diff --git a/js/test.js b/js/test.js
index 2e06c87..be4df6d 100644
--- a/js/test.js
+++ b/js/test.js
@@ -1451,9 +1451,6 @@ describe('PasteViewer', function () {
 // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 jsc.elements([
 '',
-// @TODO these two pass, but aren't evaluated in this context - do they need to be sanitized, too?
-// '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
-// 'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
 '></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
 '\'\';!--"<XSS>=&{()}',
 '<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
@@ -1466,8 +1463,18 @@ describe('PasteViewer', function () {
 '<a onmouseover="alert(document.cookie)">xxs link</a>',
 '<a onmouseover=alert(document.cookie)>xxs link</a>',
 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
-'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'
-// @TODO the list goes on…
+'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>',
+'<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
+'<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>',
+'<TABLE BACKGROUND="javascript:alert(\'XSS\')">',
+'<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">',
+'<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://xss.rocks/xss.js"></SCRIPT>',
+'(alert)(1)',
+'a=alert,a(1)',
+'top[“al”+”ert”](1)',
+'top[/al/.source+/ert/.source](1)',
+'al\u0065rt(1)',
+'top[8680439..toString(30)](1)'
 ]),
 'string',
 function (format, prefix, xss, suffix) {
@@ -1490,4 +1497,3 @@ describe('PasteViewer', function () {
 );
 });
 });
-
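Review bot: The added vector `'al\u0065rt(1)'` is decoded by the test file's own string parser, so the property receives the plain text `alert(1)` and the unicode-escape evasion it is meant to cover never reaches the code under test; to pass the escape through literally it would have to be written `'al\\u0065rt(1)'`. Similarly `'top[“al”+”ert”](1)'` uses typographic quotes (“ ”), which are not JavaScript string delimiters, so this payload could not execute even in an eval context — it looks like a copy-paste artifact from the cheat sheet and presumably should read `'top["al"+"ert"](1)'`. More broadly, the six bare-JavaScript entries from `'(alert)(1)'` onward contain no markup at all, so when rendered as text they cannot exercise an HTML sanitizer and will pass trivially — this is exactly the concern the `@TODO` removed in the first hunk had recorded, and dropping the comment while adding more vectors of that class hides it; either keep a comment such as `// plain-JS payloads below only confirm text rendering, not sanitization` or wrap them in a script/handler context. The property body (`function (format, prefix, xss, suffix)`) continues outside the hunk, so I cannot confirm how `xss` is injected into the document.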