HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.

Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

Fatal error: Class 'HTMLPurifier_ChildDef_Table' not found in C:\xampp\htdocs\inlislite3-old\vendorxa\ezyang\htmlpurifier\library\HTMLPurifier\HTMLModule\Tables.php on line 23

Name	Raw	Output	Render
XSS Locator	';alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//--></S » CRIPT>">'><SCRIPT>alert(Stri » ng.fromCharCode(88,83,83))</ » SCRIPT>=&{}

Name

Raw

Output

Render

XSS Locator

';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//--></S »
CRIPT>">'><SCRIPT>alert(Stri »
ng.fromCharCode(88,83,83))</ »
SCRIPT>=&{}