
Commit ed2cd9f

committed May 8, 2016
fixup! Reintroduce the old sanitizer testsuite from html5lib-tests
1 parent 63a89d4 commit ed2cd9f


1 file changed

+53
-53
lines changed


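--- a/html5lib/tests/sanitizer-testdata/tests1.dat
+++ b/html5lib/tests/sanitizer-testdata/tests1.dat
@@ -8,7 +8,7 @@
 {
 "name": "IE_Comments_2",
 "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
-"output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
+"output": "&lt;script&gt;alert('XSS');&lt;/script&gt;"
 },
 
 {
@@ -20,13 +20,13 @@
 {
 "name": "background_attribute",
 "input": "<div background=\"javascript:alert('XSS')\"></div>",
-"output": "<div/>",
+"output": "<div/>"
 },
 
 {
 "name": "bgsound",
 "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-"output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
+"output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;"
 },
 
 {
@@ -44,49 +44,49 @@
 {
 "name": "double_open_angle_brackets",
 "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-"output": "<img src='http://ha.ckers.org/scriptlet.html'>",
+"output": "<img src='http://ha.ckers.org/scriptlet.html'>"
 },
 
 {
 "name": "double_open_angle_brackets_2",
 "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-"output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
+"output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;"
 },
 
 {
 "name": "grave_accents",
 "input": "<img src=`javascript:alert('XSS')` />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "img_dynsrc_lowsrc",
 "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "img_vbscript",
 "input": "<img src='vbscript:msgbox(\"XSS\")' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "input_image",
 "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
-"output": "<input type='image'/>",
+"output": "<input type='image'/>"
 },
 
 {
 "name": "link_stylesheets",
 "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-"output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/&gt;",
+"output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/&gt;"
 },
 
 {
 "name": "link_stylesheets_2",
 "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-"output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/&gt;",
+"output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/&gt;"
 },
 
 {
@@ -98,37 +98,37 @@
 {
 "name": "no_closing_script_tags",
 "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-"output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
+"output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;"
 },
 
 {
 "name": "non_alpha_non_digit",
 "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-"output": "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
+"output": "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
 },
 
 {
 "name": "non_alpha_non_digit_2",
 "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
-"output": "<a>foo</a>",
+"output": "<a>foo</a>"
 },
 
 {
 "name": "non_alpha_non_digit_3",
 "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
-"output": "<img src='http://ha.ckers.org/xss.js'/>",
+"output": "<img src='http://ha.ckers.org/xss.js'/>"
 },
 
 {
 "name": "non_alpha_non_digit_II",
 "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-"output": "<a>foo</a>",
+"output": "<a>foo</a>"
 },
 
 {
 "name": "non_alpha_non_digit_III",
 "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
-"output": "<a>foo</a>",
+"output": "<a>foo</a>"
 },
 
 {
@@ -140,7 +140,7 @@
 {
 "name": "protocol_resolution_in_script_tag",
 "input": "<script src=//ha.ckers.org/.j></script>",
-"output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
+"output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;"
 },
 
 {
@@ -152,25 +152,25 @@
 {
 "name": "should_allow_image_alt_attribute",
 "input": "<img alt='foo' onclick='bar' />",
-"output": "<img alt='foo'/>",
+"output": "<img alt='foo'/>"
 },
 
 {
 "name": "should_allow_image_height_attribute",
 "input": "<img height='foo' onclick='bar' />",
-"output": "<img height='foo'/>",
+"output": "<img height='foo'/>"
 },
 
 {
 "name": "should_allow_image_src_attribute",
 "input": "<img src='foo' onclick='bar' />",
-"output": "<img src='foo'/>",
+"output": "<img src='foo'/>"
 },
 
 {
 "name": "should_allow_image_width_attribute",
 "input": "<img width='foo' onclick='bar' />",
-"output": "<img width='foo'/>",
+"output": "<img width='foo'/>"
 },
 
 {
@@ -182,7 +182,7 @@
 {
 "name": "should_handle_malformed_image_tags",
 "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
-"output": "<img/>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
+"output": "<img/>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;"
 },
 
 {
@@ -194,133 +194,133 @@
 {
 "name": "should_not_fall_for_ridiculous_hack",
 "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_0",
 "input": "<img src=\"javascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_1",
 "input": "<img src=javascript:alert('XSS') />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_10",
 "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_11",
 "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_12",
 "input": "<img src=\" &#14; javascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_13",
 "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_14",
 "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_2",
 "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_3",
 "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_4",
 "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_5",
 "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_6",
 "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_7",
 "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_8",
 "input": "<img src=\"jav\tascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_not_fall_for_xss_image_hack_9",
 "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_sanitize_half_open_scripts",
 "input": "<img src=\"javascript:alert('XSS')\"",
-"output": "<img/>",
+"output": "<img/>"
 },
 
 {
 "name": "should_sanitize_invalid_script_tag",
 "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-"output": "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
+"output": "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
 },
 
 {
 "name": "should_sanitize_script_tag_with_multiple_open_brackets",
 "input": "<<script>alert(\"XSS\");//<</script>",
-"output": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;",
+"output": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;"
 },
 
 {
 "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
 "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-"output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
+"output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;"
 },
 
 {
 "name": "should_sanitize_tag_broken_up_by_null",
 "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
-"output": "&lt;scr\ufffdipt&gt;alert(\"XSS\")&lt;/scr\ufffdipt&gt;",
+"output": "&lt;scr\ufffdipt&gt;alert(\"XSS\")&lt;/scr\ufffdipt&gt;"
 },
 
 {
 "name": "should_sanitize_unclosed_script",
 "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-"output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
+"output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;"
 },
 
 {
@@ -338,13 +338,13 @@
 {
 "name": "should_strip_src_attribute_in_img_with_bad_protocols",
 "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
-"output": "<img title='1'/>boo",
+"output": "<img title='1'/>boo"
 },
 
 {
 "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
 "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
-"output": "<img title='1'/>boo",
+"output": "<img title='1'/>boo"
 },
 
 {
@@ -398,36 +398,36 @@
 {
 "name": "style_attr_end_with_nothing",
 "input": "<div style=\"color: blue\" />",
-"output": "<div style='color: blue;'/>",
+"output": "<div style='color: blue;'/>"
 },
 
 {
 "name": "style_attr_end_with_space",
 "input": "<div style=\"color: blue \" />",
-"output": "<div style='color: blue ;'/>",
+"output": "<div style='color: blue ;'/>"
 },
 
 {
 "name": "style_attr_end_with_semicolon",
 "input": "<div style=\"color: blue;\" />",
-"output": "<div style='color: blue;'/>",
+"output": "<div style='color: blue;'/>"
 },
 
 {
 "name": "style_attr_end_with_semicolon_space",
 "input": "<div style=\"color: blue; \" />",
-"output": "<div style='color: blue;'/>",
+"output": "<div style='color: blue;'/>"
 },
 
 {
 "name": "attributes_with_embedded_quotes",
 "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-"output": "<img src='doesntexist.jpg&quot;&apos;onerror=&quot;alert(1)'/>",
+"output": "<img src='doesntexist.jpg&quot;&apos;onerror=&quot;alert(1)'/>"
 },
 
 {
 "name": "attributes_with_embedded_quotes_II",
 "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-"output": "<img src='notthere.jpg&quot;&quot;onerror=&quot;alert(2)'/>",
+"output": "<img src='notthere.jpg&quot;&quot;onerror=&quot;alert(2)'/>"
 }
 ]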
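Review bot: The entries `no_closing_script_tags` (hunk `@@ -98,37`) and `should_sanitize_unclosed_script` (hunk `@@ -194,133`) are byte-identical in both `"input"` and `"output"`, so after this fixup the suite still carries a duplicate case that adds no coverage and, if the second was once meant to exercise a different malformed-script shape, silently lost it. Dropping one of them, or giving the second a distinct input that justifies its name, would make the data self-describing. Separately, `non_alpha_non_digit_2` escapes the closing bracket as `\\]` while its apparent sibling `non_alpha_non_digit_II` writes a bare `]`; these look like parallel onclick/href cases, so the asymmetry is presumably inherited from upstream rather than intended and is worth confirming against the source suite. The enclosing JSON array begins before the first hunk shown.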
