author | Aleksander Machniak <alec@alec.pl> | 2014-02-05 20:18:51 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-02-05 20:18:51 +0100 |
commit | b37954110d2184279a7f400d8750996a27b8f666 (patch) | |
tree | 0a0b3d1ecd72c157b4d229cb4ecd9ed928198b32 /tests/src/BID-26800.txt | |
parent | e445e0acb558b2c4805cef3ed13c84139962a5b3 (diff) |
Bring back unit tests (they should be removed when creating a package)
Diffstat (limited to 'tests/src/BID-26800.txt')
-rw-r--r-- | tests/src/BID-26800.txt | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/tests/src/BID-26800.txt b/tests/src/BID-26800.txt
new file mode 100644
index 000000000..e4e2fe795
--- /dev/null
+++ b/tests/src/BID-26800.txt
@@ -0,0 +1,53 @@
+<html>
+<head>
+</head>
+<body>
+<h1>1 test</h1>
+<p><style> block</p>
+<style>input { left:expression( alert('expression!') ) }</style>
+<style>div { background:url(alert('URL!') ) }</style>
+
+<h1>2 test</h1>
+<p><div> block</p>
+<div style="font-style:italic">valid css</div>
+<div style="color:red; background:url('//somedomain.com/somepath/somefile.png')">
+<div style="{ left:expression( alert('expression!') ) }">
+<div style="{ background:url( alert('URL!') ) }">
+
+<h1>3 test</h1>
+<p>Inject comment text</p>
+<div style="{ left:exp/* */ression( alert('xss3') ) }">
+<div style=" background:u/* */rl( alert('xssurl3') ) ">
+
+<h1>4 test</h1>
+<p>Using reverse solid to directe the codepoint</p>
+<div style="{ left:\0065\0078pression( alert('xss4') ) }">
+<div style="{ background:\0075rl( alert('xssurl4') ) }">
+
+<h1>5 test</h1>
+<p>Character entity references</p>
+<p>Character entity references is acceptable in "inline styles"</p>
+<div style="{ left:expression( alert('xss') ) }">
+<div style="{ left:expression( alert('xss') ) }">
+<div style="{ background:url( alert('URL!') ) }">
+<div style="{ background:url( alert('URL!') ) }">
+<div style="{ left:expression( alert('xss') ) }">
+
+<div style="{ left:..p.....o.( alert('xss') ) }">
+<div style="{ left:../**/pression( alert('xss') ) }">
+<div style="{ left:expʀessioɴ( alert('xss') ) }">
+<div style="{ left:\0065\0078pression( alert('xss') ) }">
+<div style="{ left:ex p ression( alert('xss') ) }">
+
+<div style="{ background:...( javascript:alert('xss') ) }">
+<div style="{ background:u/**/rl( javascript:alert('xss') ) }">
+<div style="{ background:\0075\0072\006c( javascript:alert('xss') ) }">
+<div style="{ background:uʀʟ( javascript:alert('xss') )
+}">
+<div style="{ background:\0075\0280l( javascript:alert('xss')
+) }">
+<div style="{ background:u r l( javascript:alert('xss') ) }">
+
+</body>
+</html>
+
|
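Review bot: The fixture declares no character encoding in its empty `<head>`, yet test 5 relies on non-ASCII look-alike characters (`expʀessioɴ`, `uʀʟ`, and the values that render here as `..p.....o.` and `...(`), so what those cases exercise depends on how the test harness decodes the file. Consider adding `<meta charset="utf-8">`, or whichever encoding the file is actually saved in, so the sanitizer sees the intended code points on every platform. The file also never records the expected outcome; a leading comment such as `<!-- BID-26800 regression input: after sanitizing, no style value may still contain expression( or a script-bearing url( -->` would keep the pass criterion next to the input. The first five lines of test 5 are labelled "Character entity references" but appear on this page as plain text identical to test 2, presumably because the page decoded them; it is worth confirming the committed file still holds the encoded forms. The test code that loads this fixture is not part of this diff, so the assertion it makes cannot be checked from here.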