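/**
 * Protocol-based XSS fixtures.
 *
 * Each entry maps an HTML snippet (`input`) to the markup expected after
 * sanitization (`output`). Every input smuggles a `javascript:` URL (or an
 * inline event handler) through an attribute; every expected output drops that
 * attribute entirely while keeping the element and its text — i.e. the
 * sanitizer is expected to fail closed by removing the attribute, not by
 * rewriting the URL. The expected strings are the serializer's re-emitted
 * form (compare `<img ... />` in the last input with `<img src="x">` in its
 * output), so consumers compare re-serialized HTML rather than raw bytes.
 *
 * The test that iterates these fixtures lives elsewhere; it presumably
 * compares `sanitize(input)` against `output` — confirm against the spec that
 * imports this module.
 *
 * NOTE(review): several entries are named after an entity-encoded payload
 * ("UTF-8 encoding", "hex encoding", "... without semicolons", "spaces and
 * entities"), yet in this copy the numeric character references appear to
 * have already been decoded into a plain `javascript:` string. As written,
 * those cases no longer exercise entity decoding in the sanitizer and are
 * effectively duplicates of the "simple" case — a sanitizer that never decodes
 * `&#58;` / `&#x3A;` would still pass them. Restore the encoded forms from the
 * canonical fixture before relying on them as regression coverage.
 */
const protocolInjectionFixtures = {
  'protocol-based JS injection: simple, no spaces': {
    input: '<a href="javascript:alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  // Whitespace around the scheme separator. Whether or not a given browser
  // would still execute these, the sanitizer is expected to strip the href
  // rather than pass it through.
  'protocol-based JS injection: simple, spaces before': {
    input: '<a href="javascript :alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  'protocol-based JS injection: simple, spaces after': {
    input: '<a href="javascript: alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  'protocol-based JS injection: simple, spaces before and after': {
    input: '<a href="javascript : alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  // A stray leading colon must not make a scheme-based allowlist treat the
  // value as "no scheme" and keep it.
  'protocol-based JS injection: preceding colon': {
    input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): named for an entity-encoded colon, but the payload in this
  // copy is already the decoded `javascript:` — see the header comment.
  'protocol-based JS injection: UTF-8 encoding': {
    input: '<a href="javascript:">foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): named for a zero-padded decimal entity; decoded in this copy.
  'protocol-based JS injection: long UTF-8 encoding': {
    input: '<a href="javascript:">foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): the original payload was presumably a run of numeric
  // character references with the terminating semicolons omitted (the
  // unquoted attribute value is the tell). In this copy it arrived fully
  // decoded, which also left unescaped quotes inside the literal; the inner
  // quotes are escaped here only so the file parses. Restore the encoded form
  // to make the case meaningful.
  'protocol-based JS injection: long UTF-8 encoding without semicolons': {
    input: '<a href=javascript:alert(\'XSS\')>foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): named for a hex entity (`&#x..;`); decoded in this copy.
  'protocol-based JS injection: hex encoding': {
    input: '<a href="javascript:">foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): named for a zero-padded hex entity; decoded in this copy.
  'protocol-based JS injection: long hex encoding': {
    input: '<a href="javascript:">foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): same situation as the decimal "without semicolons" case
  // above — decoded in this copy, inner quotes escaped so the literal parses.
  'protocol-based JS injection: hex encoding without semicolons': {
    input: '<a href=javascript:alert(\'XSS\')>foo</a>',
    output: '<a>foo</a>',
  },

  // `\0` is a JS escape, so the string really contains a NUL byte inside the
  // scheme name. A sanitizer that strips or ignores NUL before matching the
  // scheme would see `javascript:`; one that compares raw bytes would not —
  // either way the href must go.
  'protocol-based JS injection: null char': {
    input: '<a href=java\0script:alert("XSS")>foo</a>',
    output: '<a>foo</a>',
  },

  // NOTE(review): the name implies an illegal URL character inside the
  // scheme, but the input here is the plain `javascript:` — identical to the
  // "simple" payload. If the source wrote the character as a single-backslash
  // escape such as `\s`, a JS string literal silently collapses that to `s`;
  // use `\\` (or a `\x..` escape) so the character actually reaches the
  // sanitizer. Verify against the source before trusting this case.
  'protocol-based JS injection: invalid URL char': {
    input: '<img src=javascript:alert("XSS")>',
    output: '<img>',
  },

  // Despite the name these are C0 control characters (U+0001, U+0003), not
  // non-ASCII code points; they sit inside the scheme name.
  'protocol-based JS injection: Unicode': {
    input: '<a href="\u0001java\u0003script:alert(\'XSS\')">foo</a>',
    output: '<a>foo</a>',
  },

  // Leading whitespace before the scheme. URL parsers strip leading C0
  // controls and spaces, so a naive `startsWith('javascript:')` check would
  // miss this. NOTE(review): the name mentions entities but only spaces are
  // visible here — an encoded control character was probably decoded and then
  // lost in this copy; confirm against the source.
  'protocol-based JS injection: spaces and entities': {
    input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
    output: '<a>foo</a>',
  },

  // Inline event handler: the harmless `src` survives, `onerror` is removed.
  // `document.domain` rather than a literal makes a leaked handler obvious in
  // a browser without depending on the page origin.
  'img on error': {
    input: '<img src="x" onerror="alert(document.domain)" />',
    output: '<img src="x">',
  },
};

export default protocolInjectionFixtures;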