mrpastewart/platform
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
platform/libinjection/data/xss-html5secorg.txt

489 lines
22 KiB
Text
Raw Normal View History

Roll libinjection
2019-08-16 14:42:40 +00:00
#
# http://html5sec.org
# retreieved 2013-11-06
test 1 <form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
# obsolete firefox 3
#test 2 <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
# obsolete firefox 3
#test 3 <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
test 4 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
test 5 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
test 6 <script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
test 7 <input onfocus=write(1) autofocus>
test 8 <input onblur=write(1) autofocus><input autofocus>
test 9 <a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
test 10 <video poster=javascript:alert(1)//></video>
test 11 <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
test 12 <body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
# opera only, only "DoS"
# test 13 <x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
# opera only, "DoS"
# test 14 <input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
test 15 <script>({0:#0=alert/#0#/#0#(0)})</script>
test 16 X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
test 17 <?xml-stylesheet href="javascript:alert(1)"?><root/>
test 18 <script xmlns="http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>
# obsolete firefox 3
# test 19 <meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
test 20 <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
test 21 <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
test 22 <input onblur=focus() autofocus><input>
test 23 <form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
test 24 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(1)&gt;`>
test 25 <script src="#">{alert(1)}</script>;1
# obsolete firefox 4 and under
# test 26 +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
test 27 <style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
test 28 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert(1)&gt;>
test 29 <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
test 30 <style>@import "data:,*%7bx:expression(write(1))%7D";</style>
test 31_1 <frameset onload=alert(1)>
test 31_2 <body onload=alert(1)>
test 32 <table background="javascript:alert(1)"></table>
test 33 <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
test 34 1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%25;height:100%25 src=test.vml#xss></vmlframe>
test 35 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
test 36 <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
test 37 <!--<img src="--><img src=x onerror=alert(1)//">
test 38 <comment><img src="</comment><img src=x onerror=alert(1)//">
# obsolete, FF 3.6 and Opera 11
#test 39_1 <![><img src="]><img src=x onerror=alert(1)//">
test 39_2 <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
test 40 <style><img src="</style><img src=x onerror=alert(1)//">
test 41 <li style=list-style:url() onerror=alert(1)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
test 42 <head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
test 43 <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style>
test 44 <style>*[{}@import'test.css?]{color: green;}</style>X
test 45 <div style="font-family:'foo[a];color:red;';">XXX</div>
test 46 <div style="font-family:foo}color=red;">XXX</div>
test 47 <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
test 48 <SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
test 49 <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
test 50 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
test 51 <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
test 52 <x style="behavior:url(test.sct)">
test 53_1 <xml id="xss" src="test.htc"></xml>
test 53_2 <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
test 54 <script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script
test 55_1 <video><source onerror="alert(1)">
test 55_2 <audio><source onerror="alert(1)">
test 56 <video onerror="alert(1)"><source></source></video>
#
# Obsolete.. Firefox 3.6, Chrome 5, Safari 4
#
# test 57 <b <script>alert(1)//</script>0</script></b>
#
# Obsolete Firefox 3.6
#
#test 58 <b><script<b></b><alert(1)</script </b></b>
test 59 <div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
# we reject all styles
# test 60 TBD Obfuscation css-properties and values via ignored extra characters
# we reject all styles
# test 61 TBD CSS encoding and escaping
# IE9 parses this as NOT-XSS
# <x ?="foo"/><x foo="><img src=x onerror=alert(1)//"/>
#
#
test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
#
# IE9 parses this as XSS
# <!-- ="foo"><x foo --><img onerror="alert(1)//'" src="x"/>
#
test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
#
# IE9 parses this as XSS as previous
#
test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
# bonus -- correctly detected
test 62_4 <!-- '="foo"><x foo='--><img src=x onerror=alert(2)//'>
# bonus -- quotes reversed
# same as 62_2
test 62_5 <! "='foo'><x foo="><img src=x onerror=alert(2)//">
# bonus - use of backquotes
test 62_5 <! `='foo'><x foo=`><img src=x onerror=alert(2)//`>
# bonus
<!-- "='foo'><x -->"><img src=x onerror=alert(1)//">
<!-- "=foo><x -->"><img src=x onerror=alert(1)//">
<!-- "foo><x -->"><img src=x onerror=alert(1)//">
<!-- "foo'><x -->"><img src=x onerror=alert(1)//">
test 63_1 <embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.↓, GC6↓,
test 63_2 <img src="javascript:alert(2)">
test 63_3 <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.
test 63_4 <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.
test 64_1 <!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
test 64_2 <script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
test 65 <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
test 66 <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
test 67 <!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />
test 68 <doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
test 69 <card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
test 70 <div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
test 71 <// style=x:expression\28write(1)\29>
test 72 <form><button formaction="javascript:alert(1)">X</button>
test 73 <event-source src="event.php" onload="alert(1)">
test 74 <a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
test 75 <script<{alert(1)}/></script </>
test 76_1 <?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
test 72_2 <!ENTITY x "&#x3C;html:img&#x20;src='x'&#x20;xmlns:html='http://www.w3.org/1999/xhtml'&#x20;onerror='alert(1)'/&#x3E;">
test 77 <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
test 78 <?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
test 79 <object allowscriptaccess="always" data="test.swf"></object>
# test 80 TBD IE6 and halfwidth/fullwidth Unicode characters
test 81 <x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
test 82 <?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
test 83 <x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
test 84 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x
test 85 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
test 86 <script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>
test 86 <body oninput=alert(1)><input autofocus>
test 87 <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
test 88_0 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
test 88_1 <animation xlink:href="javascript:alert(1)"/>
test 88_2 <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
test 88_3 <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
test 88_4 <foreignObject xlink:href="javascript:alert(1)"/>
test 88_5 <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
test 89_1 <set attributeName="onmouseover" to="alert(1)"/>
test 89_2 <animate attributeName="onunload" to="alert(1)"/>
test 90_1 <div style=content:url(test2.svg)></div>
test 90_2 <div style="background:url(test5.svg)">PRESS ENTER</div>
test 90_3 <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)"> <!-- this file can be crossdomain if "action" attribute refers to an external file --> <meta http-equiv="refresh" content="1;URL=test5.svg"/> <input type="submit" autofocus="autofocus"/> </form>
# test 91
test 91_1 <? foo="><script>alert(1)</script>">
test 91_2 <! foo="><script>alert(1)</script>">
test 91_3 </ foo="><script>alert(1)</script>">
# obsolete Safari 4
#test 91_4 <? foo="><x foo='?><script>alert(1)</script>'>">
# obsolete Opera 11
#test 91_5 <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
test 91_6 <%25 foo><x foo="%25><script>alert(1)</script>">
test 92 <div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
test 93 <div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
test 94_1 <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
test 94_2 <svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
test 95_1 <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage>
test 95_2 <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
test 96_1 <iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
test 96_2 <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
test 97_1 <div id=d><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML+='';</script>
test 97_2 <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>
test 98 <div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
test 99 XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!-- --><!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>
# <img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
#
# normal case
test 100_0 <img src=x onerror="alert(1)">
# [a]case
test 100_1 <img%09src=x onerror="alert(1)">
test 100_2 <img%0Asrc=x onerror="alert(1)">
test 100_3 <img%0Csrc=x onerror="alert(1)">
test 100_4 <img%0Dsrc=x onerror="alert(1)">
test 100_5 <img%20src=x onerror="alert(1)">
test 100_6 <img%47src=x onerror="alert(1)">
test 100_7 <img%0Bsrc=x onerror="alert(1)">
# [b] case
test 100_8 <img %47src=x onerror="alert(1)">
test 100_9 <img %00src=x onerror="alert(1)">
# [c] case
test 100_10 <img src=x onerror%09="alert(1)">
test 100_11 <img src=x onerror%0A="alert(1)">
test 100_12 <img src=x onerror%0C="alert(1)">
test 100_13 <img src=x onerror%0D="alert(1)">
test 100_14 <img src=x onerror%20="alert(1)">
test 100_15 <img src=x onerror%00="alert(1)">
test 100_16 <img src=x onerror%0B="alert(1)">
# [d] case
test 100_17 <img src=x%09onerror="alert(1)">
test 100_18 <img src=x%0Aonerror="alert(1)">
test 100_19 <img src=x%0Conerror="alert(1)">
test 100_20 <img src=x%0Donerror="alert(1)">
test 100_21 <img src=x%20onerror="alert(1)">
test 100_22 <img src=x%0Bonerror="alert(1)">
# [e] case
test 100_23 <img src=x onerror=%09"alert(1)">
test 100_24 <img src=x onerror=%0A"alert(1)">
test 100_25 <img src=x onerror=%0C"alert(1)">
test 100_26 <img src=x onerror=%0D"alert(1)">
test 100_27 <img src=x onerror=%20"alert(1)">
test 100_28 <img src=x onerror=%00"alert(1)">
test 100_29 <img src=x onerror=%0B"alert(1)">
# <a href="[a]java[b]script[c]:alert(1)">XXX</a>
test 101_x <a href="javascript:alert(1)">XXX</a>
test 101_0 <a href="%00javascript:alert(1)">XXX</a>
test 101_1 <a href="%01javascript:alert(1)">XXX</a>
test 101_2 <a href="%02javascript:alert(1)">XXX</a>
test 101_3 <a href="%03javascript:alert(1)">XXX</a>
test 101_4 <a href="%04javascript:alert(1)">XXX</a>
test 101_5 <a href="%05javascript:alert(1)">XXX</a>
test 101_6 <a href="%06javascript:alert(1)">XXX</a>
test 101_7 <a href="%07javascript:alert(1)">XXX</a>
test 101_8 <a href="%08javascript:alert(1)">XXX</a>
test 101_9 <a href="%09javascript:alert(1)">XXX</a>
test 101_10 <a href="%0Ajavascript:alert(1)">XXX</a>
test 101_11 <a href="%0Bjavascript:alert(1)">XXX</a>
test 101_12 <a href="%0Cjavascript:alert(1)">XXX</a>
test 101_13 <a href="%0Djavascript:alert(1)">XXX</a>
test 101_14 <a href="%0Ejavascript:alert(1)">XXX</a>
test 101_15 <a href="%0Fjavascript:alert(1)">XXX</a>
test 101_16 <a href="%10javascript:alert(1)">XXX</a>
test 101_17 <a href="%11javascript:alert(1)">XXX</a>
test 101_18 <a href="%12javascript:alert(1)">XXX</a>
test 101_19 <a href="%13javascript:alert(1)">XXX</a>
test 101_20 <a href="%14javascript:alert(1)">XXX</a>
test 101_21 <a href="%15javascript:alert(1)">XXX</a>
test 101_22 <a href="%16javascript:alert(1)">XXX</a>
test 101_23 <a href="%17javascript:alert(1)">XXX</a>
test 101_24 <a href="%18javascript:alert(1)">XXX</a>
test 101_25 <a href="%19javascript:alert(1)">XXX</a>
test 101_26 <a href="%1Ajavascript:alert(1)">XXX</a>
test 101_27 <a href="%1Bjavascript:alert(1)">XXX</a>
test 101_28 <a href="%1Cjavascript:alert(1)">XXX</a>
test 101_29 <a href="%1Djavascript:alert(1)">XXX</a>
test 101_30 <a href="%1Ejavascript:alert(1)">XXX</a>
test 101_31 <a href="%1Fjavascript:alert(1)">XXX</a>
test 101_32 <a href="%20javascript:alert(1)">XXX</a>
# B -- other cases are obsolete
test 101_33 <a href="j%00avascript:alert(1)">XXX</a>
# Confirmed in IE8, Does not work in IE9+
test 102 <img src="x` `<script>alert(1)</script>"` `>
test 103 <script>history.pushState(0,0,'/i/am/somewhere_else');</script>
test 104 <svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
test 105 <iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
# Safari 4, supported 2005-2010, now obsolete
# test 106 <img src onerror /" '"= alt=alert(1)//">
test 107 <title onpropertychange=alert(1)></title><title title=></title>
test 108_1 <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
test 108_2 <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
test 108_3 <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
# test 109 SVG
test 110_1 <svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>
test 110_2 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>
test 111 <div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
test 112 <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
test 113 <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
test 114 <x style="background:url('x[a];color:red;/*')">XXX</x>
test 115_1 <!--[if]><script>alert(1)</script -->
test 115_2 <!--[if<img src=x onerror=alert(2)//]> -->
test 116_1 <import namespace="t" implementation="#default#time2">
test 116_2 <?import namespace="t" implementation="#default#time2">
test 117 <a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
test 118 <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div>
test 119 <iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
test 120 <a href="#" onclick="makePopups()">Spam</a>
# original for SVG masking
# repurposing this as a generic "no SVG"
test 121_1 <svg:svg>
test 121_2 <svg>
test 121_3 <svg:mast id="foo">
test 122 <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
# test 123 "class jacking with jquery" http://html5sec.org/#131, requires scripting
test 124_1 <script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10
test 124_2 <script src="\\example.com\foo.js"></script> // Safari 5.0
test 125 <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
test 126_1 <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
test 127_2 <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
test 127_1 <svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
test 127_2 <handler id="y">alert(1)</handler>
test 127_3 <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>
test 128 <svg><style>&lt;img/src=x onerror=alert(1)// </b>
test 129_1 <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
test 129_2 <image filter='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
test 130_1 <math href="javascript:alert(1)">CLICKME</math>
test 130_2 <math><maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
test 130_3 <math><maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>
# Obsolete FF < 10
#test 131 TBD Drag and Drop http://html5sec.org/#131
test 132_1 <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
test 132_2 <svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image>
test 133 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
test 134_1 <xmp> <%25 </xmp> <img alt='%25></xmp><img src=xx:x onerror=alert(1)//'>
test 134_2 <script> x='<%25' </script> %25>/ alert(2) </script>
test 134_3 XXX <style> *['<!--']{} </style> -->{} *{color:red}</style>
test 135 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
# Somewhat odd injection -- ignoring. We can ban dirname is this
# is really a problem
#test 136 <input name="injected" value="injected" dirname="password" />
test 137_1 <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
test 137_2 <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>
Reference in a new issue Copy permalink