module.exports = [{
"title": "DOM Clobbering against document.createElement() (see #47)",
"payload": "<img src=x:x name=createElement><img src=y id=createElement>",
"expected": "<img src=\"x:x\"><img src=\"y\">"
}, {
"title": "DOM Clobbering against an empty cookie",
"payload": "<img src=x:x name=cookie>",
"expected": "<img src=\"x:x\">"
}, {
"title": "JavaScript URIs using Unicode LS/PS I",
"payload": "123<a href='\u2028javascript:alert(1)'>I am a dolphin!</a>",
"expected": "123<a>I am a dolphin!</a>"
}, {
"title": "JavaScript URIs using Unicode LS/PS II",
"payload": "123<a href='\u2028javascript:alert(1)'>I am a dolphin too!</a>",
"expected": "123<a>I am a dolphin too!</a>"
}, {
"title": "JavaScript URIs using Unicode Whitespace",
"payload": "123<a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href='᠎javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href='​javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a><a href=' javascript:alert(1)'>CLICK</a>",
"expected": "123<a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a><a>CLICK</a>"
}, {
"title": "Image with data URI src",
"payload": "<img src=data:image/jpeg,ab798ewqxbaudbuoibeqbla>",
"expected": "<img src=\"data:image/jpeg,ab798ewqxbaudbuoibeqbla\">"
}, {
"title": "Image with JavaScript URI src (DoS on Firefox)",
"payload": "<img src='javascript:while(1){}'>",
"expected": "<img>"
}, {
"title": "Link with data URI href",
"payload": "<a href=data:,evilnastystuff>clickme</a>",
"expected": "<a>clickme</a>"
}, {
"title": "Simple numbers",
"payload": "123456",
"expected": "123456"
}, {
"title": "DOM clobbering XSS by @irsdl using attributes",
"payload": "<form onmouseover='alert(1)'><input name=\"attributes\"><input name=\"attributes\">",
"expected": ["", "<form><input><input></form>"]
}, {
"title": "DOM clobbering: getElementById",
"payload": "<img src=x:x name=getElementById>",
"expected": "<img src=\"x:x\">"
}, {
"title": "DOM clobbering: location",
"payload": "<a href=\"#some-code-here\" id=\"location\">invisible",
"expected": "<a href=\"#some-code-here\">invisible</a>"
}, {
"title": "onclick, onsubmit, onfocus; DOM clobbering: parentNode",
"payload": "<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>",
"expected": "<div><form><input>123</form></div>"
}, {
"title": "onsubmit, onfocus; DOM clobbering: nodeName",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=nodeName>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: nodeType",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=nodeType>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: children",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=children>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: attributes",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=attributes>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: removeChild",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=removeChild>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: removeAttributeNode",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=removeAttributeNode>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": "onsubmit, onfocus; DOM clobbering: setAttribute",
"payload": "<form onsubmit=alert(1)><input onfocus=alert(2) name=setAttribute>123</form>",
"expected": ["", "<form><input>123</form>"]
}, {
"title": ">style<",
"payload": "<style>*{color: red}</style>",
"expected": ""
}, {
"title": "HTML paragraph with text",
"payload": "<p>hello</p>",
"expected": "<p>hello</p>"
}, {
"title": "mXSS Variation I",
"payload": "<listing><img onerror=\"alert(1);//\" src=x:x><t t></listing>",
"expected": [
"<img onerror=\"alert(1);//\" src=x:x>",
"<img src=\"x:x\">"
]
}, {
"title": "mXSS Variation II",
"payload": "<img src=x:x id/=' onerror=alert(1)//'>",
"expected": ["<img src=\"x:x\">", "<img id=\"\" src=\"x:x\">"]
}, {
"title": "Textarea and comments enabling img element",
"payload": "<textarea>@shafigullin</textarea><!--</textarea><img src=x onerror=alert(1)>-->",
"expected": "<textarea>@shafigullin</textarea>"
}, {
"title": "Img element inside noscript terminated inside comment",
"payload": "<b><noscript><!-- </noscript><img src=x:x onerror=alert(1) --></noscript>",
"expected": ["<b></b>", "<b><img src=\"x:x\"></b>"]
}, {
"title": "Img element inside noscript terminated inside attribute",
"payload": "<b><noscript><a alt=\"</noscript><img src=x:x onerror=alert(1)>\"></noscript>",
"expected": [
"<b><img src=\"x:x\">\"></b>",
"<b><a alt=\"</noscript><img src=x:x onerror=alert(1)>\"></a></b>",
"<b><a alt=\"</noscript><img src=x:x onerror=alert(1)>\"></a></b>"
]
}, {
"title": "Img element inside shadow DOM template",
"payload": "<body><template><s><template><s><img src=x:x onerror=alert(1)>@shafigullin</s></template></s></template>",
"expected": "<template><s><template><s><img src=\"x:x\">@shafigullin</s></template></s></template>"
}, {
"title": "Low-range-ASCII obfuscated JavaScript URI",
"payload": "<a href=\"\u0001java\u0003script:alert(1)\">@shafigullin<a>",
"expected": [
"<a>@shafigullin</a><a></a>",
"<a>@shafigullin<a></a>"
]
}, {
"title": "Img inside style inside broken option element",
"payload": "\u0001<option><style></option></select><b><img src=x:x onerror=alert(1)></style></option>",
"expected": "\u0001<option><style></option></select><b><img src=x:x onerror=alert(1)></style></option>"
}, {
"title": "Iframe inside option element",
"payload": "<option><iframe></select><b><script>alert(1)</script>",
"expected": [
"<option><b></b></option>",
"<option></select><b><script>alert(1)</script></option>"
]
}, {
"title": "Closing Iframe and option",
"payload": "</iframe></option>",
"expected": ""
}, {
"title": "Image after style to trick jQuery tag-completion",
"payload": "<b><style><style/><img src=x:x onerror=alert(1)>",
"expected": "<b><style><style/><img src=x:x onerror=alert(1)></style></b>"
}, {
"title": "Image after self-closing style to trick jQuery tag-completion",
"payload": "<b><style><style////><img src=x:x onerror=alert(1)></style>",
"expected": "<b><style><style////><img src=x:x onerror=alert(1)></style></b>"
}, {
"title": "MathML example",
"payload": "<math xmlns=\"http://www.w3.org/1998/Math/MathML\" display=\"block\">\n <mrow>\n <menclose notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathcolor=\"#FF0000\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathbackground=\"#80FF80\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathcolor=\"#FF0000\" mathbackground=\"#80FF80\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathbackground=\"#80FF80\">a</mi></menclose>\n </mrow>\n</math>",
"expected": [
"<math display=\"block\" xmlns=\"http://www.w3.org/1998/Math/MathML\">\n <mrow>\n <menclose notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose mathcolor=\"#FF0000\" notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose mathbackground=\"#80FF80\" notation=\"box\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose mathbackground=\"#80FF80\" mathcolor=\"#FF0000\" notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathbackground=\"#80FF80\">a</mi></menclose>\n </mrow>\n</math>",
"<math display=\"block\" xmlns=\"http://www.w3.org/1998/Math/MathML\">\n <mrow>\n <menclose notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathcolor=\"#FF0000\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathbackground=\"#80FF80\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathbackground=\"#80FF80\" mathcolor=\"#FF0000\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathbackground=\"#80FF80\">a</mi></menclose>\n </mrow>\n</math>",
"<math display=\"block\" xmlns=\"http://www.w3.org/1998/Math/MathML\">\n <mrow>\n <menclose notation=\"box\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathcolor=\"#FF0000\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathbackground=\"#80FF80\"><mi mathcolor=\"#FF0000\">a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\" mathcolor=\"#FF0000\" mathbackground=\"#80FF80\"><mi>a</mi></menclose><mo>,</mo>\n <menclose notation=\"box\"><mi mathbackground=\"#80FF80\">a</mi></menclose>\n </mrow>\n</math>"
]
}, {
"title": "DOM clobbering attack using name=body",
"payload": "<image name=body><image name=adoptNode>@mmrupp<image name=firstElementChild><svg onload=alert(1)>",
"expected": [
"<img><img>@mmrupp<img><svg></svg>",
"<img><img>@mmrupp<img name=\"firstElementChild\"><svg></svg>",
"<img><img>@mmrupp<img name=\"firstElementChild\"><svg xmlns=\"http://www.w3.org/2000/svg\" />",
"<img><img>@mmrupp<img><svg xmlns=\"http://www.w3.org/2000/svg\" />"
]
}, {
"title": "Special escapes in protocol handler for XSS in Blink",
"payload": "<a href=\"\u0001java\u0003script:alert(1)\">@shafigullin<a>",
"expected": [
"<a>@shafigullin</a><a></a>",
"<a>@shafigullin<a></a>"
]
}, {
"title": "DOM clobbering attack using activeElement",
"payload": "<image name=activeElement><svg onload=alert(1)>",
"expected": [
"<img><svg></svg>",
"<img><svg xmlns=\"http://www.w3.org/2000/svg\" />"
]
}, {
"title": "DOM clobbering attack using name=body and injecting SVG + keygen",
"payload": "<image name=body><img src=x:x><svg onload=alert(1); autofocus>, <keygen onfocus=alert(1); autofocus>",
"expected": [
"<img><img src=\"x:x\"><svg>, </svg>",
"<img><img src=\"x:x\"><svg xmlns=\"http://www.w3.org/2000/svg\">, </svg></svg>"
]
}, {
"title": "Bypass using multiple unknown attributes",
"payload": "<div onmouseout=\"javascript:alert(/superevr/)\" x=yscript: n>@superevr</div>",
"expected": "<div>@superevr</div>"
}, {
"title": "Bypass using event handlers and unknown attributes",
"payload": "<button remove=me onmousedown=\"javascript:alert(1);\" onclick=\"javascript:alert(1)\" >@giutro",
"expected": "<button>@giutro</button>"
}, {
"title": "Bypass using DOM bugs when dealing with JS URIs in arbitrary attributes",
"payload": "<a href=\"javascript:123\" onclick=\"alert(1)\">CLICK ME (bypass by @shafigullin)</a>",
"expected": "<a>CLICK ME (bypass by @shafigullin)</a>"
}, {
"title": "Bypass using DOM bugs when dealing with JS URIs in arbitrary attributes (II)",
"payload": "<isindex x=\"javascript:\" onmouseover=\"alert(1)\" label=\"variation of bypass by @giutro\">",
"expected": [
"<form><hr><label>This is a searchable index. Enter search keywords: <input label=\"variation of bypass by @giutro\" name=\"isindex\"></label><hr></form>",
"<form><hr><label>This is a searchable index. Enter search keywords: <input name=\"isindex\" label=\"variation of bypass by @giutro\"></label><hr></form>",
""
]
}, {
"title": "Bypass using unknown attributes III",
"payload": "<div wow=removeme onmouseover=alert(1)>text",
"expected": "<div>text</div>"
}, {
"title": "Bypass using unknown attributes IV",
"payload": "<input x=javascript: autofocus onfocus=alert(1)><svg id=1 onload=alert(1)></svg>",
"expected": [
"<input><svg id=\"1\"></svg>",
"<input><svg xmlns=\"http://www.w3.org/2000/svg\" id=\"1\" />"
]
}, {
"title": "Bypass using unknown attributes V",
"payload": "<isindex src=\"javascript:\" onmouseover=\"alert(1)\" label=\"bypass by @giutro\" />",
"expected": [
"<form><hr><label>This is a searchable index. Enter search keywords: <input name=\"isindex\" label=\"bypass by @giutro\"></label><hr></form>",
"<form><hr><label>This is a searchable index. Enter search keywords: <input label=\"bypass by @giutro\" name=\"isindex\"></label><hr></form>",
""
]
}, {
"title": "Bypass using JS URI in href",
"payload": "<a href=\"javascript:123\" onclick=\"alert(1)\">CLICK ME (bypass by @shafigullin)</a>",
"expected": "<a>CLICK ME (bypass by @shafigullin)</a>"
}, {
"payload": "<form action=\"javasc\nript:alert(1)\"><button>XXX</button></form>",
"expected": "<form><button>XXX</button></form>"
}, {
"payload": "<div id=\"1\"><form id=\"test\"></form><button form=\"test\" formaction=\"javascript:alert(1)\">X</button>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"1\"><form></form><button>X</button>//[\"'`-->]]>]</div>",
"<div id=\"1\"><form><button>X</button>//[\"'`-->]]>]</form></div>"
]
}, {
"payload": "<div id=\"2\"><meta charset=\"x-imap4-modified-utf7\">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//[\"'`-->]]>]</div>",
"expected": "<div id=\"2\">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"3\"><meta charset=\"x-imap4-modified-utf7\">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//[\"'`-->]]>]</div>",
"expected": "<div id=\"3\">&alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"4\">0?<script>Worker(\"#\").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//[\"'`-->]]>]</div>",
"expected": "<div id=\"4\">0? :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"5\"><script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(5)',384,null,'rsa-dual-use')</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"5\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"6\"><script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"6\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"7\"><input onfocus=alert(7) autofocus>//[\"'`-->]]>]</div>",
"expected": "<div id=\"7\"><input>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"8\"><input onblur=alert(8) autofocus><input autofocus>//[\"'`-->]]>]</div>",
"expected": "<div id=\"8\"><input><input>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"9\"><a style=\"-o-link:'javascript:alert(9)';-o-link-source:current\">X</a>//[\"'`-->]]>]</div>\n\n<div id=\"10\"><video poster=javascript:alert(10)//></video>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"9\"><a style=\"-o-link:'javascript:alert(9)';-o-link-source:current\">X</a>//[\"'`-->]]>]</div>\n\n<div id=\"10\"><video></video>//[\"'`-->]]>]</div>",
"<div id=\"9\"><a style='-o-link: \"javascript:alert(9)\"; -o-link-source: current;'>X</a>//[\"'`-->]]>]</div>\n\n<div id=\"10\"><video></video>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"11\"><svg xmlns=\"http://www.w3.org/2000/svg\"><g onload=\"javascript:alert(11)\"></g></svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"11\"><svg xmlns=\"http://www.w3.org/2000/svg\"><g></g></svg>//[\"'`-->]]>]</div>",
"<div id=\"11\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\"><g /></svg>//[\"'`-->]]>]</div>",
"<div id=\"11\"><svg xmlns=\"http://www.w3.org/2000/svg\"><g /></svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"12\"><body onscroll=alert(12)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>//[\"'`-->]]>]</div>",
"expected": "<div id=\"12\"><br><br><br><br><br><br>...<br><br><br><br><input>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"13\"><x repeat=\"template\" repeat-start=\"999999\">0<y repeat=\"template\" repeat-start=\"999999\">1</y></x>//[\"'`-->]]>]</div>",
"expected": "<div id=\"13\">01//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"14\"><input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"14\"><input value=\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!\" pattern=\"^((a+.)a)+$\">//[\"'`-->]]>]</div>",
"<div id=\"14\"><input pattern=\"^((a+.)a)+$\" value=\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!\">//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"15\"><script>({0:#0=alert/#0#/#0#(0)})</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"15\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"16\">X<x style=`behavior:url(#default#time2)` onbegin=`alert(16)` >//[\"'`-->]]>]</div>",
"expected": "<div id=\"16\">X//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"17\"><?xml-stylesheet href=\"javascript:alert(17)\"?><root/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"17\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"18\"><script xmlns=\"http://www.w3.org/1999/xhtml\">alert(1)</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"18\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"19\"><meta charset=\"x-mac-farsi\">\u00BCscript \u00BEalert(19)//\u00BC/script \u00BE//[\"'`-->]]>]</div>",
"expected": "<div id=\"19\">\u00BCscript \u00BEalert(19)//\u00BC/script \u00BE//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"20\"><script>ReferenceError.prototype.__defineGetter__('name', function(){alert(20)}),x</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"20\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"21\"><script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(21)')()</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"21\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"22\"><input onblur=focus() autofocus><input>//[\"'`-->]]>]</div>",
"expected": "<div id=\"22\"><input><input>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"23\"><form id=test onforminput=alert(23)><input></form><button form=test onformchange=alert(2)>X</button>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"23\"><form><input></form><button>X</button>//[\"'`-->]]>]</div>",
"<div id=\"23\"><form><input><button>X</button>//[\"'`-->]]>]</form></div>"
]
}, {
"payload": "<div id=\"24\">1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src=\"x:x\"onerror=alert(24)>`>//[\"'`-->]]>]</div>",
"expected": "<div id=\"24\">1`>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"25\"><script src=\"#\">{alert(25)}</script>;1//[\"'`-->]]>]</div>",
"expected": "<div id=\"25\">;1//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"26\">+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//[\"'`-->]]>]</div>",
"expected": "<div id=\"26\">+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"27\"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//[\"'`-->]]>]</div><div id=\"28\">1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src=\".\"onerror=alert(28)>>//[\"'`-->]]>]</div>",
"expected": "<div id=\"27\"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//[\"'`-->]]>]</div><div id=\"28\">1>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"29\"><link rel=stylesheet href=data:,*%7bx:expression(alert(29))%7d//[\"'`-->]]>]</div>",
"expected": "<div id=\"29\">]]>]</div>"
}, {
"payload": "<div id=\"30\"><style>@import \"data:,*%7bx:expression(alert(30))%7D\";</style>//[\"'`-->]]>]</div>",
"expected": "<div id=\"30\"><style>@import \"data:,*%7bx:expression(alert(30))%7D\";</style>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"31\"><frameset onload=alert(31)>//[\"'`-->]]>]</div>",
"expected": ""
}, {
"payload": "<div id=\"32\"><table background=\"javascript:alert(32)\"></table>//[\"'`-->]]>]</div>",
"expected": "<div id=\"32\"><table></table>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"33\"><a style=\"pointer-events:none;position:absolute;\"><a style=\"position:absolute;\" onclick=\"alert(33);\">XXX</a></a><a href=\"javascript:alert(2)\">XXX</a>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"33\"><a style=\"pointer-events:none;position:absolute;\"></a><a style=\"position:absolute;\">XXX</a><a>XXX</a>//[\"'`-->]]>]</div>",
"<div id=\"33\"><a style=\"position: absolute; pointer-events: none;\"><a style=\"position: absolute;\">XXX</a><a>XXX</a>//[\"'`-->]]>]</div>",
"<div id=\"33\"><a style=\"pointer-events:none;position:absolute;\"><a style=\"position:absolute;\">XXX</a><a>XXX</a>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"34\">1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>//[\"'`-->]]>]</div>",
"expected": "<div id=\"34\">1//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"35\">1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(35) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"35\">1<a href=\"#\"><line style=\"behavior:url(#default#vml);position:absolute\" xmlns=\"urn:schemas-microsoft-com:vml\"></line></a>//[\"'`-->]]>]</div>",
"<div id=\"35\">1<a href=\"#\"><line style=\"position: absolute; behavior: url(#default#vml);\" xmlns=\"urn:schemas-microsoft-com:vml\"></line></a>//[\"'`-->]]>]</div>",
"<div id=\"35\">1<a href=\"#\"><line style=\"position: absolute; -ms-behavior: url(#default#vml);\" xmlns=\"urn:schemas-microsoft-com:vml\"></line></a>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"36\"><a style=\"behavior:url(#default#AnchorClick);\" folder=\"javascript:alert(36)\">XXX</a>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"36\"><a style=\"behavior:url(#default#AnchorClick);\">XXX</a>//[\"'`-->]]>]</div>",
"<div id=\"36\"><a style=\"behavior: url(#default#AnchorClick);\">XXX</a>//[\"'`-->]]>]</div>",
"<div id=\"36\"><a style=\"-ms-behavior: url(#default#AnchorClick);\">XXX</a>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"37\"><!--<img src=\"--><img src=x:x onerror=alert(37)//\">//[\"'`-->]]>]</div>",
"expected": "<div id=\"37\"><img src=\"x:x\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"38\"><comment><img src=\"</comment><img src=x onerror=alert(38)//\">//[\"'`-->]]>]</div><div id=\"39\"><!-- up to Opera 11.52, FF 3.6.28 -->",
"expected": [
"<div id=\"38\"><img src=\"</comment><img src=x onerror=alert(38)//\">//[\"'`-->]]>]</div><div id=\"39\"></div>",
"<div id=\"38\"><img src=\"</comment><img src=x onerror=alert(38)//\">//[\"'`-->]]>]</div><div id=\"39\"></div>",
"<div id=\"38\"><img src=\"%3C/comment%3E%3Cimg%20src=x%20onerror=alert%2838%29//\">//[\"'`-->]]>]</div><div id=\"39\"></div>"
]
}, {
"payload": "<![><img src=\"]><img src=x onerror=alert(39)//\">",
"expected": [
"<img src=\"]><img src=x onerror=alert(39)//\">",
"<img src=\"]><img src=x onerror=alert(39)//\">",
"<img src=\"]%3E%3Cimg%20src=x%20onerror=alert%2839%29//\">"
]
}, {
"payload": "<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ -->\n<svg><![CDATA[><image xlink:href=\"]]><img src=x:x onerror=alert(2)//\"></svg>//[\"'`-->]]>]</div>",
"expected": [
"<svg>><image xlink:href=\"</svg><img src=\"x:x\">//[\"'`-->]]>]",
"<svg>><image xlink:href=\"<img src=\"x:x\"></img></svg>//[\"'`-->]]>]",
"<svg xmlns=\"http://www.w3.org/2000/svg\">><image xlink:href=\"</svg></svg><img src=\"x:x\">//[\"'`-->]]>]"
]
}, {
"payload": "<div id=\"40\"><style><img src=\"</style><img src=x:x onerror=alert(40)//\">//[\"'`-->]]>]</div>",
"expected": "<div id=\"40\"><style><img src=\"</style><img src=\"x:x\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"41\"><li style=list-style:url() onerror=alert(41)></li>",
"expected": [
"<div id=\"41\"><li style=\"list-style:url()\"></li></div>",
"<div id=\"41\"><li></li></div>"
]
}, {
"payload": "<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(41)></div>//[\"'`-->]]>]</div>",
"expected": [
"<div style=\"content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden\"></div>//[\"'`-->]]>]",
"<div style=\"visibility: hidden; content: url(data:image/svg+xml,%3Csvg/%3E);\"></div>//[\"'`-->]]>]"
]
}, {
"payload": "<div id=\"42\"><head><base href=\"javascript://\"/></head><body><a href=\"/. /,alert(42)//#\">XXX</a></body>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"42\"><a href=\"/. /,alert(42)//#\">XXX</a>//[\"'`-->]]>]</div>",
"<div id=\"42\"><a href=\"/.%20/,alert%2842%29//#\">XXX</a>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"43\"><?xml version=\"1.0\" standalone=\"no\"?>",
"expected": "<div id=\"43\"></div>"
}, {
"payload": "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n<head>\n<style type=\"text/css\">\n@font-face {font-family: y; src: url(\"font.svg#x\") format(\"svg\");} body {font: 100px \"y\";}\n</style>\n</head>\n<body>Hello</body>\n</html>//[\"'`-->]]>]</div>",
"expected": "Hello\n//[\"'`-->]]>]"
}, {
"payload": "<div id=\"44\"><style>*[{}@import'test.css?]{color: green;}</style>X//[\"'`-->]]>]</div>",
"expected": "<div id=\"44\"><style>*[{}@import'test.css?]{color: green;}</style>X//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"45\"><div style=\"font-family:'foo[a];color:red;';\">XXX</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"45\"><div style=\"font-family:'foo[a];color:red;';\">XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"45\"><div style='font-family: \"foo[a];color:red;\";'>XXX</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"46\"><div style=\"font-family:foo}color=red;\">XXX</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"46\"><div style=\"font-family:foo}color=red;\">XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"46\"><div style=\"font-family: foo;\">XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"46\"><div>XXX</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"47\"><svg xmlns=\"http://www.w3.org/2000/svg\"><script>alert(47)</script></svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"47\"><svg xmlns=\"http://www.w3.org/2000/svg\"></svg>//[\"'`-->]]>]</div>",
"<div id=\"47\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" />//[\"'`-->]]>]</div>",
"<div id=\"47\"><svg xmlns=\"http://www.w3.org/2000/svg\" />//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"48\"><SCRIPT FOR=document EVENT=onreadystatechange>alert(48)</SCRIPT>//[\"'`-->]]>]</div>",
"expected": "<div id=\"48\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"49\"><OBJECT CLASSID=\"clsid:333C7BC4-460F-11D0-BC04-0080C7055A83\"><PARAM NAME=\"DataURL\" VALUE=\"javascript:alert(49)\"></OBJECT>//[\"'`-->]]>]</div>",
"expected": "<div id=\"49\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"50\"><object data=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"></object>//[\"'`-->]]>]</div>",
"expected": "<div id=\"50\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"51\"><embed src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"></embed>//[\"'`-->]]>]</div>",
"expected": "<div id=\"51\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"52\"><x style=\"behavior:url(test.sct)\">//[\"'`-->]]>]</div><div id=\"53\"><xml id=\"xss\" src=\"test.htc\"></xml>",
"expected": "<div id=\"52\">//[\"'`-->]]>]</div><div id=\"53\"></div>"
}, {
"payload": "<label dataformatas=\"html\" datasrc=\"#xss\" datafld=\"payload\"></label>//[\"'`-->]]>]</div>",
"expected": "<label></label>//[\"'`-->]]>]"
}, {
"payload": "<div id=\"54\"><script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"54\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"55\"><video><source onerror=\"alert(55)\">//[\"'`-->]]>]</div>",
"expected": "<div id=\"55\"><video><source>//[\"'`-->]]>]</video></div>"
}, {
"payload": "<div id=\"56\"><video onerror=\"alert(56)\"><source></source></video>//[\"'`-->]]>]</div>",
"expected": "<div id=\"56\"><video><source></video>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"57\"><b <script>alert(57)//</script>0</script></b>//[\"'`-->]]>]</div>",
"expected": "<div id=\"57\"><b>alert(57)//0</b>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"58\"><b><script<b></b><alert(58)</script </b></b>//[\"'`-->]]>]</div>",
"expected": "<div id=\"58\"><b></b>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"59\"><div id=\"div1\"><input value=\"``onmouseover=alert(59)\"></div> <div id=\"div2\"></div><script>document.getElementById(\"div2\").innerHTML = document.getElementById(\"div1\").innerHTML;</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"59\"><div id=\"div1\"><input value=\"``onmouseover=alert(59)\"></div> <div id=\"div2\"></div>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"60\"><div style=\"[a]color[b]:[c]red\">XXX</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"60\"><div style=\"[a]color[b]:[c]red\">XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"60\"><div>XXX</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"61\"><div style=\"3\t\u0006f\n\u00006c\f\u000006F\nR:\u0000072 Ed;color\u0000\bla:yellow\u0000\bla;col\u0000\u0000 \u00A0or:blue;\">XXX</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"61\"><div style=\"3\t\u0006f\n\uFFFD6c\f\uFFFD06F\nR:\uFFFD072 Ed;color\uFFFD\bla:yellow\uFFFD\bla;col\uFFFD\uFFFD or:blue;\">XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"61\"><div>XXX</div>//[\"'`-->]]>]</div>",
"<div id=\"61\"></div>"
]
}, {
"payload": "<div id=\"62\"><!-- IE 6-8 -->\n<x '=\"foo\"><x foo='><img src=x onerror=alert(62)//'>\n<!-- IE 6-9 -->\n<! '=\"foo\"><x foo='><img src=x onerror=alert(2)//'>\n<? '=\"foo\"><x foo='><img src=x onerror=alert(3)//'>//[\"'`-->]]>]</div>",
"expected": "<div id=\"62\">\n\n\n\n//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"63\"><embed src=\"javascript:alert(63)\"></embed> // O10.10\u2193, OM10.0\u2193, GC6\u2193, FF\n<img src=\"javascript:alert(2)\">\n<image src=\"javascript:alert(2)\"> // IE6, O10.10\u2193, OM10.0\u2193\n<script src=\"javascript:alert(3)\"></script> // IE6, O11.01\u2193, OM10.1\u2193//[\"'`-->]]>]</div>",
"expected": "<div id=\"63\"> // O10.10\u2193, OM10.0\u2193, GC6\u2193, FF\n<img>\n<img> // IE6, O10.10\u2193, OM10.0\u2193\n // IE6, O11.01\u2193, OM10.1\u2193//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"64\"><!DOCTYPE x[<!ENTITY x SYSTEM \"http://html5sec.org/test.xxe\">]><y>&x;</y>//[\"'`-->]]>]</div>",
"expected": "<div id=\"64\">]>&x;//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"65\"><svg onload=\"javascript:alert(65)\" xmlns=\"http://www.w3.org/2000/svg\"></svg>//[\"'`-->]]>]</div><div id=\"66\"><?xml version=\"1.0\"?>",
"expected": [
"<div id=\"65\"><svg xmlns=\"http://www.w3.org/2000/svg\"></svg>//[\"'`-->]]>]</div><div id=\"66\"></div>",
"<div id=\"65\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" />//[\"'`-->]]>]</div><div id=\"66\"></div>",
"<div id=\"65\"><svg xmlns=\"http://www.w3.org/2000/svg\" />//[\"'`-->]]>]</div><div id=\"66\"></div>"
]
}, {
"payload": "<?xml-stylesheet type=\"text/xsl\" href=\"data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(66)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E\"?>\n<root/>//[\"'`-->]]>]</div>\n<div id=\"67\"><!DOCTYPE x [\n <!ATTLIST img xmlns CDATA \"http://www.w3.org/1999/xhtml\" src CDATA \"xx:x\"\n onerror CDATA \"alert(67)\"\n onload CDATA \"alert(2)\">\n]><img />//[\"'`-->]]>]</div>",
"expected": "//[\"'`-->]]>]\n<div id=\"67\">\n]><img>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"68\"><doc xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:html=\"http://www.w3.org/1999/xhtml\">\n <html:style /><x xlink:href=\"javascript:alert(68)\" xlink:type=\"simple\">XXX</x>\n</doc>//[\"'`-->]]>]</div>",
"expected": "<div id=\"68\">\n XXX\n//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"69\"><card xmlns=\"http://www.wapforum.org/2001/wml\"><onevent type=\"ontimer\"><go href=\"javascript:alert(69)\"/></onevent><timer value=\"1\"/></card>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"69\">//[\"'`-->]]>]</div>",
"<div id=\"69\"></div>"
]
}, {
"payload": "<div id=\"70\"><div style=width:1px;filter:glow onfilterchange=alert(70)>x</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"70\"><div style=\"width:1px;filter:glow\">x</div>//[\"'`-->]]>]</div>",
"<div id=\"70\"><div style=\"width: 1px;\">x</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"71\"><// style=x:expression\u00028alert(71)\u00029>//[\"'`-->]]>]</div>",
"expected": "<div id=\"71\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"72\"><form><button formaction=\"javascript:alert(72)\">X</button>//[\"'`-->]]>]</div>",
"expected": "<div id=\"72\"><form><button>X</button>//[\"'`-->]]>]</form></div>"
}, {
"payload": "<div id=\"73\"><event-source src=\"event.php\" onload=\"alert(73)\">//[\"'`-->]]>]</div>",
"expected": "<div id=\"73\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"74\"><a href=\"javascript:alert(74)\"><event-source src=\"data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A\" /></a>//[\"'`-->]]>]</div>",
"expected": "<div id=\"74\"><a></a>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"75\"><script<{alert(75)}/></script </>//[\"'`-->]]>]</div>",
"expected": "<div id=\"75\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"76\"><?xml-stylesheet type=\"text/css\"?><!DOCTYPE x SYSTEM \"test.dtd\"><x>&x;</x>//[\"'`-->]]>]</div>",
"expected": "<div id=\"76\">&x;//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"77\"><?xml-stylesheet type=\"text/css\"?><root style=\"x:expression(alert(77))\"/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"77\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"78\"><?xml-stylesheet type=\"text/xsl\" href=\"#\"?><img xmlns=\"x-schema:test.xdr\"/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"78\"><img xmlns=\"x-schema:test.xdr\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"79\"><object allowscriptaccess=\"always\" data=\"x:x\"></object>//[\"'`-->]]>]</div>",
"expected": "<div id=\"79\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"80\"><style>*{x:\uFF45\uFF58\uFF50\uFF52\uFF45\uFF53\uFF53\uFF49\uFF4F\uFF4E(alert(80))}</style>//[\"'`-->]]>]</div>",
"expected": "<div id=\"80\"><style>*{x:\uFF45\uFF58\uFF50\uFF52\uFF45\uFF53\uFF53\uFF49\uFF4F\uFF4E(alert(80))}</style>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"81\"><x xmlns:xlink=\"http://www.w3.org/1999/xlink\" xlink:actuate=\"onLoad\" xlink:href=\"javascript:alert(81)\" xlink:type=\"simple\"/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"81\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"82\"><?xml-stylesheet type=\"text/css\" href=\"data:,*%7bx:expression(write(2));%7d\"?>//[\"'`-->]]>]</div><div id=\"83\"><x:template xmlns:x=\"http://www.wapforum.org/2001/wml\" x:ontimer=\"$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(83)\"><x:timer value=\"1\"/></x:template>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"82\">//[\"'`-->]]>]</div><div id=\"83\">//[\"'`-->]]>]</div>",
"<div id=\"82\">//[\"'`-->]]>]</div><div id=\"83\"></div>"
]
}, {
"payload": "<div id=\"84\"><x xmlns:ev=\"http://www.w3.org/2001/xml-events\" ev:event=\"load\" ev:handler=\"javascript:alert(84)//#x\"/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"84\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"85\"><x xmlns:ev=\"http://www.w3.org/2001/xml-events\" ev:event=\"load\" ev:handler=\"test.evt#x\"/>//[\"'`-->]]>]</div>",
"expected": "<div id=\"85\">//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"86\"><body oninput=alert(86)><input autofocus>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<a xmlns:xlink=\"http://www.w3.org/1999/xlink\" xlink:href=\"javascript:alert(87)\"><rect width=\"1000\" height=\"1000\" fill=\"white\"/></a>\n</svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"86\"><input>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<a><rect fill=\"white\" height=\"1000\" width=\"1000\"></rect></a>\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"86\"><input>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<a xmlns:xlink=\"http://www.w3.org/1999/xlink\"><rect fill=\"white\" height=\"1000\" width=\"1000\"></rect></a>\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"86\"><input>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n<a xmlns:NS1=\"\" NS1:xmlns:xlink=\"http://www.w3.org/1999/xlink\"><rect fill=\"white\" width=\"1000\" height=\"1000\" /></a>\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"86\"><input>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n<a><rect fill=\"white\" width=\"1000\" height=\"1000\" /></a>\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"86\"><input>//[\"'`-->]]>]</div><div id=\"87\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<a xmlns:xlink=\"http://www.w3.org/1999/xlink\"><rect fill=\"white\" width=\"1000\" height=\"1000\" /></a>\n</svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"88\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n<animation xlink:href=\"javascript:alert(88)\"/>\n<animation xlink:href=\"data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E\"/>\n\n<image xlink:href=\"data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E\"/>\n\n<foreignObject xlink:href=\"javascript:alert(88)\"/>\n<foreignObject xlink:href=\"data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(88)%3C/script%3E\"/>\n\n</svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"88\"><svg xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns=\"http://www.w3.org/2000/svg\">\n\n\n\n<image></image>\n\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"88\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n\n\n\n<image></image>\n\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"88\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:NS1=\"\" NS1:xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n\n\n\n<image />\n\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"88\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n\n\n\n<image />\n\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"88\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n\n\n\n<image />\n\n\n\n\n</svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"89\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<set attributeName=\"onmouseover\" to=\"alert(89)\"/>\n<animate attributeName=\"onunload\" to=\"alert(89)\"/>\n</svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"89\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"89\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n\n\n</svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"90\"><!-- Up to Opera 10.63 -->\n<div style=content:url(test2.svg)></div>\n\n<!-- Up to Opera 11.64 - see link below -->\n\n<!-- Up to Opera 12.x -->\n<div style=\"background:url(test5.svg)\">PRESS ENTER</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"90\">\n<div style=\"content:url(test2.svg)\"></div>\n\n\n\n\n<div style=\"background:url(test5.svg)\">PRESS ENTER</div>//[\"'`-->]]>]</div>",
"<div id=\"90\">\n<div style=\"content: url(test2.svg);\"></div>\n\n\n\n\n<div style='background: url(\"test5.svg\");'>PRESS ENTER</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"91\">[A]\n<? foo=\"><script>alert(91)</script>\">\n<! foo=\"><script>alert(91)</script>\">\n</ foo=\"><script>alert(91)</script>\">\n[B]\n<? foo=\"><x foo='?><script>alert(91)</script>'>\">\n[C]\n<! foo=\"[[[x]]\"><x foo=\"]foo><script>alert(91)</script>\">\n[D]\n<% foo><x foo=\"%><script>alert(91)</script>\">//[\"'`-->]]>]</div>",
"expected": "<div id=\"91\">[A]\n\">\n\">\n\">\n[B]\n\">\n[C]\n\n[D]\n<% foo>//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"92\"><div style=\"background:url(http://foo.f/f oo/;color:red/*/foo.jpg);\">X</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"92\"><div style=\"background:url(http://foo.f/f oo/;color:red/*/foo.jpg);\">X</div>//[\"'`-->]]>]</div>",
"<div id=\"92\"><div>X</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"93\"><div style=\"list-style:url(http://foo.f)\u0010url(javascript:alert(93));\">X</div>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"93\"><div style=\"list-style:url(http://foo.f)\u0010url(javascript:alert(93));\">X</div>//[\"'`-->]]>]</div>",
"<div id=\"93\"><div>X</div>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"94\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n<handler xmlns:ev=\"http://www.w3.org/2001/xml-events\" ev:event=\"load\">alert(94)</handler>\n</svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"94\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"94\"><svg xmlns=\"http://www.w3.org/2000/svg\">\nalert(94)\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"94\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n<feImage>\n<set attributeName=\"xlink:href\" to=\"data:image/svg+xml;charset=utf-8;base64,\nPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D\"/>\n</feImage>\n</svg>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"95\"><svg xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns=\"http://www.w3.org/2000/svg\">\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n\n\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:NS1=\"\" NS1:xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\">\n\n</svg>//[\"'`-->]]>]</div>",
"<div id=\"95\"><svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n\n</svg>//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"96\"><iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>\n<iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>//[\"'`-->]]>]</div>",
"expected": "<div id=\"96\">\n//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"97\"><!-- IE 5-9 -->\n<div id=d><x xmlns=\"><iframe onload=alert(97)\"></div>\n<script>d.innerHTML+='';</script>\n<!-- IE 10 in IE5-9 Standards mode -->\n<div id=d><x xmlns='\"><iframe onload=alert(2)//'></div>\n<script>d.innerHTML+='';</script>//[\"'`-->]]>]</div>",
"expected": "<div id=\"97\">\n<div id=\"d\"></div>\n\n\n<div id=\"d\"></div>\n//[\"'`-->]]>]</div>"
}, {
"payload": "<div id=\"98\"><div id=d><div style=\"font-family:'sans\u0017\u0002F\u0002A\u0012\u0002A\u0002F\u0003B color\u0003Ared\u0003B'\">X</div></div>\n<script>with(document.getElementById(\"d\"))innerHTML=innerHTML</script>//[\"'`-->]]>]</div>",
"expected": [
"<div id=\"98\"><div id=\"d\"><div style=\"font-family:'sans\u0017\u0002F\u0002A\u0012\u0002A\u0002F\u0003B color\u0003Ared\u0003B'\">X</div></div>\n//[\"'`-->]]>]</div>",
"<div id=\"98\"><div id=\"d\"><div style='font-family: \"sansFAAFB colorAredB\";'>X</div></div>\n//[\"'`-->]]>]</div>",
"<div id=\"98\"><div id=\"d\"><div style=\"font-family:'sansFAAFB colorAredB'\">X</div></div>\n//[\"'`-->]]>]</div>"
]
}, {
"payload": "<div id=\"99\"