@ -1451,8 +1451,9 @@ describe('PasteViewer', function () {
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
jsc.elements([
'<PLAINTEXT>',
'\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
// @TODO these two pass, but aren't evaluated in this context - do they need to be sanitized, too?
// '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
// 'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
'\'\';!--"<XSS>=&{()}',
'<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
@ -1466,7 +1467,7 @@ describe('PasteViewer', function () {
'<a onmouseover=alert(document.cookie)>xxs link</a>',
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'
// the list goes on…
// @TODO the list goes on…
]),
'string',
function (format, prefix, xss, suffix) {
@ -1482,7 +1483,7 @@ describe('PasteViewer', function () {
$.PrivateBin.PasteViewer.setFormat(format);
$.PrivateBin.PasteViewer.setText(text);
$.PrivateBin.PasteViewer.run();
var result = $('body').html().indexOf(xss) !== -1;
var result = $('body').html().indexOf(xss) === -1;
clean();
return result;
}
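Review bot: The corrected assertion `var result = $('body').html().indexOf(xss) === -1;` is a negative check only, so it also passes vacuously when `run()` rendered nothing at all, and it compares against the DOM as re-serialized by `.html()`, so a payload the parser normalized (attribute quoting, tag case) can be absent verbatim while an equivalent element is still live in the page. Consider pairing it with a positive check that the paste actually rendered and a structural check for dangerous nodes, e.g. `var html = $('body').html();` followed by `var result = html.indexOf(xss) === -1 && $('script, img[src^="javascript:"]').length === 0;`, keeping the substring test as a secondary signal. The value passed to `setText` is built outside this hunk, so whether `prefix`/`suffix` survive escaping cannot be judged here; the enclosing `describe` block also starts outside the hunk.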