66 lines
2.6 KiB
JavaScript
66 lines
2.6 KiB
JavaScript
export default {
|
|
'protocol-based JS injection: simple, no spaces': {
|
|
input: '<a href="javascript:alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: simple, spaces before': {
|
|
input: '<a href="javascript :alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: simple, spaces after': {
|
|
input: '<a href="javascript: alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: simple, spaces before and after': {
|
|
input: '<a href="javascript : alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: preceding colon': {
|
|
input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: UTF-8 encoding': {
|
|
input: '<a href="javascript:">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: long UTF-8 encoding': {
|
|
input: '<a href="javascript:">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: long UTF-8 encoding without semicolons': {
|
|
input: '<a href=javascript:alert('XSS')>foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: hex encoding': {
|
|
input: '<a href="javascript:">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: long hex encoding': {
|
|
input: '<a href="javascript:">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: hex encoding without semicolons': {
|
|
input: '<a href=javascript:alert('XSS')>foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: null char': {
|
|
input: '<a href=java\0script:alert("XSS")>foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: invalid URL char': {
|
|
input: '<img src=java\script:alert("XSS")>', // eslint-disable-line no-useless-escape
|
|
output: '<img>',
|
|
},
|
|
'protocol-based JS injection: Unicode': {
|
|
input: '<a href="\u0001java\u0003script:alert(\'XSS\')">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'protocol-based JS injection: spaces and entities': {
|
|
input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
|
|
output: '<a>foo</a>',
|
|
},
|
|
'img on error': {
|
|
input: '<img src="x" onerror="alert(document.domain)" />',
|
|
output: '<img src="x">',
|
|
},
|
|
};
|