71 | | - "output": "<img/>", |
| 71 | + "output": "<img/>" |
72 | 72 | }, |
73 | 73 |
|
74 | 74 | { |
75 | 75 | "name": "input_image", |
76 | 76 | "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />", |
77 | | - "output": "<input type='image'/>", |
| 77 | + "output": "<input type='image'/>" |
78 | 78 | }, |
79 | 79 |
|
80 | 80 | { |
81 | 81 | "name": "link_stylesheets", |
82 | 82 | "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />", |
83 | | - "output": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/>", |
| 83 | + "output": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/>" |
84 | 84 | }, |
85 | 85 |
|
86 | 86 | { |
87 | 87 | "name": "link_stylesheets_2", |
88 | 88 | "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />", |
89 | | - "output": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/>", |
| 89 | + "output": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/>" |
90 | 90 | }, |
91 | 91 |
|
92 | 92 | { |
|
98 | 98 | { |
99 | 99 | "name": "no_closing_script_tags", |
100 | 100 | "input": "<script src=http://ha.ckers.org/xss.js?<b>", |
101 | | - "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">", |
| 101 | + "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">" |
102 | 102 | }, |
103 | 103 |
|
104 | 104 | { |
105 | 105 | "name": "non_alpha_non_digit", |
106 | 106 | "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>", |
107 | | - "output": "<script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"></script>", |
| 107 | + "output": "<script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"></script>" |
108 | 108 | }, |
109 | 109 |
|
110 | 110 | { |
111 | 111 | "name": "non_alpha_non_digit_2", |
112 | 112 | "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>", |
113 | | - "output": "<a>foo</a>", |
| 113 | + "output": "<a>foo</a>" |
114 | 114 | }, |
115 | 115 |
|
116 | 116 | { |
117 | 117 | "name": "non_alpha_non_digit_3", |
118 | 118 | "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>", |
119 | | - "output": "<img src='http://ha.ckers.org/xss.js'/>", |
| 119 | + "output": "<img src='http://ha.ckers.org/xss.js'/>" |
120 | 120 | }, |
121 | 121 |
|
122 | 122 | { |
123 | 123 | "name": "non_alpha_non_digit_II", |
124 | 124 | "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>", |
125 | | - "output": "<a>foo</a>", |
| 125 | + "output": "<a>foo</a>" |
126 | 126 | }, |
127 | 127 |
|
128 | 128 | { |
129 | 129 | "name": "non_alpha_non_digit_III", |
130 | 130 | "input": "<a/href=\"javascript:alert('XSS');\">foo</a>", |
131 | | - "output": "<a>foo</a>", |
| 131 | + "output": "<a>foo</a>" |
132 | 132 | }, |
133 | 133 |
|
134 | 134 | { |
|
140 | 140 | { |
141 | 141 | "name": "protocol_resolution_in_script_tag", |
142 | 142 | "input": "<script src=//ha.ckers.org/.j></script>", |
143 | | - "output": "<script src=\"//ha.ckers.org/.j\"></script>", |
| 143 | + "output": "<script src=\"//ha.ckers.org/.j\"></script>" |
144 | 144 | }, |
145 | 145 |
|
146 | 146 | { |
|
152 | 152 | { |
153 | 153 | "name": "should_allow_image_alt_attribute", |
154 | 154 | "input": "<img alt='foo' onclick='bar' />", |
155 | | - "output": "<img alt='foo'/>", |
| 155 | + "output": "<img alt='foo'/>" |
156 | 156 | }, |
157 | 157 |
|
158 | 158 | { |
159 | 159 | "name": "should_allow_image_height_attribute", |
160 | 160 | "input": "<img height='foo' onclick='bar' />", |
161 | | - "output": "<img height='foo'/>", |
| 161 | + "output": "<img height='foo'/>" |
162 | 162 | }, |
163 | 163 |
|
164 | 164 | { |
165 | 165 | "name": "should_allow_image_src_attribute", |
166 | 166 | "input": "<img src='foo' onclick='bar' />", |
167 | | - "output": "<img src='foo'/>", |
| 167 | + "output": "<img src='foo'/>" |
168 | 168 | }, |
169 | 169 |
|
170 | 170 | { |
171 | 171 | "name": "should_allow_image_width_attribute", |
172 | 172 | "input": "<img width='foo' onclick='bar' />", |
173 | | - "output": "<img width='foo'/>", |
| 173 | + "output": "<img width='foo'/>" |
174 | 174 | }, |
175 | 175 |
|
176 | 176 | { |
|
182 | 182 | { |
183 | 183 | "name": "should_handle_malformed_image_tags", |
184 | 184 | "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">", |
185 | | - "output": "<img/><script>alert(\"XSS\")</script>\">", |
| 185 | + "output": "<img/><script>alert(\"XSS\")</script>\">" |
186 | 186 | }, |
187 | 187 |
|
188 | 188 | { |
|
194 | 194 | { |
195 | 195 | "name": "should_not_fall_for_ridiculous_hack", |
196 | 196 | "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />", |
197 | | - "output": "<img/>", |
| 197 | + "output": "<img/>" |
198 | 198 | }, |
199 | 199 |
|
200 | 200 | { |
201 | 201 | "name": "should_not_fall_for_xss_image_hack_0", |
202 | 202 | "input": "<img src=\"javascript:alert('XSS');\" />", |
203 | | - "output": "<img/>", |
| 203 | + "output": "<img/>" |
204 | 204 | }, |
205 | 205 |
|
206 | 206 | { |
207 | 207 | "name": "should_not_fall_for_xss_image_hack_1", |
208 | 208 | "input": "<img src=javascript:alert('XSS') />", |
209 | | - "output": "<img/>", |
| 209 | + "output": "<img/>" |
210 | 210 | }, |
211 | 211 |
|
212 | 212 | { |
213 | 213 | "name": "should_not_fall_for_xss_image_hack_10", |
214 | 214 | "input": "<img src=\"jav
ascript:alert('XSS');\" />", |
215 | | - "output": "<img/>", |
| 215 | + "output": "<img/>" |
216 | 216 | }, |
217 | 217 |
|
218 | 218 | { |
219 | 219 | "name": "should_not_fall_for_xss_image_hack_11", |
220 | 220 | "input": "<img src=\"jav
ascript:alert('XSS');\" />", |
221 | | - "output": "<img/>", |
| 221 | + "output": "<img/>" |
222 | 222 | }, |
223 | 223 |
|
224 | 224 | { |
225 | 225 | "name": "should_not_fall_for_xss_image_hack_12", |
226 | 226 | "input": "<img src=\"  javascript:alert('XSS');\" />", |
227 | | - "output": "<img/>", |
| 227 | + "output": "<img/>" |
228 | 228 | }, |
229 | 229 |
|
230 | 230 | { |
231 | 231 | "name": "should_not_fall_for_xss_image_hack_13", |
232 | 232 | "input": "<img src=\" javascript:alert('XSS');\" />", |
233 | | - "output": "<img/>", |
| 233 | + "output": "<img/>" |
234 | 234 | }, |
235 | 235 |
|
236 | 236 | { |
237 | 237 | "name": "should_not_fall_for_xss_image_hack_14", |
238 | 238 | "input": "<img src=\" javascript:alert('XSS');\" />", |
239 | | - "output": "<img/>", |
| 239 | + "output": "<img/>" |
240 | 240 | }, |
241 | 241 |
|
242 | 242 | { |
243 | 243 | "name": "should_not_fall_for_xss_image_hack_2", |
244 | 244 | "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />", |
245 | | - "output": "<img/>", |
| 245 | + "output": "<img/>" |
246 | 246 | }, |
247 | 247 |
|
248 | 248 | { |
249 | 249 | "name": "should_not_fall_for_xss_image_hack_3", |
250 | 250 | "input": "<img src='javascript:alert("XSS")' />", |
251 | | - "output": "<img/>", |
| 251 | + "output": "<img/>" |
252 | 252 | }, |
253 | 253 |
|
254 | 254 | { |
255 | 255 | "name": "should_not_fall_for_xss_image_hack_4", |
256 | 256 | "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />", |
257 | | - "output": "<img/>", |
| 257 | + "output": "<img/>" |
258 | 258 | }, |
259 | 259 |
|
260 | 260 | { |
261 | 261 | "name": "should_not_fall_for_xss_image_hack_5", |
262 | 262 | "input": "<img src='javascript:alert('XSS')' />", |
263 | | - "output": "<img/>", |
| 263 | + "output": "<img/>" |
264 | 264 | }, |
265 | 265 |
|
266 | 266 | { |
267 | 267 | "name": "should_not_fall_for_xss_image_hack_6", |
268 | 268 | "input": "<img src='javascript:alert('XSS')' />", |
269 | | - "output": "<img/>", |
| 269 | + "output": "<img/>" |
270 | 270 | }, |
271 | 271 |
|
272 | 272 | { |
273 | 273 | "name": "should_not_fall_for_xss_image_hack_7", |
274 | 274 | "input": "<img src='javascript:alert('XSS')' />", |
275 | | - "output": "<img/>", |
| 275 | + "output": "<img/>" |
276 | 276 | }, |
277 | 277 |
|
278 | 278 | { |
279 | 279 | "name": "should_not_fall_for_xss_image_hack_8", |
280 | 280 | "input": "<img src=\"jav\tascript:alert('XSS');\" />", |
281 | | - "output": "<img/>", |
| 281 | + "output": "<img/>" |
282 | 282 | }, |
283 | 283 |
|
284 | 284 | { |
285 | 285 | "name": "should_not_fall_for_xss_image_hack_9", |
286 | 286 | "input": "<img src=\"jav	ascript:alert('XSS');\" />", |
287 | | - "output": "<img/>", |
| 287 | + "output": "<img/>" |
288 | 288 | }, |
289 | 289 |
|
290 | 290 | { |
291 | 291 | "name": "should_sanitize_half_open_scripts", |
292 | 292 | "input": "<img src=\"javascript:alert('XSS')\"", |
293 | | - "output": "<img/>", |
| 293 | + "output": "<img/>" |
294 | 294 | }, |
295 | 295 |
|
296 | 296 | { |
297 | 297 | "name": "should_sanitize_invalid_script_tag", |
298 | 298 | "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>", |
299 | | - "output": "<script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"></script>", |
| 299 | + "output": "<script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"></script>" |
300 | 300 | }, |
301 | 301 |
|
302 | 302 | { |
303 | 303 | "name": "should_sanitize_script_tag_with_multiple_open_brackets", |
304 | 304 | "input": "<<script>alert(\"XSS\");//<</script>", |
305 | | - "output": "<<script>alert(\"XSS\");//<</script>", |
| 305 | + "output": "<<script>alert(\"XSS\");//<</script>" |
306 | 306 | }, |
307 | 307 |
|
308 | 308 | { |
309 | 309 | "name": "should_sanitize_script_tag_with_multiple_open_brackets_2", |
310 | 310 | "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<", |
311 | | - "output": "<iframe src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">", |
| 311 | + "output": "<iframe src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">" |
312 | 312 | }, |
313 | 313 |
|
314 | 314 | { |
315 | 315 | "name": "should_sanitize_tag_broken_up_by_null", |
316 | 316 | "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>", |
317 | | - "output": "<scr\ufffdipt>alert(\"XSS\")</scr\ufffdipt>", |
| 317 | + "output": "<scr\ufffdipt>alert(\"XSS\")</scr\ufffdipt>" |
318 | 318 | }, |
319 | 319 |
|
320 | 320 | { |
321 | 321 | "name": "should_sanitize_unclosed_script", |
322 | 322 | "input": "<script src=http://ha.ckers.org/xss.js?<b>", |
323 | | - "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">", |
| 323 | + "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">" |
324 | 324 | }, |
325 | 325 |
|
326 | 326 | { |
|
338 | 338 | { |
339 | 339 | "name": "should_strip_src_attribute_in_img_with_bad_protocols", |
340 | 340 | "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>", |
341 | | - "output": "<img title='1'/>boo", |
| 341 | + "output": "<img title='1'/>boo" |
342 | 342 | }, |
343 | 343 |
|
344 | 344 | { |
345 | 345 | "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace", |
346 | 346 | "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>", |
347 | | - "output": "<img title='1'/>boo", |
| 347 | + "output": "<img title='1'/>boo" |
348 | 348 | }, |
349 | 349 |
|
350 | 350 | { |
|
398 | 398 | { |
399 | 399 | "name": "style_attr_end_with_nothing", |
400 | 400 | "input": "<div style=\"color: blue\" />", |
401 | | - "output": "<div style='color: blue;'/>", |
| 401 | + "output": "<div style='color: blue;'/>" |
402 | 402 | }, |
403 | 403 |
|
404 | 404 | { |
405 | 405 | "name": "style_attr_end_with_space", |
406 | 406 | "input": "<div style=\"color: blue \" />", |
407 | | - "output": "<div style='color: blue ;'/>", |
| 407 | + "output": "<div style='color: blue ;'/>" |
408 | 408 | }, |
409 | 409 |
|
410 | 410 | { |
411 | 411 | "name": "style_attr_end_with_semicolon", |
412 | 412 | "input": "<div style=\"color: blue;\" />", |
413 | | - "output": "<div style='color: blue;'/>", |
| 413 | + "output": "<div style='color: blue;'/>" |
414 | 414 | }, |
415 | 415 |
|
416 | 416 | { |
417 | 417 | "name": "style_attr_end_with_semicolon_space", |
418 | 418 | "input": "<div style=\"color: blue; \" />", |
419 | | - "output": "<div style='color: blue;'/>", |
| 419 | + "output": "<div style='color: blue;'/>" |
420 | 420 | }, |
421 | 421 |
|
422 | 422 | { |
423 | 423 | "name": "attributes_with_embedded_quotes", |
424 | 424 | "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />", |
425 | | - "output": "<img src='doesntexist.jpg"'onerror="alert(1)'/>", |
| 425 | + "output": "<img src='doesntexist.jpg"'onerror="alert(1)'/>" |
426 | 426 | }, |
427 | 427 |
|
428 | 428 | { |
429 | 429 | "name": "attributes_with_embedded_quotes_II", |
430 | 430 | "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />", |
431 | | - "output": "<img src='notthere.jpg""onerror="alert(2)'/>", |
| 431 | + "output": "<img src='notthere.jpg""onerror="alert(2)'/>" |
432 | 432 | } |
433 | 433 | ] |
0 commit comments