[ { "name": "IE_Comments", "input": "", "output": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->" }, { "name": "IE_Comments_2", "input": "", "output": "<script>alert('XSS');</script>", "rexml": "Ill-formed XHTML!" }, { "name": "allow_colons_in_path_component", "input": "foo", "output": "foo" }, { "name": "background_attribute", "input": "
", "output": "
", "xhtml": "
", "rexml": "
" }, { "name": "bgsound", "input": "", "output": "<bgsound src=\"javascript:alert('XSS');\"/>", "rexml": "<bgsound src=\"javascript:alert('XSS');\"></bgsound>" }, { "name": "div_background_image_unicode_encoded", "input": "
foo
", "output": "
foo
" }, { "name": "div_expression", "input": "
foo
", "output": "
foo
" }, { "name": "double_open_angle_brackets", "input": "", "rexml": "Ill-formed XHTML!" }, { "name": "double_open_angle_brackets_2", "input": "", "output": "<script src=\"http://ha.ckers.org/xss.js\"></script>", "rexml": "Ill-formed XHTML!" }, { "name": "non_alpha_non_digit_2", "input": "foo", "output": "foo", "rexml": "Ill-formed XHTML!" }, { "name": "non_alpha_non_digit_3", "input": "", "output": "", "rexml": "Ill-formed XHTML!" }, { "name": "non_alpha_non_digit_II", "input": "foo", "output": "foo", "rexml": "Ill-formed XHTML!" }, { "name": "non_alpha_non_digit_III", "input": "foo", "output": "foo", "rexml": "Ill-formed XHTML!" }, { "name": "platypus", "input": "never trust your upstream platypus", "output": "never trust your upstream platypus" }, { "name": "protocol_resolution_in_script_tag", "input": "", "output": "<script src=\"//ha.ckers.org/.j\"></script>", "rexml": "Ill-formed XHTML!" }, { "name": "should_allow_anchors", "input": "", "output": "<script>baz</script>" }, { "name": "should_allow_image_alt_attribute", "input": "foo", "output": "foo", "rexml": "foo" }, { "name": "should_allow_image_height_attribute", "input": "", "output": "", "rexml": "" }, { "name": "should_allow_image_src_attribute", "input": "", "output": "", "rexml": "" }, { "name": "should_allow_image_width_attribute", "input": "", "output": "", "rexml": "" }, { "name": "should_handle_blank_text", "input": "", "output": "" }, { "name": "should_handle_malformed_image_tags", "input": "\">", "output": "<script>alert(\"XSS\")</script>\">", "rexml": "Ill-formed XHTML!" }, { "name": "should_handle_non_html", "input": "abc", "output": "abc" }, { "name": "should_not_fall_for_ridiculous_hack", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_0", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_1", "input": "", "output": "", "rexml": "Ill-formed XHTML!" }, { "name": "should_not_fall_for_xss_image_hack_10", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_11", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_12", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_13", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_14", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_2", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_3", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_4", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_5", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_6", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_7", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_8", "input": "", "output": "", "rexml": "" }, { "name": "should_not_fall_for_xss_image_hack_9", "input": "", "output": "", "rexml": "" }, { "name": "should_sanitize_half_open_scripts", "input": "", "rexml": "Ill-formed XHTML!" }, { "name": "should_sanitize_invalid_script_tag", "input": "", "output": "<script src=\"http://ha.ckers.org/xss.js\"></script>", "rexml": "Ill-formed XHTML!" }, { "name": "should_sanitize_script_tag_with_multiple_open_brackets", "input": "<", "output": "alert(\"XSS\");//", "rexml": "Ill-formed XHTML!" }, { "name": "should_sanitize_script_tag_with_multiple_open_brackets_2", "input": "