voku /
anti-xss
Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.
Common duplication problems, and corresponding solutions are:
| 1 | <?php |
||
| 7 | class XssTest extends PHPUnit_Framework_TestCase { |
||
|
|
|||
| 8 | |||
| 9 | // INFO: here you can find some more tests |
||
| 10 | // |
||
| 11 | // - https://www.xssposed.org/incidents/ |
||
| 12 | // - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_TESTCASE.txt |
||
| 13 | // - http://htmlpurifier.org/live/smoketests/xssAttacks.php |
||
| 14 | // - http://hackingforsecurity.blogspot.de/2013/11/xss-cheat-sheet-huge-list.html |
||
| 15 | |||
| 16 | /** |
||
| 17 | * @var $security AntiXSS |
||
| 18 | */ |
||
| 19 | public $security; |
||
| 20 | |||
| 21 | public function setUp() |
||
| 25 | |||
| 26 | public function test_no_xss_url_with_json() |
||
| 27 | { |
||
| 28 | $testArray = array( |
||
| 29 | 'http://foo.bar/tpl_preview.php?pid=122&json=%7B%22recipe_id%22%3A-1%2C%22recipe_created%22%3A%22%22%2C%22recipe_title%22%3A%22vxcvxc%22%2C%22recipe_description%22%3A%22%22%2C%22recipe_yield%22%3A0%2C%22recipe_prepare_time%22%3A0%2C%22recipe_image%22%3A%22%22%2C%22recipe_legal%22%3A0%2C%22recipe_live%22%3A0%2C%22recipe_user_guid%22%3A%22%22%2C%22recipe_category_id%22%3A%5B%5D%2C%22recipe_category_name%22%3A%5B%5D%2C%22recipe_variety_id%22%3A%5B%5D%2C%22recipe_variety_name%22%3A%5B%5D%2C%22recipe_tag_id%22%3A%5B%5D%2C%22recipe_tag_name%22%3A%5B%5D%2C%22recipe_instruction_id%22%3A%5B%5D%2C%22recipe_instruction_text%22%3A%5B%5D%2C%22recipe_ingredient_id%22%3A%5B%5D%2C%22recipe_ingredient_name%22%3A%5B%5D%2C%22recipe_ingredient_amount%22%3A%5B%5D%2C%22recipe_ingredient_unit%22%3A%5B%5D%2C%22formMatchingArray%22%3A%7B%22unites%22%3A%5B%22Becher%22%2C%22Beete%22%2C%22Beutel%22%2C%22Blatt%22%2C%22Bl%5Cu00e4tter%22%2C%22Bund%22%2C%22B%5Cu00fcndel%22%2C%22cl%22%2C%22cm%22%2C%22dicke%22%2C%22dl%22%2C%22Dose%22%2C%22Dose%5C%2Fn%22%2C%22d%5Cu00fcnne%22%2C%22Ecke%28n%29%22%2C%22Eimer%22%2C%22einige%22%2C%22einige+Stiele%22%2C%22EL%22%2C%22EL%2C+geh%5Cu00e4uft%22%2C%22EL%2C+gestr.%22%2C%22etwas%22%2C%22evtl.%22%2C%22extra%22%2C%22Fl%5Cu00e4schchen%22%2C%22Flasche%22%2C%22Flaschen%22%2C%22g%22%2C%22Glas%22%2C%22Gl%5Cu00e4ser%22%2C%22gr.+Dose%5C%2Fn%22%2C%22gr.+Fl.%22%2C%22gro%5Cu00dfe%22%2C%22gro%5Cu00dfen%22%2C%22gro%5Cu00dfer%22%2C%22gro%5Cu00dfes%22%2C%22halbe%22%2C%22Halm%28e%29%22%2C%22Handvoll%22%2C%22K%5Cu00e4stchen%22%2C%22kg%22%2C%22kl.+Bund%22%2C%22kl.+Dose%5C%2Fn%22%2C%22kl.+Glas%22%2C%22kl.+Kopf%22%2C%22kl.+Scheibe%28n%29%22%2C%22kl.+St%5Cu00fcck%28e%29%22%2C%22kl.Flasche%5C%2Fn%22%2C%22kleine%22%2C%22kleinen%22%2C%22kleiner%22%2C%22kleines%22%2C%22Knolle%5C%2Fn%22%2C%22Kopf%22%2C%22K%5Cu00f6pfe%22%2C%22K%5Cu00f6rner%22%2C%22Kugel%22%2C%22Kugel%5C%2Fn%22%2C%22Kugeln%22%2C%22Liter%22%2C%22m.-gro%5Cu00dfe%22%2C%22m.-gro%5Cu00dfer%22%2C%22m.-gro%5Cu00dfes%22%2C%22mehr%22%2C%22mg%22%2C%22ml%22%2C%22Msp.%22%2C%22n.+B.%22%2C%22Paar%22%2C%22Paket%22%2C%22Pck.%22%2C%22Pkt.%22%2C%22Platte%5C%2Fn%22%2C%22Port.%22%2C%22Prise%28n%29%22%2C%22Prisen%22%2C%22Prozent+%25%22%2C%22Riegel%22%2C%22Ring%5C%2Fe%22%2C%22Rippe%5C%2Fn%22%2C%22Rolle%28n%29%22%2C%22Sch%5Cu00e4lchen%22%2C%22Scheibe%5C%2Fn%22%2C%22Schuss%22%2C%22Spritzer%22%2C%22Stange%5C%2Fn%22%2C%22St%5Cu00e4ngel%22%2C%22Stiel%5C%2Fe%22%2C%22Stiele%22%2C%22St%5Cu00fcck%28e%29%22%2C%22Tafel%22%2C%22Tafeln%22%2C%22Tasse%22%2C%22Tasse%5C%2Fn%22%2C%22Teil%5C%2Fe%22%2C%22TL%22%2C%22TL+%28geh%5Cu00e4uft%29%22%2C%22TL+%28gestr.%29%22%2C%22Topf%22%2C%22Tropfen%22%2C%22Tube%5C%2Fn%22%2C%22T%5Cu00fcte%5C%2Fn%22%2C%22viel%22%2C%22wenig%22%2C%22W%5Cu00fcrfel%22%2C%22Wurzel%22%2C%22Wurzel%5C%2Fn%22%2C%22Zehe%5C%2Fn%22%2C%22Zweig%5C%2Fe%22%5D%2C%22yield%22%3A%7B%221%22%3A%221+Portion%22%2C%222%22%3A%222+Portionen%22%2C%223%22%3A%223+Portionen%22%2C%224%22%3A%224+Portionen%22%2C%225%22%3A%225+Portionen%22%2C%226%22%3A%226+Portionen%22%2C%227%22%3A%227+Portionen%22%2C%228%22%3A%228+Portionen%22%2C%229%22%3A%229+Portionen%22%2C%2210%22%3A%2210+Portionen%22%2C%2211%22%3A%2211+Portionen%22%2C%2212%22%3A%2212+Portionen%22%7D%2C%22prepare_time%22%3A%7B%221%22%3A%22schnell%22%2C%222%22%3A%22mittel%22%2C%223%22%3A%22aufwendig%22%7D%2C%22category%22%3A%7B%221%22%3A%22Vorspeise%22%2C%222%22%3A%22Suppe%22%2C%223%22%3A%22Salat%22%2C%224%22%3A%22Hauptspeise%22%2C%225%22%3A%22Beilage%22%2C%226%22%3A%22Nachtisch%5C%2FDessert%22%2C%227%22%3A%22Getr%5Cu00e4nke%22%2C%228%22%3A%22B%5Cu00fcffet%22%2C%229%22%3A%22Fr%5Cu00fchst%5Cu00fcck%5C%2FBrunch%22%7D%2C%22variety%22%3A%7B%221%22%3A%22Basmati+Reis%22%2C%222%22%3A%22Basmati+%26amp%3B+Wild+Reis%22%2C%223%22%3A%22R%5Cu00e4ucherreis%22%2C%224%22%3A%22Jasmin+Reis%22%2C%225%22%3A%221121+Basmati+Wunderreis%22%2C%226%22%3A%22Spitzen+Langkorn+Reis%22%2C%227%22%3A%22Wildreis%22%2C%228%22%3A%22Naturreis%22%2C%229%22%3A%22Sushi+Reis%22%7D%2C%22tag--ingredient%22%3A%7B%221%22%3A%22Eier%22%2C%222%22%3A%22Gem%5Cu00fcse%22%2C%223%22%3A%22Getreide%22%2C%224%22%3A%22Fisch%22%2C%225%22%3A%22Fleisch%22%2C%226%22%3A%22Meeresfr%5Cu00fcchte%22%2C%227%22%3A%22Milchprodukte%22%2C%228%22%3A%22Obst%22%2C%229%22%3A%22Salat%22%7D%2C%22tag--preparation%22%3A%7B%2210%22%3A%22Backen%22%2C%2211%22%3A%22Blanchieren%22%2C%2212%22%3A%22Braten%5C%2FSchmoren%22%2C%2213%22%3A%22D%5Cu00e4mpfen%5C%2FD%5Cu00fcnsten%22%2C%2214%22%3A%22Einmachen%22%2C%2215%22%3A%22Frittieren%22%2C%2216%22%3A%22Gratinieren%5C%2F%5Cu00dcberbacken%22%2C%2217%22%3A%22Grillen%22%2C%2218%22%3A%22Kochen%22%7D%2C%22tag--kitchen%22%3A%7B%2219%22%3A%22Afrikanisch%22%2C%2220%22%3A%22Alpenk%5Cu00fcche%22%2C%2221%22%3A%22Asiatisch%22%2C%2222%22%3A%22Deutsch+%28regional%29%22%2C%2223%22%3A%22Franz%5Cu00f6sisch%22%2C%2224%22%3A%22Mediterran%22%2C%2225%22%3A%22Orientalisch%22%2C%2226%22%3A%22Osteurop%5Cu00e4isch%22%2C%2227%22%3A%22Skandinavisch%22%2C%2228%22%3A%22S%5Cu00fcdamerikanisch%22%2C%2229%22%3A%22US-Amerikanisch%22%2C%2230%22%3A%22%22%7D%2C%22tag--difficulty%22%3A%7B%2231%22%3A%22Einfach%22%2C%2232%22%3A%22Mittelschwer%22%2C%2233%22%3A%22Anspruchsvoll%22%7D%2C%22tag--feature%22%3A%7B%2234%22%3A%22Gut+vorzubereiten%22%2C%2235%22%3A%22Kalorienarm+%5C%2F+leicht%22%2C%2236%22%3A%22Klassiker%22%2C%2237%22%3A%22Preiswert%22%2C%2238%22%3A%22Raffiniert%22%2C%2239%22%3A%22Vegetarisch+%5C%2F+Vegan%22%2C%2240%22%3A%22Vitaminreich%22%2C%2241%22%3A%22Vollwert%22%2C%2242%22%3A%22%22%7D%2C%22tag%22%3A%7B%221%22%3A%22Eier%22%2C%222%22%3A%22Gem%5Cu00fcse%22%2C%223%22%3A%22Getreide%22%2C%224%22%3A%22Fisch%22%2C%225%22%3A%22Fleisch%22%2C%226%22%3A%22Meeresfr%5Cu00fcchte%22%2C%227%22%3A%22Milchprodukte%22%2C%228%22%3A%22Obst%22%2C%229%22%3A%22Salat%22%2C%2210%22%3A%22Backen%22%2C%2211%22%3A%22Blanchieren%22%2C%2212%22%3A%22Braten%5C%2FSchmoren%22%2C%2213%22%3A%22D%5Cu00e4mpfen%5C%2FD%5Cu00fcnsten%22%2C%2214%22%3A%22Einmachen%22%2C%2215%22%3A%22Frittieren%22%2C%2216%22%3A%22Gratinieren%5C%2F%5Cu00dcberbacken%22%2C%2217%22%3A%22Grillen%22%2C%2218%22%3A%22Kochen%22%2C%2219%22%3A%22Afrikanisch%22%2C%2220%22%3A%22Alpenk%5Cu00fcche%22%2C%2221%22%3A%22Asiatisch%22%2C%2222%22%3A%22Deutsch+%28regional%29%22%2C%2223%22%3A%22Franz%5Cu00f6sisch%22%2C%2224%22%3A%22Mediterran%22%2C%2225%22%3A%22Orientalisch%22%2C%2226%22%3A%22Osteurop%5Cu00e4isch%22%2C%2227%22%3A%22Skandinavisch%22%2C%2228%22%3A%22S%5Cu00fcdamerikanisch%22%2C%2229%22%3A%22US-Amerikanisch%22%2C%2230%22%3A%22%22%2C%2231%22%3A%22Einfach%22%2C%2232%22%3A%22Mittelschwer%22%2C%2233%22%3A%22Anspruchsvoll%22%2C%2234%22%3A%22Gut+vorzubereiten%22%2C%2235%22%3A%22Kalorienarm+%5C%2F+leicht%22%2C%2236%22%3A%22Klassiker%22%2C%2237%22%3A%22Preiswert%22%2C%2238%22%3A%22Raffiniert%22%2C%2239%22%3A%22Vegetarisch+%5C%2F+Vegan%22%2C%2240%22%3A%22Vitaminreich%22%2C%2241%22%3A%22Vollwert%22%2C%2242%22%3A%22%22%7D%7D%2C%22errorArray%22%3A%7B%22recipe_prepare_time%22%3A%22error%22%2C%22recipe_yield%22%3A%22error%22%2C%22recipe_category_name%22%3A%22error%22%2C%22recipe_tag_name%22%3A%22error%22%2C%22recipe_instruction_text%22%3A%22error%22%2C%22recipe_ingredient_name%22%3A%22error%22%7D%2C%22errorMessage%22%3A%22Bitte+f%5Cu00fclle+die+rot+markierten+Felder+korrekt+aus.%22%2C%22db%22%3A%7B%22query_count%22%3A20%7D%7D' => 'http://foo.bar/tpl_preview.php?pid=122&json={"recipe_id":-1,"recipe_created":"","recipe_title":"vxcvxc","recipe_description":"","recipe_yield":0,"recipe_prepare_time":0,"recipe_image":"","recipe_legal":0,"recipe_live":0,"recipe_user_guid":"","recipe_category_id":[],"recipe_category_name":[],"recipe_variety_id":[],"recipe_variety_name":[],"recipe_tag_id":[],"recipe_tag_name":[],"recipe_instruction_id":[],"recipe_instruction_text":[],"recipe_ingredient_id":[],"recipe_ingredient_name":[],"recipe_ingredient_amount":[],"recipe_ingredient_unit":[],"formMatchingArray":{"unites":["Becher","Beete","Beutel","Blatt","Blätter","Bund","Bündel","cl","cm","dicke","dl","Dose","Dose\/n","dünne","Ecke(n)","Eimer","einige","einige Stiele","EL","EL, gehäuft","EL, gestr.","etwas","evtl.","extra","Fläschchen","Flasche","Flaschen","g","Glas","Gläser","gr. Dose\/n","gr. Fl.","große","großen","großer","großes","halbe","Halm(e)","Handvoll","Kästchen","kg","kl. Bund","kl. Dose\/n","kl. Glas","kl. Kopf","kl. Scheibe(n)","kl. Stück(e)","kl.Flasche\/n","kleine","kleinen","kleiner","kleines","Knolle\/n","Kopf","Köpfe","Körner","Kugel","Kugel\/n","Kugeln","Liter","m.-große","m.-großer","m.-großes","mehr","mg","ml","Msp.","n. B.","Paar","Paket","Pck.","Pkt.","Platte\/n","Port.","Prise(n)","Prisen","Prozent %","Riegel","Ring\/e","Rippe\/n","Rolle(n)","Schälchen","Scheibe\/n","Schuss","Spritzer","Stange\/n","Stängel","Stiel\/e","Stiele","Stück(e)","Tafel","Tafeln","Tasse","Tasse\/n","Teil\/e","TL","TL (gehäuft)","TL (gestr.)","Topf","Tropfen","Tube\/n","Tüte\/n","viel","wenig","Würfel","Wurzel","Wurzel\/n","Zehe\/n","Zweig\/e"],"yield":{"1":"1 Portion","2":"2 Portionen","3":"3 Portionen","4":"4 Portionen","5":"5 Portionen","6":"6 Portionen","7":"7 Portionen","8":"8 Portionen","9":"9 Portionen","10":"10 Portionen","11":"11 Portionen","12":"12 Portionen"},"prepare_time":{"1":"schnell","2":"mittel","3":"aufwendig"},"category":{"1":"Vorspeise","2":"Suppe","3":"Salat","4":"Hauptspeise","5":"Beilage","6":"Nachtisch\/Dessert","7":"Getränke","8":"Büffet","9":"Frühstück\/Brunch"},"variety":{"1":"Basmati Reis","2":"Basmati & Wild Reis","3":"Räucherreis","4":"Jasmin Reis","5":"1121 Basmati Wunderreis","6":"Spitzen Langkorn Reis","7":"Wildreis","8":"Naturreis","9":"Sushi Reis"},"tag--ingredient":{"1":"Eier","2":"Gemüse","3":"Getreide","4":"Fisch","5":"Fleisch","6":"Meeresfrüchte","7":"Milchprodukte","8":"Obst","9":"Salat"},"tag--preparation":{"10":"Backen","11":"Blanchieren","12":"Braten\/Schmoren","13":"Dämpfen\/Dünsten","14":"Einmachen","15":"Frittieren","16":"Gratinieren\/Überbacken","17":"Grillen","18":"Kochen"},"tag--kitchen":{"19":"Afrikanisch","20":"Alpenküche","21":"Asiatisch","22":"Deutsch (regional)","23":"Französisch","24":"Mediterran","25":"Orientalisch","26":"Osteuropäisch","27":"Skandinavisch","28":"Südamerikanisch","29":"US-Amerikanisch","30":""},"tag--difficulty":{"31":"Einfach","32":"Mittelschwer","33":"Anspruchsvoll"},"tag--feature":{"34":"Gut vorzubereiten","35":"Kalorienarm \/ leicht","36":"Klassiker","37":"Preiswert","38":"Raffiniert","39":"Vegetarisch \/ Vegan","40":"Vitaminreich","41":"Vollwert","42":""},"tag":{"1":"Eier","2":"Gemüse","3":"Getreide","4":"Fisch","5":"Fleisch","6":"Meeresfrüchte","7":"Milchprodukte","8":"Obst","9":"Salat","10":"Backen","11":"Blanchieren","12":"Braten\/Schmoren","13":"Dämpfen\/Dünsten","14":"Einmachen","15":"Frittieren","16":"Gratinieren\/Überbacken","17":"Grillen","18":"Kochen","19":"Afrikanisch","20":"Alpenküche","21":"Asiatisch","22":"Deutsch (regional)","23":"Französisch","24":"Mediterran","25":"Orientalisch","26":"Osteuropäisch","27":"Skandinavisch","28":"Südamerikanisch","29":"US-Amerikanisch","30":"","31":"Einfach","32":"Mittelschwer","33":"Anspruchsvoll","34":"Gut vorzubereiten","35":"Kalorienarm \/ leicht","36":"Klassiker","37":"Preiswert","38":"Raffiniert","39":"Vegetarisch \/ Vegan","40":"Vitaminreich","41":"Vollwert","42":""}},"errorArray":{"recipe_prepare_time":"error","recipe_yield":"error","recipe_category_name":"error","recipe_tag_name":"error","recipe_instruction_text":"error","recipe_ingredient_name":"error"},"errorMessage":"Bitte fülle die rot markierten Felder korrekt aus.","db":{"query_count":20}}' |
||
| 30 | ); |
||
| 31 | |||
| 32 | foreach ($testArray as $before => $after) { |
||
| 33 | self::assertEquals($after, $this->security->xss_clean($before), 'testing: ' . $before); |
||
| 34 | } |
||
| 35 | } |
||
| 36 | |||
| 37 | public function test_no_xss() |
||
| 38 | { |
||
| 39 | $testArray = array( |
||
| 40 | '<meta name="viewport" content="width=device-width, initial-scale=1.0, minimal-ui">' => '<meta name="viewport" content="width=device-width, initial-scale=1.0, minimal-ui">', |
||
| 41 | '<meta property="og:description" content="Lars Moelleken: Webentwickler & Sysadmin aus Krefeld" />' => '<meta property="og:description" content="Lars Moelleken: Webentwickler & Sysadmin aus Krefeld" />', |
||
| 42 | '<style type="text/css">html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}</style>' => '<style type="text/css">html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}</style>', |
||
| 43 | '<nav class="top-bar" data-topbar data-options="back_text: Zurück"><ul><li>foo</li><li>bar</li></ul></nav>' => '<nav class="top-bar" data-topbar data-options="back_text: Zurück"><ul><li>foo</li><li>bar</li></ul></nav>', |
||
| 44 | '<link href="//fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css"/>' => '<link href="//fonts.googleapis.com/css?family=Open Sans" rel="stylesheet" type="text/css"/>', |
||
| 45 | '<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>' => '', |
||
| 46 | '<!--[if lt IE 9]><script src="http://moelleken.org/vendor/bower/nwmatcher/src/nwmatcher.js"></script><![endif]-->' => '<!--[if lt IE 9]><![endif]-->', |
||
| 47 | '<a href="http://suckup.de/about" target="_blank">About</a>' => '<a href="http://suckup.de/about" target="_blank">About</a>', |
||
| 48 | "<a href='http://suckup.de/about' target='_blank'>About</a>" => "<a href='http://suckup.de/about' target='_blank'>About</a>", |
||
| 49 | '<a href="http://moelleken.org/Kontakt/" class="mail"><i class="fa fa-envelope fa-3x"></i></a>' => '<a href="http://moelleken.org/Kontakt/" class="mail"><i class="fa fa-envelope fa-3x"></i></a>', |
||
| 50 | '<a href="https://plus.google.com/u/0/115714615799970937533/about" rel="me" target="_blank" title="Add Me To Your Circle"><i class="fa fa-google-plus fa-3x"></i></a>' => '<a href="https://plus.google.com/u/0/115714615799970937533/about" rel="me" target="_blank" title="Add Me To Your Circle"><i class="fa fa-google-plus fa-3x"></i></a>', |
||
| 51 | 'eval is evil and xss is bad, but this is only a string : onerror ...' => 'eval is evil and xss is bad, but this is only a string : onerror ...', |
||
| 52 | ); |
||
| 53 | |||
| 54 | foreach ($testArray as $before => $after) { |
||
| 55 | self::assertEquals($after, $this->security->xss_clean($before), 'testing: ' . $before); |
||
| 56 | } |
||
| 57 | } |
||
| 58 | |||
| 59 | public function test_xss_clean() |
||
| 60 | { |
||
| 61 | $harm_string = "Hello, i try to <script>alert('Hack');</script> your site"; |
||
| 62 | |||
| 63 | $harmless_string = $this->security->xss_clean($harm_string); |
||
| 64 | |||
| 65 | self::assertEquals("Hello, i try to alert('Hack'); your site", $harmless_string); |
||
| 66 | } |
||
| 67 | |||
| 68 | public function test_xss_clean_string_array() |
||
| 69 | { |
||
| 70 | $harmStrings = array( |
||
| 71 | "Hello, i try to <script>alert('Hack');</script> your site" => "Hello, i try to [removed]alert('Hack');[removed] your site", |
||
| 72 | 'Simple clean string' => 'Simple clean string', |
||
| 73 | "Hello, i try to <script>alert('Hack')</script> your site" => "Hello, i try to [removed]alert('Hack')[removed] your site", |
||
| 74 | '<a href="http://test.com?param1="+onMouseOver%3D"alert%281%29%3B&step=2¶m12=A">test</a>' => '<a href="http://test.com?param1=">test</a>', |
||
| 75 | '<a href="http://test.com?param1=lall&colon=foo;">test</a>' => '<a href="http://test.com?param1=lall&colon=foo;">test</a>', |
||
| 76 | '<a href="http://test.com?param1=lall:=foo;">test</a>' => '<a href="http://test.com?param1=lall:=foo;">test</a>', |
||
| 77 | ); |
||
| 78 | |||
| 79 | $this->security->setReplacement('[removed]'); |
||
| 80 | foreach ($harmStrings as $before => $after) { |
||
| 81 | self::assertEquals($after, $this->security->xss_clean($before), 'testing: ' . $before); |
||
| 82 | } |
||
| 83 | |||
| 84 | $this->security->setReplacement(''); |
||
| 85 | } |
||
| 86 | |||
| 87 | public function test_xss_clean_image_valid() |
||
| 88 | { |
||
| 89 | $harm_string = '<img src="test.png">'; |
||
| 90 | |||
| 91 | $xss_clean_return = $this->security->xss_clean($harm_string, true); |
||
| 92 | |||
| 93 | self::assertTrue($xss_clean_return); |
||
| 94 | } |
||
| 95 | |||
| 96 | public function test_xss_clean_image_invalid() |
||
| 97 | { |
||
| 98 | $harm_string = '<img src=javascript:alert(String.fromCharCode(88,83,83))>'; |
||
| 99 | |||
| 100 | $xss_clean_return = $this->security->xss_clean($harm_string, true); |
||
| 101 | |||
| 102 | self::assertFalse($xss_clean_return); |
||
| 103 | } |
||
| 104 | |||
| 105 | public function test_xss_hash() |
||
| 109 | |||
| 110 | public function testXssClean() |
||
| 111 | { |
||
| 112 | // \v (vertical whitespace) isn't working on travis-ci ? |
||
| 113 | |||
| 114 | $testArray = array( |
||
| 115 | '<div BACKGROUND="mocha:alert(\'XSS\')"> |
||
| 116 | <!-- image:xss --> |
||
| 117 | <IMG SRC=javascript:alert('XSS')> |
||
| 118 | <IMG SRC="jav	ascript:alert(\'XSS\');"> |
||
| 119 | <!-- file:xss --> |
||
| 120 | <script SRC="http://absynth.de/x.js"></script> |
||
| 121 | <layer SRC="http://absynth.de/x.js"></layer> |
||
| 122 | <!-- style:xss --> |
||
| 123 | <LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');"> |
||
| 124 | <DIV STYLE="background-image: url(javascript:alert(\'XSS\')"> |
||
| 125 | <div style=background-image:expression(alert(\'XSS\'));">lall</div> |
||
| 126 | </div> |
||
| 127 | </div>' => '<div BACKGROUND="alert(\'XSS\')"> |
||
| 128 | <!-- image:xss --> |
||
| 129 | <IMG > |
||
| 130 | <> |
||
| 131 | & SRC="http://absynth.de/x.js"></layer> |
||
| 132 | <!-- style:xss --> |
||
| 133 | <LINK REL="stylesheet" HREF="alert(\'XSS\');"> |
||
| 134 | <DIV =background-image:alert(\'XSS\'));">lall</div> |
||
| 135 | </div> |
||
| 136 | </div>', |
||
| 137 | '<img/src=">" onerror=alert(1)> |
||
| 138 | <button/a=">" autofocus onfocus=alert(1(></button> |
||
| 139 | <button a=">" autofocus onfocus=alert(1(>' => '<img/>" > |
||
| 140 | <>" ></> |
||
| 141 | <>" >', // autofocus trick | https://html5sec.org/#7 |
||
| 142 | 'http://vulnerable.info/poc/poc.php?foo=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E' => 'http://vulnerable.info/poc/poc.php?foo=<svg>/<1/>alert(document.domain)</svg>', |
||
| 143 | '"><svg><script>/<@/>alert(1337)</script>' => '"><svg>/<@/>alert(1337)', // Bypassing Chrome’s Anti-XSS Filter | 2015: http://vulnerable.info/bypassing-chromes-anti-xss-filter/ |
||
| 144 | 'Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3csvg%2fonload%3dalert%28document%2edomain%29%3e%3b%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f' => 'Location: https://www.google.com:443/cse/tools/create_onthefly;</textarea><svg/>;/../../../../../../../../../../../../../../', // Google XSS in IE | 2015: http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html |
||
| 145 | '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/></feImage> </svg>' => '<svg :xlink="http://www.w3.org/1999/xlink"><feImage> <set attributeName="xlink:href" to=PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg=="/></feImage> </svg>', // SVG-XSS | https://html5sec.org/#95 |
||
| 146 | '<a target="_blank" href="data:text/html;BASE64youdummy,PHNjcmlwdD5hbGVydCh3aW5kb3cub3BlbmVyLmRvY3VtZW50LmRvY3VtZW50RWxlbWVudC5pbm5lckhUTUwpPC9zY3JpcHQ+">clickme in firefox</a><a/\'\'\' target="_blank" href=data:text/html;;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>' => '<a target="_blank">clickme in firefox</a><a/\'\'\' target="_blank">firefox11</a>', // data: URI with base64 encoding bypass exploiting Firefox | 2012: https://bugzilla.mozilla.org/show_bug.cgi?id=255107 |
||
| 147 | 'http://securitee.tk/files/chrome_xss.php?a=<script>void(\'&b=\');alert(1);</script>' => 'http://securitee.tk/files/chrome_xss.php?a=void(\'&b=\');alert(1);', // Bypassing Chrome’s Anti-XSS filter | 2012: http://blog.securitee.org/?p=37 |
||
| 148 | 'with(document)body.appendChild(createElement(\'iframe onload=alert(1)>\')),body.innerHTML+=\'\'' => 'with(document)body.appendChild(createElement(\'iframe alert(1)>\')),body =\'\'', // IE11 in IE8 docmode #mxss | https://twitter.com/0x6D6172696F/status/626379000181596160 |
||
| 149 | 'http://www.nowvideo.sx/share.php?id=foobar&title=\'\';with(document)body.appendChild(createElement(\\\'iframe onload =alert(1)>\\\')),body.innerHTML+=\\\'\\\'//\\\';with(document)body.appendChild(createElement(\\\'iframe onload=alert(1)>\\\')),body.innerHTML+=\\\'\\\'//";with(document)body.appendChild(createElement(\\\'iframe onload=alert(1)>\\\')),body.innerHTML+=\\\'\\\'//\";with(document)body.appendChild(createElement(\\\'iframe onload=alert(1)>\\\')),body.innerHTML+=\\\'\\\'//--></SCRIPT>">\'><SCRIPT>with(document)body.appendChild(createElement(\\\'iframe onload=alert(1)>\\\')),body.innerHTML+=\\\'\\\'</SCRIPT>=&{}' => 'http://www.nowvideo.sx/share.php?id=foobar&title=\'\';with(document)body.appendChild(createElement(\\\'iframe alert(1)>\\\')),body+=\\\'\\\'//\\\';with(document)body.appendChild(createElement(\\\'iframe alert(1)>\\\')),body+=\\\'\\\'//";with(document)body.appendChild(createElement(\\\'iframe alert(1)>\\\')),body+=\\\'\\\'//\";with(document)body.appendChild(createElement(\\\'iframe alert(1)>\\\')),body+=\\\'\\\'//-->">\'>with(document)body.appendChild(createElement(\\\'iframe alert(1)>\\\')),body =\\\'\\\'=', |
||
| 150 | '<!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///etc/passwd"> ]>' => '<!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///etc/passwd"> ]>', // XXE injection | http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html#xml-injection |
||
| 151 | '<!DOCTYPE foo [<!ENTITY xxe46471 SYSTEM "http://4mr71zbvk10c5vd1k074izfvbmhnxdi7xw.burpcollaborator.net"> ]>' => '<!DOCTYPE foo [<!ENTITY xxe46471 SYSTEM "http://4mr71zbvk10c5vd1k074izfvbmhnxdi7xw.burpcollaborator.net"> ]>', // XXE injection | 2015: http://blog.portswigger.net/2015/05/burp-suite-now-reports-blind-xxe.html |
||
| 152 | "<iframe name=alert(1) src=\"//somedomain?x=',__defineSetter__('x',eval),x=name,'\"></iframe>" => '<iframe name=alert(1) src="//somedomain?x=\',__defineSetter__(\'x\',eval),x=name,\'"></iframe>', |
||
| 153 | "<script>x = '',__defineSetter__('x',alert),x=1,'';</script>" => 'x = \'\',__defineSetter__(\'x\',alert),x=1,\'\';', // NoScript XSS filter bypass | 2015: http://blog.portswigger.net/2015/07/noscript-xss-filter-bypass.html |
||
| 154 | '"><a href="JAVASCRIPT:%E2%80%A8alert`1`">CLICKME' => '"><a href=" alert`1`">CLICKME', // NoScript XSS filter bypass | 2015: https://twitter.com/0x6D6172696F/status/623081477002014720?s=02 |
||
| 155 | '<div id="b" style="font-family:a/**/ression(alert(1))(\'\\\')exp\\\')">aa</div>' => '<div id="b" >aa</div>', // IE | 2014: http://wooyun.org/bugs/wooyun-2014-068564 |
||
| 156 | '<a href="jar:http://SEVER/flash3.bin!/flash3.swf">xss</a>' => '<a href="http://SEVER/flash3.bin!/flash3.swf">xss</a>', // Firefox | 2007: https://bugzilla.mozilla.org/show_bug.cgi?id=369814 |
||
| 157 | '<li><a href="?bypass=%3Clink%20rel=%22import%22%20href=%22?bypass=%3Cscript%3Ealert(document.domain)%3C/script%3E%22%3E">Now click to execute arbitrary JS</a></li>' => '<li><a href="?bypass=link rel=">alert(document.domain)">">Now click to execute arbitrary JS</a></li>', // Chrome 33 | 2015: view-source:https://html5sec.org/test/bypass |
||
| 158 | '<scr<script>ipt>alert(1)</sc<script>ri<script>pt>' => 'alert(1)', // 2015: https://frederic-hemberger.de/talks/froscon-xss/#/17 |
||
| 159 | '<svg </onload ="1> (_=alert,_(1337)) "">' => '<svg </> (_=alert,_(1337)) "">', |
||
| 160 | '<svg><script>/<@/>alert(1)</script>' => '<svg>/<@/>alert(1)', |
||
| 161 | '<svg/onload=alert`xss`>' => '<svg/>', // FF34+, Edge | 2015 | https://www.davidsopas.com/win-50-amazon-gift-card-with-a-xss-challenge/ |
||
| 162 | '<p/onclick=alert(/xss/)>a' => '<p/>a', |
||
| 163 | '<iframe/src=//14.rs>' => '<iframe/src=//14.rs>', |
||
| 164 | '<p/oncut=alert`xss`>x' => '<p/>x', |
||
| 165 | '<svg/onload=alert(/XSS/)>' => '<svg/>', // FF40 | 2015 | https://www.davidsopas.com/win-50-amazon-gift-card-with-a-xss-challenge/ |
||
| 166 | '<http://onclick%3d1/alert%601%60//' => '<http://', // 2015 | https://twitter.com/brutelogic/status/673098162635202560 |
||
| 167 | 'http://www.wolframalpha.com/input/?i=1&n=%22%3E%3Cscript%20src=//3237054390/1%3E' => 'http://www.wolframalpha.com/input/?i=1&n=">', // 2015 | https://twitter.com/brutelogic/status/671740844450426880 |
||
| 168 | '<svg onload=1?alert(9):0>' => '<svg >', // 2015 | https://twitter.com/brutelogic/status/669852435209416704 |
||
| 169 | '<brute contenteditable onblur=alert(1)>lose focus!<brute onclick=alert(1)>click this!<brute oncopy=alert(1)>copy this!<brute oncontextmenu=alert(1)>right click this!<brute oncut=alert(1)>copy this!<brute ondblclick=alert(1)>double click this!<brute ondrag=alert(1)>drag this!<brute contenteditable onfocus=alert(1)>focus this!<brute contenteditable oninput=alert(1)>input here!<brute contenteditable onkeydown=alert(1)>press any key!<brute contenteditable onkeypress=alert(1)>press any key!<brute contenteditable onkeyup=alert(1)>press any key!<brute onmousedown=alert(1)>click this!<brute onmousemove=alert(1)>hover this!<brute onmouseout=alert(1)>hover this!<brute onmouseover=alert(1)>hover this!<brute onmouseup=alert(1)>click this!<brute contenteditable onpaste=alert(1)>paste here!<brute style=font-size:500px onmouseover=alert(1)>0000' => '<brute contenteditable >lose focus!<brute >click this!<brute >copy this!<brute >right click this!<brute >copy this!<brute >double click this!<brute >drag this!<brute contenteditable >focus this!<brute contenteditable >input here!<brute contenteditable >press any key!<brute contenteditable >press any key!<brute contenteditable >press any key!<brute >click this!<brute >hover this!<brute >hover this!<brute >hover this!<brute >click this!<brute contenteditable >paste here!<brute >0000', // 2015 | http://brutelogic.com.br/blog/agnostic-event-handlers/ |
||
| 170 | '<x contextmenu=">"><acronym%0Cx=""%09oncut+=%09d=document;a=d.createElement("a");a.href="img/hacked1.jpg";a.download="open.me";d.body.appendChild(a);a.click()+><option><input type=submit>' => '<x contextmenu=">"><acronymx="" ><option><input type=submit>', // http://brutelogic.com.br/webgun/ |
||
| 171 | '<h1/onclick=alert(1)>a' => '<h1/>a', |
||
| 172 | '")}alert(/XSS/);{//' => '")}alert(/XSS/);{//', |
||
| 173 | '<svg onload=alert(1)>' => '<svgalert(1)>', // 2015: https://twitter.com/ret2libc/status/635923671681507328 |
||
| 174 | "<style onload='execScript(/**/\"\x61lert( 1)\",\"j\x61vascript\");'>" => '<style 1)","javascript");\'>', // IE | 2015: https://twitter.com/soaj1664ashar/status/635040931289370624 |
||
| 175 | '<script>alert `1`</script>' => '< script>alert `1`', |
||
| 176 | '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>' => '<form id="test"></form><button action="alert(1)">X</button>', |
||
| 177 | '<input onfocus=write(1) autofocus>' => '<input autofocus>', |
||
| 178 | '<input onblur=write(1) autofocus><input autofocus>' => '<input autofocus><input autofocus>', |
||
| 179 | '<video poster=javascript:alert(1)//></video>' => '<video poster=alert(1)//></video>', |
||
| 180 | '<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>' => '<body ><br><br><br><br><br><br>...<br><br><br><br><input autofocus>', |
||
| 181 | '<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>' => '<form id=test ><input></form><button >X</button>', |
||
| 182 | '<video><source onerror="alert(1)">' => '<video><source >', |
||
| 183 | '<video onerror="alert(1)"><source></source></video>' => '<video ><source></source></video>', |
||
| 184 | '<form><button formaction="javascript:alert(1)">X</button>' => '<form><button >X</button>', |
||
| 185 | '<body oninput=alert(1)><input autofocus>' => '<body ><input autofocus>', |
||
| 186 | '<math href="javascript:alert(1)">CLICKME</math>' => '<math href="alert(1)">CLICKME</math>', |
||
| 187 | '<math> <!-- up to FF 13 --> <maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction> <!-- FF 14+ --> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>' => '<math> <!-- up to FF 13 --> <maction actiontype="statusline#http://google.com" ="alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>', |
||
| 188 | '<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">' => '< img[a][b]src=x[d][e]"alert(1)">', |
||
| 189 | '<a href="[a]java[b]script[c]:alert(1)">XXX</a>' => '<a >XXX</a>', |
||
| 190 | '<form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="injected" value="injected" dirname="password" /> <input type="submit"> </form>' => '<form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="injected" value="injected" dirname="password" /> <input type="submit"> </form>', |
||
| 191 | '<link rel="import" href="test.svg" />' => '<link rel="import" href="test.svg" />', |
||
| 192 | '<iframe srcdoc="<img src=x:x onerror=alert(1)>" />' => '<iframe srcdoc="<img >" />', |
||
| 193 | '<picture><source srcset="x"><img onerror="alert(1)"></picture>' => '<picture><source srcset="x"><img ></>', |
||
| 194 | '<picture><img srcset="x" onerror="alert(1)"></picture>' => '<picture><img srcset="x" ></picture>', |
||
| 195 | '<img srcset=",,,,,x" onerror="alert(1)">' => '<img srcset=",,,,,x" >', |
||
| 196 | '<table background="javascript:alert(1)"></table>' => '<table background="alert(1)"></table>', |
||
| 197 | '<comment><img src="</comment><img src=x onerror=alert(1)//">' => '<comment>< >< >', |
||
| 198 | '<![><img src="]><img src=x onerror=alert(1)//">' => '<![>< >< >', // up to Opera 11.52, FF 3.6.28 |
||
| 199 | '<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>' => '<svg><![CDATA[><image ><img ></>', // IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ |
||
| 200 | '<img src onerror /" \'"= alt=alert(1)//">' => '<img >', |
||
| 201 | '<style><img src="</style><img src=x onerror=alert(1)//">' => '<style>< >< >', |
||
| 202 | '<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>' => '<head><base href="//"/></head><body><a >XXX</a></body>', |
||
| 203 | '<SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>' => 'alert(1)', |
||
| 204 | '<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>' => '<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="alert(1)"></OBJECT>', |
||
| 205 | '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>' => '<object data=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>', |
||
| 206 | '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>' => '<embed src=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>', |
||
| 207 | '<b <script>alert(1)//</script>0</script></b>' => '<b alert(1)//0</b>', |
||
| 208 | '<// style=x:expression\28write(1)\29>' => '<// >', // IE7 |
||
| 209 | '<style>*{x:expression(write(1))}</style>' => '<style>*{x:expression(write(1))}</style>', // IE6 |
||
| 210 | '<div style="background:url(test5.svg)">PRESS ENTER</div>' => '<div >PRESS ENTER</div>', // Up to Opera 12.x |
||
| 211 | '<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>' => '<?xml-stylesheet type="text/css"?><root >', // IE7 |
||
| 212 | '<?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>' => '<?xml-stylesheet type="text/css" href="data:,*{x:write(2));}"?>', // IE8 -> IE10 |
||
| 213 | '<x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x"/>' => '<x xmlns:ev="http://www.w3.org/2001/xml-events" "load" "alert(1)//#x"/>', |
||
| 214 | '<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>' => '<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>', |
||
| 215 | '<!-- `<img/src=xx:xx onerror=alert(1)//--!>' => '<!-- `<img/>', |
||
| 216 | '<title onpropertychange=alert(1)></title><title title=></title>' => '<title ></title><title title=></title>', |
||
| 217 | '<iframe src="data:text/html,<iframe src=\'data:text/html,%26lt;iframe onload=alert(1)>\'>"></iframe>' => '< iframe src="data:text/html,<iframe src=\'data:text/html,<iframe >\'>"></iframe>', |
||
| 218 | '<!--<img src="--><img src=x onerror=alert(1)//">' => '<!--<img >', |
||
| 219 | '<frameset onload=alert(1)>' => '< frameset >', |
||
| 220 | '<body oninput=alert(1)><input autofocus>' => '< body >< input autofocus>', |
||
| 221 | '<video poster=javascript:alert(1)//></video>' => '< video poster=alert(1)//></video>', |
||
| 222 | '<a style="-o-link:\'javascript:alert(1)\';-o-link-source:current">X</a>' => '<a >X</a>', |
||
| 223 | '<a href="applescript://com.apple.scripteditor?action=new&script=display%20dialog%20%22Hello%2C%20World%21%22">applescript</a>' => '<a href="//com.apple.scripteditor?action=new&script=display%20dialog%20%22Hello%2C%20World%21%22">applescript</a>', |
||
| 224 | '<a onmouseover="alert(document.cookie)">xxs</a>' => '<a >xxs</a>', |
||
| 225 | '<a onmouseover=alert(document.cookie)>xxs</a>' => '<a >xxs</a>', |
||
| 226 | '<a onerror="alert(document.cookie)">xxs</a>' => '<a >xxs</a>', |
||
| 227 | '<a onerror=`alert(document.cookie)`>xxs</a>' => '<a >xxs</a>', |
||
| 228 | '<a href=http://foo.bar STYLE=xss:expression(alert("XSS"))>xxs style</a>' => '<a >xxs style</a>', |
||
| 229 | '<SCRIPT>alert(\'XSS\');</SCRIPT>' => 'alert(\'XSS\');', |
||
| 230 | '\'\';!--"<XSS>=&{()}' => '\'\';!--"=', |
||
| 231 | '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' => '', |
||
| 232 | '<IMG SRC="javascript:alert(\'XSS\');">' => '<IMG >', |
||
| 233 | '<IMG SRC=javascript:alert(\'XSS\')>' => '<IMG >', |
||
| 234 | '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>' => '<IMG >', |
||
| 235 | '<IMG SRC=javascript:alert("XSS")>' => '<IMG >', |
||
| 236 | '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>' => '<IMG >', |
||
| 237 | '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' => '<IMG >', |
||
| 238 | 'SRC=
<IMG 6;avascript:alert('XSS')>' => 'SRC=
<IMG >', |
||
| 239 | '<IMG SRC=javascript:alert('XSS')>' => '<IMG >', |
||
| 240 | '<IMG SRC=javascript:alert('XSS')>' => '<IMG >', |
||
| 241 | '<IMG SRC="jav ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 242 | '<IMG SRC="jav	ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 243 | '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 244 | '<IMG SRC="  javascript:alert(\'XSS\');">' => '<IMG >', |
||
| 245 | '<IMG%0aSRC%0a=%0a"%0aj%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0at%0a:%0aa%0al%0ae%0ar%0at%0a(%0a\'%0aX%0aS%0aS%0a\'%0a)%0a"%0a>' => "<IMG\nSRC\n=\n\"\n\nalert\n(\n'\nX\nS\nS\n'\n)\n\"\n>", |
||
| 246 | '<IMG SRC=java%00script:alert(\"XSS\")>' => '<IMG >', |
||
| 247 | '<SCR%00IPT>alert(\"XSS\")</SCR%00IPT>' => 'alert(\"XSS\")', |
||
| 248 | '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '', |
||
| 249 | '<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>' => '', |
||
| 250 | '<IMG SRC="javascript:alert(\'XSS\')"' => '<IMG ', |
||
| 251 | '<SCRIPT>a=/XSS/' => 'a=/XSS/', |
||
| 252 | '\";alert(\'XSS\');//' => '\";alert(\'XSS\');//', |
||
| 253 | '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">' => '<INPUT TYPE="IMAGE" SRC="alert(\'XSS\');">', |
||
| 254 | '<BODY BACKGROUND="javascript:alert(\'XSS\')">' => '<BODY BACKGROUND="alert(\'XSS\')">', |
||
| 255 | '<BODY ONLOAD=alert(\'XSS\')>' => '<BODY >', |
||
| 256 | '<IMG DYNSRC="javascript:alert(\'XSS\')">' => '<IMG >', |
||
| 257 | '<IMG LOWSRC="javascript:alert(\'XSS\')">' => '<IMG >', |
||
| 258 | '<BGSOUND SRC="javascript:alert(\'XSS\');">' => '<IMG >', |
||
| 259 | '<BR SIZE="&{alert(\'XSS\')}">' => '', |
||
| 260 | '<DIV STYLE="width:' . "\n" . 'expression(alert(\'XSS\'));">' => '<DIV ' . "\n" . 'alert(\'XSS\'));">', |
||
| 261 | '<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>' => '<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>', |
||
| 262 | '<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">' => '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', |
||
| 263 | '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">' => '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', |
||
| 264 | '<link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d' => '<link rel=stylesheet href=data:,*{x:write(1))}', |
||
| 265 | '<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>' => '<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>', |
||
| 266 | '<style>p[foo=bar{}*{-o-link:\'javascript:alert(1)\'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>' => '<style>p[foo=bar{}*{-o-link:\'alert(1)\'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>', |
||
| 267 | '<DIV STYLE="width: expression(alert(\'XSS\'));">lall</div>' => '<DIV alert(\'XSS\'));">lall</div>', |
||
| 268 | '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">' => '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">', |
||
| 269 | '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>' => '<STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>', |
||
| 270 | '<IMG SRC=\'vbscript:msgbox("XSS")\'>' => '<IMG SRC=\'msgbox("XSS")\'>', |
||
| 271 | '<IMG SRC="mocha:[code]">' => '<IMG SRC="[code]">', |
||
| 272 | '<IMG SRC="livescript:[code]">' => '<IMG SRC="[code]">', |
||
| 273 | '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">' => '<META HTTP-EQUIV="refresh" CONTENT="PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', |
||
| 274 | '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">' => '<META HTTP-EQUIV="refresh" CONTENT="PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', |
||
| 275 | '<META HTTP-EQUIV="Link" Content="<javascript:alert(\'XSS\')>; REL=stylesheet">' => '<META HTTP-EQUIV="Link" Content="<alert(\'XSS\')>; REL=stylesheet">', |
||
| 276 | '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">' => '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert(\'XSS\');">', |
||
| 277 | '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>' => '<FRAMESET><FRAME SRC="alert(\'XSS\');"></FRAMESET>', |
||
| 278 | '<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>' => '<FRAMESET><FRAME SRC="alert(\'XSS\');"></FRAMESET>', |
||
| 279 | '<TABLE BACKGROUND="javascript:alert(\'XSS\')">' => '<TABLE BACKGROUND="alert(\'XSS\')">', |
||
| 280 | '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">' => '<DIV url(alert(\'XSS\'))">', |
||
| 281 | '<DIV STYLE="width: expression(alert(\'XSS\'));">' => '<DIV alert(\'XSS\'));">', |
||
| 282 | '<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>' => '<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>', |
||
| 283 | '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">' => '<IMG >', |
||
| 284 | '<XSS STYLE="xss:expression(alert(\'XSS\'))">' => '', |
||
| 285 | 'exp/*<XSS STYLE=\'no\xss:noxss("*//*");' => 'exp/*<XSS ', |
||
| 286 | '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>' => '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', |
||
| 287 | '<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>' => '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', |
||
| 288 | '<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>' => '<STYLE type="text/css">BODY{background:url("alert(\'XSS\')")}</STYLE>', |
||
| 289 | '<BASE HREF="javascript:alert(\'XSS\');//">' => '<BASE HREF="alert(\'XSS\');//">', |
||
| 290 | '<object allowscriptaccess="always" data="test.swf"></object>' => '<object allowscriptaccess="always" data="test.swf"></object>', |
||
| 291 | '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>' => '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>', |
||
| 292 | '<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(\'XSS\')></OBJECT>' => '<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=alert(\'XSS\')></OBJECT>', |
||
| 293 | 'getURL("javascript:alert(\'XSS\')")' => 'getURL("alert(\'XSS\')")', |
||
| 294 | 'a="get";' => 'a="get";', |
||
| 295 | '<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: |
||
| 296 | org/xss.swf" AllowScriptAccess="always"></EMBED>' => '<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: |
||
| 297 | org/xss.swf" AllowScriptAccess="always"></EMBED>', |
||
| 298 | '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>' => '<EMBED SRC=PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg xml" AllowScriptAccess="always"></EMBED>', |
||
| 299 | '<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert(\'XSS\');">' => '<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG >', |
||
| 300 | '<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>' => '<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>', |
||
| 301 | '<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML>' => '<XML ID="xss"><I><B><MG ></></></XML>', |
||
| 302 | '<HTML><BODY>' => '<HTML><BODY>', |
||
| 303 | '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>' => '', |
||
| 304 | '<!--#exec cmd="/bin/echo \'<SCRIPT SRC\'"--><!--#exec cmd="/bin/echo \'=http://ha.ckers.org/xss.js></SCRIPT>\'"-->' => '<!--#exec cmd="/bin/echo \'\'"-->', |
||
| 305 | '<? echo(\'<SCR)\';' => '<? echo(\'<SCR)\';', |
||
| 306 | '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">' => '<META HTTP-EQUIV="Set-Cookie" Content="alert(\'XSS\')">', |
||
| 307 | '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-' => '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> ADw-SCRIPT AD4-alert(\'XSS\'); ADw-/SCRIPT AD4-', // UTF-7 |
||
| 308 | '<img src="http://test.de/[0xE0]"> |
||
| 309 | ... foo ... |
||
| 310 | ... bar ... |
||
| 311 | " onerror="alert(\'XSS\')" |
||
| 312 | <div>lall</div>' => '<img src="http://test.de/[0xE0]"> |
||
| 313 | ... foo ... |
||
| 314 | ... bar ... |
||
| 315 | " "alert(\'XSS\')" |
||
| 316 | <div>lall</div>', |
||
| 317 | '<script>+-+-1-+-+alert(1)</script>' => ' - -1- - alert(1)', |
||
| 318 | '<body/onload=<!-->
alert(1)>' => "<body/\nalert(1)>", |
||
| 319 | '<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe' => '<a >ClickMe', |
||
| 320 | '<--`<img/src=` onerror=alert(1)> --!>' => '<--`<img/> --!>', |
||
| 321 | '<script/src=data:text/javascript,alert(1)></script> ' => ' ', |
||
| 322 | '<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>' => '<meta charset="x-imap4-modified-utf7">&alert&A7&(1)&R&UA;&&<&A9&11/script&X&>', |
||
| 323 | '<div id=”3″><meta charset=”x-imap4-modified-utf7″>&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//[“‘`–>]]>]</div>' => '<div id=”3″><meta charset=”x-imap4-modified-utf7″>&alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//[“‘`–>]]>]</div>', |
||
| 324 | '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" SRC="http://ha.ckers.org/xss.js">', |
||
| 325 | '<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" \'\' SRC="http://ha.ckers.org/xss.js">', |
||
| 326 | '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '\'" SRC="http://ha.ckers.org/xss.js">', |
||
| 327 | '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '` SRC="http://ha.ckers.org/xss.js">', |
||
| 328 | 'onAttribute="bar"' => '"bar"', |
||
| 329 | "onAttribute=\"<script>alert('bar')</script>\"" => "\"alert('bar')\"", |
||
| 330 | "<BGSOUND SRC=\"javascript:alert('XSS');\">" => "<BGSOUND SRC=\"alert('XSS');\">", // BGSOUND |
||
| 331 | "<BR SIZE=\"&{alert('XSS')}\">" => '<BR SIZE="">', // & JavaScript includes |
||
| 332 | "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "<LINK REL=\"stylesheet\" HREF=\"alert('XSS');\">", // STYLE sheet |
||
| 333 | '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</styel>foo' => '<STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</styel>foo', // Remote style sheet |
||
| 334 | "<STYLE>@im\\port'\\jaasc\ript:alert(\"XSS\")';</STYLE>" => "<STYLE>@im\port'\jaasc\ript:alert(\"XSS\")';</STYLE>", // STYLE tags with broken up JavaScript for XSS |
||
| 335 | "<XSS STYLE=\"xss:expression_r(alert('XSS'))\">" => '', // Anonymous HTML with STYLE attribute |
||
| 336 | '<XSS STYLE="behavior: url(xss.htc);">' => '', // Local htc file |
||
| 337 | '¼script¾alert(¢XSS¢)¼/script¾' => '¼script¾alert(¢XSS¢)¼/script¾', // US-ASCII encoding |
||
| 338 | "<IMG defang_SRC=javascript:alert\("XSS"\)>" => '<IMG >', // IMG |
||
| 339 | '<IMG SRC=javascript:alert('XSS')>' => '<IMG >', |
||
| 340 | '<img src =x onerror=confirm(document.cookie);>' => '<img >', |
||
| 341 | "<IMG SRC=\"jav ascript:alert('XSS');\">" => '<IMG >', |
||
| 342 | "<IMG SRC=\"jav	ascript:alert('XSS');\">" => '<IMG >', |
||
| 343 | "<IMG SRC=\"jav	ascript:alert)'XSS');\">" => '<IMG >', |
||
| 344 | "<IMG SRC=\"jav
ascript:alert('XSS');\">" => '<IMG >', |
||
| 345 | '<test lall=&amp;#039;jav
ascript:alert(\\&amp;#039;XSS\\&amp;#039;);&amp;#039;>' => "<test lall='alert(\'XSS\');'>", |
||
| 346 | "<IMG SRC\n=\n\"\nj\na\nv\n
a\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n;\">" => "<IMG SRC\n=\n\"\n\nalert\n(\n'\nX\nS\nS\n'\n)\n;\">", |
||
| 347 | "<IMG SRC=java�script:alert('XSS')>" => '<IMG >', |
||
| 348 | "<DIV STYLE=\"background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028\\0027\\0058\\0053\\0053\\0027\\0029'\\0029\">" => '<DIV >', |
||
| 349 | "<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>" => "<STYLE>.XSS{background-image:url(\"alert('XSS')\");}</STYLE><A ></A>", |
||
| 350 | "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "<META HTTP-EQUIV=\"refresh\" CONTENT=\"alert('XSS');\">", // META |
||
| 351 | "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "<IFRAME SRC=\"alert('XSS');\"></IFRAME>", // IFRAME |
||
| 352 | '<applet code=A21 width=256 height=256 archive="toir.jar"></applet>' => '<applet code=A21 width=256 height=256 archive="toir.jar"></applet>', |
||
| 353 | '<script Language="JavaScript" event="FSCommand (command, args)" for="theMovie">...</script>' => '...', // <script> |
||
| 354 | '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '("<SCRI");PT SRC="http://ha.ckers.org/xss.js">', // XSS using HTML quote encapsulation |
||
| 355 | '<SCR�IPT>alert("XSS")</SCR�IPT>' => 'alert("XSS")', |
||
| 356 | "Би шил идэй чадна,<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>我能吞下玻璃而不傷身體</br>" => "Би шил идэй чадна,<STYLE>li {list-style-image: url(\"alert('XSS')\");}</STYLE><UL><LI>我能吞下玻璃而不傷身體</br>", |
||
| 357 | "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\"\; alert(String.fromCharCode(88,83,83))//\"\;alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>" => "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\"\\; alert(String.fromCharCode(88,83,83))//\"\\;alert(String.fromCharCode(88,83,83))//-->\">'>alert(String.fromCharCode(88,83,83))", |
||
| 358 | 'म काँच खान सक्छू र मलाई केहि नी हुन्न् <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>।' => 'म काँच खान सक्छू र मलाई केहि नी हुन्न् <IMG >।', |
||
| 359 | "https://[host]/testing?foo=bar&tab=<script>alert('foobar')</script>" => "https://[host]/testing?foo=bar&tab=alert('foobar')", |
||
| 360 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_qty='\">alert('ImmuniWeb');", // XSS to attack "pfSense" - https://www.htbridge.com/advisory/HTB23251 |
||
| 361 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_protocolflags='\">alert('ImmuniWeb');", |
||
| 362 | 'https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_s ourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_s ourceport='\">alert('ImmuniWeb');", |
||
| 363 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_destinationport='\">alert('ImmuniWeb');", |
||
| 364 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3 E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_destinationipaddress='\">alert('ImmuniWeb');</script%3 E", |
||
| 365 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_sourceport='\">alert('ImmuniWeb');", |
||
| 366 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_sourceipaddress='\">alert('ImmuniWeb');", |
||
| 367 | 'https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E' => "https://[host]/diag_logs_filter.phpfilterlogentries_submit=1&filterlogentries_time='\">alert('ImmuniWeb');", |
||
| 368 | "http://www.amazon.com/review/R3FSGZJ3NBYZM/?id=brute'-alert('XSSPOSED' )-'logic" => "http://www.amazon.com/review/R3FSGZJ3NBYZM/?id=brute'-alert('XSSPOSED' )-'logic", // XSS from amazon -> https://www.xssposed.org/search/?search=amazon.com&type=host& |
||
| 369 | "User-Agent: </script><svg/onload=alert('xssposed')>" => 'User-Agent: <svg/>', |
||
| 370 | "https://www.amazon.com/gp/aw/ya/181-1583093-7256013/\"></form><script>a lert('Lohit Tummalapenta')</script>" => "https://www.amazon.com/gp/aw/ya/181-1583093-7256013/\"></form>alert('Lohit Tummalapenta')", |
||
| 371 | "https://aws.amazon.com/amis?ami_provider_id=4&architecture='\"--></ style></script><script>alert(0x015E00)</script>&selection=ami_prov ider_id+architecture" => "https://aws.amazon.com/amis?ami_provider_id=4&architecture='\"--></ style>alert(0x015E00)&selection=ami_prov ider_id architecture", |
||
| 372 | 'pipe=ssrProductAds&step=2&userName=1211&replyTo=test%40xssed.com&subjectEscape=&subject=Unable+to+re gister+for+Product+Ads&emailMessageEscape=&emailMessage=&displayName=%27%22%3E%3Ciframe+src%3Dhttp:% 2F%2Fxssed.com%3E&companyURL=&address1=&address2=&city=&state=&zipCode=&country=United+States&ccCard holderName=&ccIssuer=V&addCreditCardNumber=&ccExpMonth=10&ccExpYear=2010&businessAddressCheck=useBus inessAddress&billingAddress1=&billingAddress2=&billingCity=&billingState=&billingZipCode=&billingCou ntry=United+States&Continue=&_pi_legalName=121&_pi_tokenID=A1F3841M9ZHMMV&_pi_pipe=ssrProductAds&_pi _email=kf%40xssed.com&_pi_step=1&_pi_areaCode=112&_pi_phone1=121&_pi_userName=1211&_pi_ext=211221212 1&_pi_phone2=1221' => "pipe=ssrProductAds&step=2&userName=1211&[email protected]&subjectEscape=&subject=Unable to re gister for Product Ads&emailMessageEscape=&emailMessage=&displayName='\"><iframe src=http:% 2F/xssed.com>&companyURL=&address1=&address2=&city=&state=&zipCode=&country=United States&ccCard holderName=&ccIssuer=V&addCreditCardNumber=&ccExpMonth=10&ccExpYear=2010&businessAddressCheck=useBus inessAddress&billingAddress1=&billingAddress2=&billingCity=&billingState=&billingZipCode=&billingCou ntry=United States&Continue=&_pi_legalName=121&_pi_tokenID=A1F3841M9ZHMMV&_pi_pipe=ssrProductAds&_pi [email protected]&_pi_step=1&_pi_areaCode=112&_pi_phone1=121&_pi_userName=1211&_pi_ext=211221212 1&_pi_phone2=1221", |
||
| 373 | 'http://www.amazon.com/s?ie=UTF5&keywords="><script>alert(document. cookie)</script>' => 'http://www.amazon.com/s?ie=UTF5&keywords=">alert(document. cookie)', |
||
| 374 | 'http://www.amazon.com/gp/digital/rich-media/media-player.html?ie=UTF8& amp;location=javascript:alert(1)&ASIN=B000083JTS' => 'http://www.amazon.com/gp/digital/rich-media/media-player.html?ie=UTF8& amp;location=alert(1)&ASIN=B000083JTS', |
||
| 375 | 'http://r-images.amazon.com/s7ondemand/brochure/flash_brochure.jsp?comp any=ama1&sku=AtHome7&windowtitle=XSS</title><script/s rc=//z.l.to></script><plaintext>' => 'http://r-images.amazon.com/s7ondemand/brochure/flash_brochure.jsp?comp any=ama1&sku=AtHome7&windowtitle=XSS</title><plaintext>', |
||
| 376 | "https://sellercentral.amazon.com/gp/change-password/change-password-em ail.html?errorMessage=I'm%20sorry,%20the%20Password%20Assistance%20pag e%20is%20temporarily%20unavailable.%20%20Please%20try%20again%20in%201 5%2" => "https://sellercentral.amazon.com/gp/change-password/change-password-em ail.html?errorMessage=I'm sorry, the Password Assistance pag e is temporarily unavailable. Please try again in 1 5%2", |
||
| 377 | "http://www.amazon.com/s/ref=amb_link_7189562_72/002-2069697-5560831?ie =UTF8&node="/><script>alert('XSS');</script>&a mp;pct-off=25-&hidden-keywords=athletic|outdoor&pf_rd_m=ATVPDK IKX0DER&pf_rd_s=center-5&pf_r" => "http://www.amazon.com/s/ref=amb_link_7189562_72/002-2069697-5560831?ie =UTF8&node=\"/>alert('XSS');&a mp;pct-off=25-&hidden-keywords=athletic|outdoor&pf_rd_m=ATVPDK IKX0DER&pf_rd_s=center-5&pf_r", |
||
| 378 | 'https://sellercentral.amazon.com/gp/on-board/workflow/Registration/log in.html?passthrough/&passthrough/account=soa"><script>alert("XSS") </script>&passthrough/superSource=OAR&passthrough/marketplaceI D=ATVPDKI' => 'https://sellercentral.amazon.com/gp/on-board/workflow/Registration/log in.html?passthrough/&passthrough/account=soa">alert("XSS") &passthrough/superSource=OAR&passthrough/marketplaceI D=ATVPDKI', |
||
| 379 | 'http://sellercentral.amazon.com/gp/seller/product-ads/registration.htm l?ld="><script>alert(document.cookie)</script>' => 'http://sellercentral.amazon.com/gp/seller/product-ads/registration.htm l?ld=">alert()', |
||
| 380 | 'https://sellercentral.amazon.com/gp/change-password/-"><script>alert(d ocument.cookie)</script>-.html' => 'https://sellercentral.amazon.com/gp/change-password/-">alert()-.html', |
||
| 381 | 'http://www.amazon.com/script-alert-product-document-cookie/dp/B003H777 5E/ref=sr_1_3?s=gateway&ie=UTF8&qid=1285870078&sr=8-3' => 'http://www.amazon.com/script-alert-product-document-cookie/dp/B003H777 5E/ref=sr_1_3?s=gateway&ie=UTF8&qid=1285870078&sr=8-3', |
||
| 382 | 'http://www.amazon.com/s/ref=sr_a9ps_home/?url=search-alias=aps&tag =amzna9-1-20&field-keywords=-"><script>alert(document.cookie)</scr ipt>' => 'http://www.amazon.com/s/ref=sr_a9ps_home/?url=search-alias=aps&tag =amzna9-1-20&field-keywords=-">alert()', |
||
| 383 | 'http://www.amazon.com/s/ref=amb_link_7581132_5/102-9803838-3100108?ie= UTF8&node="/><script>alert("XSS");</scr ipt>&keywords=Lips&emi=A19ZEOAOKUUP0Q&pf_rd_m=ATVPDKIKX 0DER&pf_rd_s=left-1&pf_rd_r=1JMP7' => 'http://www.amazon.com/s/ref=amb_link_7581132_5/102-9803838-3100108?ie= UTF8&node="/>alert("XSS");&keywords=Lips&emi=A19ZEOAOKUUP0Q&pf_rd_m=ATVPDKIKX 0DER&pf_rd_s=left-1&pf_rd_r=1JMP7', |
||
| 384 | "http://askville.amazon.com/SearchRequests.do?search=\"></script><script >alert('XSS')</script>&start=0&max=10&open=true&closed =true&x=18&y=7" => "http://askville.amazon.com/SearchRequests.do?search=\">alert('XSS')&start=0&max=10&open=true&closed =true&x=18&y=7", |
||
| 385 | 'https://sellercentral.amazon.com/gp/seller/registration/login.html?ie= UTF8&email=&errors=<script src=http://ha.ckers.org/xss.js?/>&userName=&tokenID=AO9UIQIH15 TE' => 'https://sellercentral.amazon.com/gp/seller/registration/login.html?ie= UTF8&email=&errors=&userName=&tokenID=AO9UIQIH15 TE', |
||
| 386 | 'https://sellercentral.amazon.com/gp/seller/registration/login.html?ie= UTF8&email=<script src=http://ha.ckers.org/xss.js?/>&userName=&tokenID=AO9UIQIH15 TE' => 'https://sellercentral.amazon.com/gp/seller/registration/login.html?ie= UTF8&email=&userName=&tokenID=AO9UIQIH15 TE', |
||
| 387 | 'address-daytime-phone=&address-daytime-phone-areacode=%24Q%24%2F%3E&address-daytime-phone-ext=&pipel ine-return-directly=1&pipeline-return-handler=fx-pay-pages%2Fmanage-pay-pages%2F&pipeline-return-han dler-type=post&pipeline-return-html=fx%2Fhelp%2Fgetting-started.html&pipeline-type=payee&register-bi lling-address-id=jgmhpujplj&register-credit-card-id=A1V46DGTZUE15I&register-enter-checking-info=no&r egister-epay-registration-status-check=no&register-nickname=pg5of16&register-payment-program=tipping &input-address-daytime-phone-areacode=%22%2F%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3F %2F%3E&input-address-daytime-phone=&input-address-daytime-phone-ext=&input-register-nickname=xss&inp ut-register-enter-checking-info=no&x=0&y=0' => 'address-daytime-phone=&address-daytime-phone-areacode=$Q$/>&address-daytime-phone-ext=&pipel ine-return-directly=1&pipeline-return-handler=fx-pay-pages/manage-pay-pages/&pipeline-return-han dler-type=post&pipeline-return-html=fx/help/getting-started.html&pipeline-type=payee®ister-bi lling-address-id=jgmhpujplj®ister-credit-card-id=A1V46DGTZUE15I®ister-enter-checking-info=no&r egister-epay-registration-status-check=no®ister-nickname=pg5of16®ister-payment-program=tipping &input-address-daytime-phone-areacode="/>&input-address-daytime-phone=&input-address-daytime-phone-ext=&input-register-nickname=xss&inp ut-register-enter-checking-info=no&x=0&y=0', |
||
| 388 | 'c=A2H6YBKBHMURHR&t=1&o=4&process_form=1&email_address=%22%2F%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers .org%2Fxss.js%3F%2F%3E&password=&x=0&y=0' => 'c=A2H6YBKBHMURHR&t=1&o=4&process_form=1&email_address="/>&password=&x=0&y=0', |
||
| 389 | "https://affiliate-program.amazon.com/gp/associates/help/glossary/'>\">< SCRIPT/SRC=http://kusomiso.com/xss.js></SCRIPT>" => "https://affiliate-program.amazon.com/gp/associates/help/glossary/'>\">< SCRIPT/SRC=http://kusomiso.com/xss.js>", |
||
| 390 | "https://affiliate-program.amazon.com/gp/associates/help/main.html/'>\"> <SCRIPT/SRC=http://kusomiso.com/xss.js></SCRIPT>" => "https://affiliate-program.amazon.com/gp/associates/help/main.html/'>\"> ", |
||
| 391 | "http://www.amazon.com/gp/daily/ref=\"/><script>alert('XSS $4.99 S&H')</script>" => "http://www.amazon.com/gp/daily/ref=\"/>alert('XSS $4.99 S&H')", |
||
| 392 | 'http://bilderdienst.bundestag.de/archives/btgpict/search/_%27-document.write%28String.fromCharCode%2860,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,98,108,111,103,46,102,100,105,107,46,111,114,103,47,50,48,49,51,45,48,54,47,51,56,56,57,50,49,56,55,46,106,112,103,34,32,115,116,121,108,101,61,34,112,97,100,100,105,110,103,58,32,50,53,48,112,120,32,51,51,48,112,120,59,10,112,111,115,105,116,105,111,110,58,32,97,98,115,111,108,117,116,101,59,10,122,45,105,110,100,101,120,58,32,49,48,59,34,62%29%29-%27/' => "http://bilderdienst.bundestag.de/archives/btgpict/search/_'-(String.fromCharCode(60,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,98,108,111,103,46,102,100,105,107,46,111,114,103,47,50,48,49,51,45,48,54,47,51,56,56,57,50,49,56,55,46,106,112,103,34,32,115,116,121,108,101,61,34,112,97,100,100,105,110,103,58,32,50,53,48,112,120,32,51,51,48,112,120,59,10,112,111,115,105,116,105,111,110,58,32,97,98,115,111,108,117,116,101,59,10,122,45,105,110,100,101,120,58,32,49,48,59,34,62))-'/", |
||
| 393 | 'https://bilderdienst.bundestag.de/archives/btgpict/search/_%27-dOcumEnt.wRite%28String.fromCharCode%2860,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,98,108,111,103,46,102,100,105,107,46,111,114,103,47,50,48,49,51,45,48,54,47,51,56,56,57,50,49,56,55,46,106,112,103,34,32,115,116,121,108,101,61,34,112,97,100,100,105,110,103,58,32,50,53,48,112,120,32,51,51,48,112,120,59,10,112,111,115,105,116,105,111,110,58,32,97,98,115,111,108,117,116,101,59,10,122,45,105,110,100,101,120,58,32,49,48,59,34,62%29%29-%27/' => "https://bilderdienst.bundestag.de/archives/btgpict/search/_'-(String.fromCharCode(60,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,98,108,111,103,46,102,100,105,107,46,111,114,103,47,50,48,49,51,45,48,54,47,51,56,56,57,50,49,56,55,46,106,112,103,34,32,115,116,121,108,101,61,34,112,97,100,100,105,110,103,58,32,50,53,48,112,120,32,51,51,48,112,120,59,10,112,111,115,105,116,105,111,110,58,32,97,98,115,111,108,117,116,101,59,10,122,45,105,110,100,101,120,58,32,49,48,59,34,62))-'/", |
||
| 394 | '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 395 | '<IMG SRC="j a v a s c r i p t:alert(\'XSS\');">' => '<IMG >', |
||
| 396 | '<IMG SRC="j a v a s c r i p t:alert(\'XSS\');">' => '<IMG >', |
||
| 397 | '<IMG SRC="j a' . chr(0) . 'v a ' . "\xe2\x82\xa1" . ' s c r' . "\xf0\x90\x8c\xbc" . 'i p t:alert(\'XSS\');">' => '<IMG >', |
||
| 398 | '<IMG alt="中文空白" SRC="j a v a ' . "\xe2\x82\xa1" . ' s c r' . "\xf0\x90\x8c\xbc" . 'i p t:alert(\'XSS\');">' => '<IMG alt="中文空白">', |
||
| 399 | '<script>prompt(1)</script>' => 'prompt(1)', |
||
| 400 | '<script>confirm(1)</script>' => 'confirm(1)', |
||
| 401 | '<script>var fn=window[490837..toString(1<<5)];fn(atob(\'YWxlcnQoMSk=\'));</script>' => 'var fn=window[490837..toString(1<<5)];fn(atob(\'YWxlcnQoMSk=\'));', |
||
| 402 | '<script>var fn=window[String.fromCharCode(101,118,97,108)];fn(atob(\'YWxlcnQoMSk=\'));</script>' => 'var fn=window[String.fromCharCode(101,118,97,108)];fn(atob(\'YWxlcnQoMSk=\'));', |
||
| 403 | '<script>var fn=window[atob(\'ZXZhbA==\')];fn(atob(\'YWxlcnQoMSk=\'));</script>' => 'var fn=window[atob(\'ZXZhbA==\')];fn(atob(\'YWxlcnQoMSk=\'));', |
||
| 404 | '<script>window[490837..toString(1<<5)](atob(\'YWxlcnQoMSk=\'))</script>' => 'window[490837..toString(1<<5)](atob(\'YWxlcnQoMSk=\'))', |
||
| 405 | '<script>this[490837..toString(1<<5)](atob(\'YWxlcnQoMSk=\'))</script>' => 'this[490837..toString(1<<5)](atob(\'YWxlcnQoMSk=\'))', |
||
| 406 | '<script>this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](++[[]][+[]])</script>' => 'this[( {} [])[ !![]] (![] [])[! [] !![]] ([][ []] [])[! [] !![] !![]] (!![] [])[ !![]] (!![] [])[ []]]( [[]][ []])', |
||
| 407 | '<script>this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))</script>' => 'this[( {} [])[-~[]] (![] [])[-~-~[]] ([][ []] [])[-~-~-~[]] (!![] [])[-~[]] (!![] [])[ []]]((-~[] []))', |
||
| 408 | '<script>\'str1ng\'.replace(/1/,alert)</script>' => '\'str1ng\'.replace(/1/,alert)', |
||
| 409 | '<script>\'bbbalert(1)cccc\'.replace(/a\w{4}\(\d\)/,eval)</script>' => '\'bbbalert(1)cccc\'.replace(/a\w{4}\(\d\)/,eval)', |
||
| 410 | '<script>\'a1l2e3r4t6\'.replace(/(.).(.).(.).(.).(.)/, function(match,$1,$2,$3,$4,$5) { this[$1+$2+$3+$4+$5](1); })</script>' => '\'a1l2e3r4t6\'.replace(/(.).(.).(.).(.).(.)/, function(match,$1,$2,$3,$4,$5) { this[$1 $2 $3 $4 $5](1); })', |
||
| 411 | '<script>eval(\'\\\\u\'+\'0061\'+\'lert(1)\')</script>' => 'eval(\'\\\\u\' \'0061\' \'lert(1)\')', |
||
| 412 | '<script>throw~delete~typeof~prompt(1)</script>' => 'throw~delete~typeof~prompt(1)', |
||
| 413 | '<script>delete[a=alert]/prompt a(1)</script>' => 'delete[a=alert]/prompt a(1)', |
||
| 414 | '<script>delete[a=this[atob(\'YWxlcnQ=\')]]/prompt a(1)</script>' => 'delete[a=this[atob(\'YWxlcnQ=\')]]/prompt a(1)', |
||
| 415 | '<script>(()=>{return this})().alert(1)</script>' => '(()=>{return this})().alert(1)', |
||
| 416 | '<script>new function(){new.target.constructor(\'alert(1)\')();}</script>' => 'new function(){new.target.constructor(\'alert(1)\')();}', |
||
| 417 | '<script>Reflect.construct(function(){new.target.constructor(\'alert(1)\')()},[])</script>' => 'Reflect.construct(function(){new.target.constructor(\'alert(1)\')()},[])', |
||
| 418 | '<link/rel=prefetch
import href=data:q;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg>' => "<link/rel=prefetch\nimport href=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg>", |
||
| 419 | '<link rel="import" href="data:x,<script>alert(1)</script>' => '<link rel="import" href="data:x,alert(1)', |
||
| 420 | '<script>Array.from`1${alert}3${window}2`</script>' => 'Array.from`1${alert}3${window}2`', |
||
| 421 | '<script>!{x(){alert(1)}}.x()</script>' => '!{x(){alert(1)}}.x()', |
||
| 422 | '<script>Array.from`${eval}alert\`1\``</script>' => 'Array.from`${eval}alert\`1\``', |
||
| 423 | '<script>Array.from([1],alert)</script>' => 'Array.from([1],alert)', |
||
| 424 | '<script>Promise.reject("1").then(null,alert)</script>' => 'Promise.reject("1").then(null,alert)', |
||
| 425 | '<svg </onload ="1> (_=alert,_(1)) "">' => '<svg </> (_=alert,_(1)) "">', |
||
| 426 | '<img onerror="location=\'javascript:=lert(1)\'" src="x">' => '<img src="x">', |
||
| 427 | '<img onerror="location=\'javascript:%61lert(1)\'" src="x">' => '<img src="x">', |
||
| 428 | '<img onerror="location=\'javascript:\x2561lert(1)\'" src="x">' => '<img src="x">', |
||
| 429 | '<img onerror="location=\'javascript:\x255Cu0061lert(1)\'" src="x" >' => '<img src="x" >', |
||
| 430 | ); |
||
| 431 | |||
| 432 | foreach ($testArray as $before => $after) { |
||
| 433 | self::assertEquals($after, $this->security->xss_clean($before), 'testing: ' . $before); |
||
| 434 | } |
||
| 435 | |||
| 436 | // test for php < OR > 5.3 |
||
| 437 | |||
| 438 | if (Bootup::is_php('5.4.0') !== true || defined('HHVM_VERSION')) { |
||
| 439 | $testArray = array( |
||
| 440 | '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 441 | '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">' => '<DIV url(alert(\'XSS\'))">', |
||
| 442 | 'If you like entities... <a href="javascript:'<script src=//Ð.pw>⃒</script>⃒'">CLICK</a>' => 'If you like entities... <a href="\'script src=//Ð.pw/script\'">CLICK</a>', |
||
| 443 | // https://twitter.com/0x6D6172696F/status/629754114084175872 |
||
| 444 | '<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>' => '<iframe srcdoc="<svg ></iframe>', |
||
| 445 | '<a href="javascript:'<svg onload=alert(1)>⃒'">CLICK</a>' => '<a >CLICK</a>', |
||
| 446 | ); |
||
| 447 | } else { |
||
| 448 | $testArray = array( |
||
| 449 | '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG >', |
||
| 450 | '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">' => '<DIV url(alert(\'XSS\'))">', |
||
| 451 | 'If you like entities... <a href="javascript:'<script src=//Ð.pw>⃒</script>⃒'">CLICK</a>' => 'If you like entities... <a >⃒⃒\'">CLICK</a>', // https://twitter.com/0x6D6172696F/status/629754114084175872 |
||
| 452 | '<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>' => '<iframe srcdoc="<svg >⃒"></iframe>', |
||
| 453 | '<a href="javascript:'<svg onload=alert(1)>⃒'">CLICK</a>' => '<a >⃒\'">CLICK</a>', |
||
| 454 | ); |
||
| 455 | } |
||
| 456 | |||
| 457 | for ($i = 0; $i < 5; $i++) { |
||
| 458 | foreach ($testArray as $before => $after) { |
||
| 459 | self::assertEquals($after, $this->security->xss_clean($before), 'testing: ' . $before); |
||
| 460 | } |
||
| 461 | } |
||
| 462 | } |
||
| 463 | |||
| 464 | View Code Duplication | public function testHtmlXssFile() |
|
| 471 | |||
| 472 | View Code Duplication | public function testSvgXssFileV1() |
|
| 479 | |||
| 480 | View Code Duplication | public function testSvgXssFileV2() |
|
| 491 | |||
| 492 | View Code Duplication | public function testScriptEncoding() |
|
| 507 | |||
| 508 | public function testOnError() |
||
| 525 | |||
| 526 | View Code Duplication | public function testSvgXss() |
|
| 570 | |||
| 571 | public function testJavaScriptCleaning() |
||
| 708 | |||
| 709 | public function test_xss_clean_entity_double_encoded() |
||
| 724 | |||
| 725 | public function test_xss_clean_js_img_removal() |
||
| 730 | |||
| 731 | public function test_xss_clean_js_a_removal() |
||
| 736 | |||
| 737 | public function test_xss_clean_js_div_removal() |
||
| 751 | |||
| 752 | public function test_naughty_html_plus_evil_attributes() |
||
| 756 | |||
| 757 | public function test_xss_clean_sanitize_naughty_html() |
||
| 765 | |||
| 766 | public function test_xss_clean_sanitize_naughty_html_attributes() |
||
| 788 | |||
| 789 | /** |
||
| 790 | * all tests from drupal |
||
| 791 | */ |
||
| 792 | public function testXss() { |
||
| 1126 | |||
| 1127 | |||
| 1128 | } |
||
| 1129 |
Loading history...
You can fix this by adding a namespace to your class:
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.