Lines Matching refs:sanitize
13 sanitize("<div dir=\"ltr\">something</div>", "<div dir=\"ltr\">something</div>");
14 sanitize("<div dir=\"rtl\">something</div>", "<div dir=\"rtl\">something</div>");
15 sanitize("<div dir=\"LTR\">something</div>", "<div dir=\"ltr\">something</div>");
16 sanitize("<div dir=\"RTL\">something</div>", "<div dir=\"rtl\">something</div>");
17 sanitize("<div dir=\"blah\">something</div>", "<div>something</div>");
22 sanitize("<a coords=\"something\"></a>", "<a coords=\"something\"></a>");
23 sanitize("<a href=\"http://www.here.com\"></a>", "<a href=\"http://www.here.com\"></a>");
24 sanitize("<a href=\"https://www.here.com\"></a>", "<a href=\"https://www.here.com\"></a>");
25 sanitize("<a name=\"something\"></a>", "<a name=\"something\"></a>");
26 sanitize("<a shape=\"something\"></a>", "<a shape=\"something\"></a>");
29 sanitize("<a charset=\"something\"></a>", "");
30 sanitize("<a datafld=\"something\"></a>", "");
31 sanitize("<a datasrc=\"something\"></a>", "");
32 sanitize("<a download=\"something\"></a>", "");
33 sanitize("<a href=\"javascript:badness()\"></a>", "");
34 sanitize("<a href=\"cid:ii_hyw5v8ej0\"></a>", "");
35 sanitize("<a hreflang=\"something\"></a>", "");
36 sanitize("<a media=\"something\"></a>", "");
37 sanitize("<a methods=\"something\"></a>", "");
38 sanitize("<a ping=\"something\"></a>", "");
39 sanitize("<a rel=\"something\"></a>", "");
40 sanitize("<a rev=\"something\"></a>", "");
41 sanitize("<a target=\"_top\"></a>", "");
42 sanitize("<a type=\"_top\"></a>", "");
43 sanitize("<a urn=\"_top\"></a>", "");
44 sanitize("<a onmouseout=\"alert(document.cookie)\">xxs link</a>", "xxs link");
45 sanitize("<a onmouseover=\"alert(document.cookie)\">xxs link</a>", "xxs link");
46 sanitize("<a onmouseover=alert(document.cookie)>xxs link</a>", "xxs link");
47 sanitize("exp/*<a style='no\\xss:noxss(\"*//*\");\n" +
52 sanitize("<abbr title=\"United Kingdom\">UK</abbr>",
57 sanitize("<acronym title=\"World Wide Web\">WWW</acronym>",
62 sanitize("<address>something</address>", "<address>something</address>");
67 sanitize("<applet>malicious applet</applet>", "malicious applet");
72 sanitize("<area alt=\"something\"/>", "<area alt=\"something\" />");
73 sanitize("<area coords=\"something\"/>", "<area coords=\"something\" />");
74 sanitize("<area href=\"http://www.here.com\"/>", "<area href=\"http://www.here.com\" />");
75 sanitize("<area href=\"https://www.here.com\"/>", "<area href=\"https://www.here.com\" />");
76 sanitize("<area name=\"something\"/>", "<area name=\"something\" />");
77 sanitize("<area nohref />", "<area nohref=\"nohref\" />");
78 sanitize("<area shape=\"something\"/>", "<area shape=\"something\" />");
81 sanitize("<area accessKey=\"A\"/>", "<area />");
82 sanitize("<area download=\"something\"/>", "<area />");
83 sanitize("<area href=\"javascript:badness()\"/>", "<area />");
84 sanitize("<area href=\"cid:ii_hyw5v8ej0\"/>", "<area />");
85 sanitize("<area hreflang=\"something\"/>", "<area />");
86 sanitize("<area media=\"something\"/>", "<area />");
87 sanitize("<area rel=\"something\"/>", "<area />");
88 sanitize("<area target=\"something\"/>", "<area />");
89 sanitize("<area tabindex=\"something\"/>", "<area />");
90 sanitize("<area type=\"something\"/>", "<area />");
94 sanitize("<article></article>", "<article></article>");
98 sanitize("<aside></aside>", "<aside></aside>");
102 sanitize("<audio>not supported</audio>", "not supported");
106 sanitize("<b>something</b>", "<b>something</b>");
111 sanitize("<base href=\"http://www.example.com/\">",
113 sanitize("<base href=\"https://www.example.com/\">",
117 sanitize("<base target=\"_blank\">", "<base />");
118 sanitize("<base href=\"javascript:badness()\">", "<base />");
119 sanitize("<base href=\"cid:ii_hyw5v8ej0\">", "<base />");
120 sanitize("<base href=\"javascript:alert('XSS');//\">", "<base />");
124 sanitize("<basefont color=\"something\"/>", "");
125 sanitize("<basefont face=\"something\"/>", "");
126 sanitize("<basefont size=\"something\"/>", "");
130 sanitize("<bdi>something</bdi>", "<bdi>something</bdi>");
131 sanitize("<bdi dir=\"ltr\">something</bdi>", "<bdi dir=\"ltr\">something</bdi>");
135 sanitize("<bdo>something</bdo>", "<bdo>something</bdo>");
136 sanitize("<bdo dir=\"ltr\">something</bdo>", "<bdo dir=\"ltr\">something</bdo>");
140 sanitize("<bgsound src=\"sound1.mid\">", "");
141 sanitize("<bgsound src=\"javascript:alert('XSS');\">", "");
145 sanitize("<big>something</big>", "<big>something</big>");
149 sanitize("<blink>something</blink>", "something");
153 sanitize("<blockquote>something</blockquote>", "<blockquote>something</blockquote>");
154 sanitize("<blockquote cite=\"http://www.here.com\">something</blockquote>",
156 sanitize("<blockquote cite=\"javascript:badness()\">something</blockquote>",
159 sanitize("<blockquote style=\"margin:0;margin-left:0.8ex;border-left:1px #ccc solid;" +
170 sanitize("<body alink=\"something\"></body>", "<div></div>");
171 sanitize("<body background=\"something\"></body>", "<div></div>");
172 sanitize("<body bgcolor=\"something\"></body>", "<div></div>");
173 sanitize("<body link=\"something\"></body>", "<div></div>");
174 sanitize("<body text=\"something\"></body>", "<div></div>");
175 sanitize("<body vlink=\"something\"></body>", "<div></div>");
178 sanitize("<body onafterprint=\"something\"></body>", "<div></div>");
179 sanitize("<body onbeforeprint=\"something\"></body>", "<div></div>");
180 sanitize("<body onbeforeunload=\"something\"></body>", "<div></div>");
181 sanitize("<body onblur=\"something\"></body>", "<div></div>");
182 sanitize("<body onerror=\"something\"></body>", "<div></div>");
183 sanitize("<body onfocus=\"something\"></body>", "<div></div>");
184 sanitize("<body onhashchange=\"something\"></body>", "<div></div>");
185 sanitize("<body onload=\"something\"></body>", "<div></div>");
186 sanitize("<body onmessage=\"something\"></body>", "<div></div>");
187 sanitize("<body onoffline=\"something\"></body>", "<div></div>");
188 sanitize("<body ononline=\"something\"></body>", "<div></div>");
189 sanitize("<body onpopstate=\"something\"></body>", "<div></div>");
190 sanitize("<body onredo=\"something\"></body>", "<div></div>");
191 sanitize("<body onresize=\"something\"></body>", "<div></div>");
192 sanitize("<body onstorage=\"something\"></body>", "<div></div>");
193 sanitize("<body onundo=\"something\"></body>", "<div></div>");
194 sanitize("<body onunload=\"something\"></body>", "<div></div>");
195 sanitize("<body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", "<div></div>");
196 sanitize("<body background=\"javascript:alert('XSS')\">", "<div></div>");
197 sanitize("<body onload=alert('XSS')>", "<div></div>");
198 sanitize("<body onload =alert('XSS')>", "<div></div>");
202 sanitize("something<br>something", "something<br />something");
203 sanitize("something<br clear=\"all\">something", "something<br clear=\"all\" />something");
207 sanitize("<button>Click Me!</button>", "<button>Click Me!</button>");
208 sanitize("<button autofocus=\"true\">Click Me!</button>",
210 sanitize("<button disabled=\"true\">Click Me!</button>",
212 sanitize("<button formenctype=\"text/plain\">Click Me!</button>",
214 sanitize("<button formmethod=\"post\">Click Me!</button>",
216 sanitize("<button formnovalidate=\"formnovalidate\">Click Me!</button>",
218 sanitize("<button formtarget=\"_top\">Click Me!</button>",
220 sanitize("<button name=\"something\">Click Me!</button>",
222 sanitize("<button type=\"button\">Click Me!</button>",
224 sanitize("<button value=\"something\">Click Me!</button>",
226 sanitize("<button formaction=\"http://www.overhere.com/\">Click Me!</button>",
229 sanitize("<button formaction=\"javascript:badness()\">Click Me!</button>",
234 sanitize("<canvas></canvas>", "<canvas></canvas>");
235 sanitize("<canvas width=\"500\"></canvas>", "<canvas width=\"500\"></canvas>");
236 sanitize("<canvas height=\"500\"></canvas>", "<canvas height=\"500\"></canvas>");
240 sanitize("<caption>something</caption>", "<caption>something</caption>");
241 sanitize("<caption align=\"left\">something</caption>",
246 sanitize("<center>something</center>", "<center>something</center>");
250 sanitize("<cite>something</cite>", "<cite>something</cite>");
254 sanitize("<code>something</code>", "<code>something</code>");
258 sanitize("<col>", "<col />");
259 sanitize("<col align=\"left\">", "<col align=\"left\" />");
260 sanitize("<col bgcolor=\"something\">", "<col bgcolor=\"something\" />");
261 sanitize("<col char=\"something\">", "<col char=\"something\" />");
262 sanitize("<col charoff=\"something\">", "<col charoff=\"something\" />");
263 sanitize("<col span=\"something\">", "<col span=\"something\" />");
264 sanitize("<col valign=\"something\">", "<col valign=\"something\" />");
265 sanitize("<col width=\"something\">", "<col width=\"something\" />");
269 sanitize("<colgroup></colgroup>", "<colgroup></colgroup>");
270 sanitize("<colgroup align=\"left\"></colgroup>", "<colgroup align=\"left\"></colgroup>");
271 sanitize("<colgroup char=\"something\"></colgroup>",
273 sanitize("<colgroup charoff=\"something\"></colgroup>",
275 sanitize("<colgroup span=\"something\"></colgroup>",
277 sanitize("<colgroup valign=\"something\"></colgroup>",
279 sanitize("<colgroup width=\"something\"></colgroup>",
284 sanitize("<datalist></datalist>", "<datalist></datalist>");
288 sanitize("<dd>something</dd>", "<dd>something</dd>");
292 sanitize("<del>something</del>", "<del>something</del>");
293 sanitize("<del cite=\"javascript:badness();\">something</del>", "<del>something</del>");
294 sanitize("<del cite=\"http://www.reason.com/\">something</del>",
296 sanitize("<del datetime=\"something\">something</del>",
301 sanitize("<details>something</details>", "<details>something</details>");
305 sanitize("<dfn>something</dfn>", "<dfn>something</dfn>");
309 sanitize("<dialog open>This is an open dialog window</dialog>",
314 sanitize("<dir><li>something</li></dir>", "<dir><li>something</li></dir>");
315 sanitize("<dir compact=\"compact\"><li>something</li></dir>",
320 sanitize("<div></div>", "<div></div>");
321 sanitize("<div align=\"left\"></div>", "<div align=\"left\"></div>");
322 sanitize("<div background=\"http://www.random.com/mypng.gif\"></div>",
325 sanitize("<div background=\"javascript:badness();\"></div>", "<div></div>");
326 sanitize("<div style=\"width: expression(alert('XSS'));\">", "<div></div>");
327 sanitize("<div style=\"background-image: url(javascript:alert('XSS'))\">", "<div></div>");
328 sanitize("<div style=\"background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061" +
331 sanitize("<div style=\"background-image: url(javascript:alert('XSS'))\">",
336 sanitize("<dl></dl>", "<dl></dl>");
340 sanitize("<dt></dt>", "<dt></dt>");
344 sanitize("<em>something</em>", "<em>something</em>");
348 sanitize("<embed src=\"helloworld.swf\">", "");
352 sanitize("<fieldset>something</fieldset>", "<fieldset>something</fieldset>");
353 sanitize("<fieldset disabled=\"true\">something</fieldset>",
355 sanitize("<fieldset form=\"formId\">something</fieldset>",
357 sanitize("<fieldset name=\"something\">something</fieldset>",
362 sanitize("<figcaption>Fig1. something</figcaption>",
367 sanitize("<figure>something</figure>", "<figure>something</figure>");
371 sanitize("<font>something</font>", "something");
372 sanitize("<font size=\"3\">something</font>", "<font size=\"3\">something</font>");
373 sanitize("<font face=\"verdana\">something</font>",
375 sanitize("<font color=\"red\">something</font>", "<font color=\"red\">something</font>");
379 sanitize("<footer>something</footer>", "<footer>something</footer>");
383 sanitize("<form></form>", "<form></form>");
384 sanitize("<form accept=\"something\"></form>", "<form accept=\"something\"></form>");
385 sanitize("<form accept-charset=\"something\"></form>",
387 sanitize("<form autocomplete=\"on\"></form>", "<form autocomplete=\"on\"></form>");
388 sanitize("<form enctype=\"text/plain\"></form>", "<form enctype=\"text/plain\"></form>");
389 sanitize("<form method=\"get\"></form>", "<form method=\"get\"></form>");
390 sanitize("<form name=\"something\"></form>", "<form name=\"something\"></form>");
391 sanitize("<form novalidate=\"novalidate\"></form>",
393 sanitize("<form target=\"_top\"></form>", "<form target=\"_top\"></form>");
394 sanitize("<form action=\"http://www.overhere.com/\"></form>",
397 sanitize("<form action=\"javascript:badness()\"></form>", "<form></form>");
398 sanitize("<form onsubmit=\"javascript:badness()\"></form>", "<form></form>");
399 sanitize("<form onreset=\"javascript:badness()\"></form>", "<form></form>");
403 sanitize("<frame src=\"frame_a.htm\">", "");
407 sanitize("<frameset cols=\"25%,*,25%\"></frameset>", "");
408 sanitize("<frameset><frame src=\"javascript:alert('XSS');\"></frameset>", "");
412 sanitize("<head></head>", "");
413 sanitize("<head profile=\"http://www.overhere.com/\"></head>", "");
414 sanitize("<head profile=\"javascript:badness()\"></head>", "");
418 sanitize("<header></header>", "<header></header>");
422 sanitize("<h1>something</h1>", "<h1>something</h1>");
423 sanitize("<h1 align=\"left\">something</h1>", "<h1 align=\"left\">something</h1>");
427 sanitize("<h2>something</h2>", "<h2>something</h2>");
428 sanitize("<h2 align=\"left\">something</h2>", "<h2 align=\"left\">something</h2>");
432 sanitize("<h3>something</h3>", "<h3>something</h3>");
433 sanitize("<h3 align=\"left\">something</h3>", "<h3 align=\"left\">something</h3>");
437 sanitize("<h4>something</h4>", "<h4>something</h4>");
438 sanitize("<h4 align=\"left\">something</h4>", "<h4 align=\"left\">something</h4>");
442 sanitize("<h5>something</h5>", "<h5>something</h5>");
443 sanitize("<h5 align=\"left\">something</h5>", "<h5 align=\"left\">something</h5>");
447 sanitize("<h6>something</h6>", "<h6>something</h6>");
448 sanitize("<h6 align=\"left\">something</h6>", "<h6 align=\"left\">something</h6>");
452 sanitize("<hr/>", "<hr />");
453 sanitize("<hr align=\"left\"/>", "<hr align=\"left\" />");
454 sanitize("<hr noshade=\"noshade\"/>", "<hr noshade=\"noshade\" />");
455 sanitize("<hr size=\"11\"/>", "<hr size=\"11\" />");
456 sanitize("<hr width=\"666\"/>", "<hr width=\"666\" />");
460 sanitize("<html></html>", "");
461 sanitize("<html xmlns=\"http://www.w3.org/1999/xhtml\"></html>", "");
462 sanitize("<html manifest=\"http://www.overhere.com/\"></html>", "");
463 sanitize("<html manifest=\"javascript:badness()\"></html>", "");
467 sanitize("<i></i>", "<i></i>");
471 sanitize("<iframe src=\"http://www.w3schools.com\"></iframe>", "");
472 sanitize("<iframe src=http://ha.ckers.org/scriptlet.html <", "");
473 sanitize("<iframe src=\"javascript:alert('XSS');\"></iframe>", "");
474 sanitize("<iframe src=# onmouseover=\"alert(document.cookie)\"></iframe>", "");
478 sanitize("<isindex prompt=\"Search Document... \"/>", "");
482 sanitize("<img/>", "");
483 sanitize("<img align=\"left\"/>", "<img align=\"left\" />");
484 sanitize("<img alt=\"something\"/>", "<img alt=\"something\" />");
485 sanitize("<img border=\"22\"/>", "<img border=\"22\" />");
486 sanitize("<img crossorigin=\"anonymous \"/>", "<img crossorigin=\"anonymous \" />");
487 sanitize("<img height=\"22\"/>", "<img height=\"22\" />");
488 sanitize("<img hspace=\"22\"/>", "<img hspace=\"22\" />");
489 sanitize("<img ismap=\"ismap\"/>", "<img ismap=\"ismap\" />");
490 sanitize("<img usemap=\"something\"/>", "<img usemap=\"something\" />");
491 sanitize("<img vspace=\"22\"/>", "<img vspace=\"22\" />");
492 sanitize("<img width=\"22\"/>", "<img width=\"22\" />");
493 sanitize("<img src=\"http://www.overhere.com/\"></img>",
495 sanitize("<img src=\"https://www.overhere.com/\"></img>",
497 sanitize("<img src=\"cid:ii_hyw5v8ej0\"></img>",
499 sanitize("<img longdesc=\"http://www.overhere.com/\"></img>",
501 sanitize("<img longdesc=\"https://www.overhere.com/\"></img>",
504 sanitize("<img src=\"javascript:badness()\"></img>", "");
505 sanitize("<img longdesc=\"javascript:badness()\"></img>", "");
506 sanitize("<img longdesc=\"cid:ii_hyw5v8ej0\"></img>", "");
507 sanitize("<img src=javascript:alert('XSS')>", "");
508 sanitize("<img src=JaVaScRiPt:alert('XSS')>", "");
509 sanitize("<img src=javascript:alert(\"XSS\")>", "");
510 sanitize("<img src=`javascript:alert(\"RSnake says, 'XSS'\")`>", "");
511 sanitize("<img \"\"\"><script>alert(\"XSS\")</script>\">", "">");
512 sanitize("<img src=# onmouseover=\"alert('xxs')\">", "<img src=\"#\" />");
513 sanitize("<img src= onmouseover=\"alert('xxs')\">", "<img src=\"onmouseover=\" />");
514 sanitize("<img onmouseover=\"alert('xxs')\">", "");
515 sanitize("<img src=/ onerror=\"alert(String.fromCharCode(88,83,83))\"></img>",
517 sanitize("<img src=javascript:a" +
520 sanitize("<img src=javascr" +
524 sanitize("<img src=javascript:ale" +
526 sanitize("<img src=\"jav\tascript:alert('XSS');\">", "");
527 sanitize("<img src=\"jav	ascript:alert('XSS');\">", "");
528 sanitize("<img src=\"jav
ascript:alert('XSS');\">", "");
529 sanitize("<img src=\"jav
ascript:alert('XSS');\">", "");
530 sanitize("<img src=java\0script:alert(\\\"XSS\\\")>", "");
531 sanitize("<img src=\"  javascript:alert('XSS');\">", "");
532 sanitize("<img src=\"javascript:alert('XSS')\"", "");
533 sanitize("<img dynsrc=\"javascript:alert('XSS')\">", "");
534 sanitize("<img lowsrc=\"javascript:alert('XSS')\">", "");
535 sanitize("<img src='vbscript:msgbox(\"XSS\")'>", "");
536 sanitize("<img src=\"livescript:[code]\">", "");
537 sanitize("<img style=\"xss:expr/*XSS*/ession(alert('XSS'))\">", "");
541 sanitize("<input accept=\"image/*\"/>", "<input accept=\"image/*\" />");
542 sanitize("<input align=\"left\"/>", "<input align=\"left\" />");
543 sanitize("<input alt=\"something\"/>", "<input alt=\"something\" />");
544 sanitize("<input autocomplete=\"on\"/>", "<input autocomplete=\"on\" />");
545 sanitize("<input autofocus=\"autofocus\"/>", "<input autofocus=\"autofocus\" />");
546 sanitize("<input checked=\"checked\"/>", "<input checked=\"checked\" />");
547 sanitize("<input disabled=\"disabled\"/>", "<input disabled=\"disabled\" />");
548 sanitize("<input form=\"1\"/>", "<input form=\"1\" />");
549 sanitize("<input formenctype=\"text/plain\"/>", "<input formenctype=\"text/plain\" />");
550 sanitize("<input formmethod=\"post\"/>", "<input formmethod=\"post\" />");
551 sanitize("<input formnovalidate=\"formnovalidate\"/>",
553 sanitize("<input formtarget=\"_top\"/>", "<input formtarget=\"_top\" />");
554 sanitize("<input height=\"22\"/>", "<input height=\"22\" />");
555 sanitize("<input list=\"something\"/>", "<input list=\"something\" />");
556 sanitize("<input max=\"1000\"/>", "<input max=\"1000\" />");
557 sanitize("<input maxlength=\"10\"/>", "<input maxlength=\"10\" />");
558 sanitize("<input min=\"10\"/>", "<input min=\"10\" />");
559 sanitize("<input multiple=\"multiple\"/>", "<input multiple=\"multiple\" />");
560 sanitize("<input name=\"herman\"/>", "<input name=\"herman\" />");
561 sanitize("<input pattern=\"*.*\"/>", "<input pattern=\"*.*\" />");
562 sanitize("<input placeholder=\"something\"/>", "<input placeholder=\"something\" />");
563 sanitize("<input readonly=\"readonly\"/>", "<input readonly=\"readonly\" />");
564 sanitize("<input required=\"required\"/>", "<input required=\"required\" />");
565 sanitize("<input size=\"22\"/>", "<input size=\"22\" />");
566 sanitize("<input step=\"5\"/>", "<input step=\"5\" />");
567 sanitize("<input type=\"button\"/>", "<input type=\"button\" />");
568 sanitize("<input value=\"something\"/>", "<input value=\"something\" />");
569 sanitize("<input width=\"50\"/>", "<input width=\"50\" />");
570 sanitize("<input src=\"http://www.overhere.com/\"></input>",
572 sanitize("<input src=\"https://www.overhere.com/\"></input>",
574 sanitize("<input formaction=\"http://www.overhere.com/\"></input>",
576 sanitize("<input formaction=\"https://www.overhere.com/\"></input>",
579 sanitize("<input src=\"cid:ii_hyw5v8ej0\"></input>", "");
580 sanitize("<input src=\"javascript:badness()\"></input>", "");
581 sanitize("<input formaction=\"cid:ii_hyw5v8ej0\"></input>", "");
582 sanitize("<input formaction=\"javascript:badness()\"></input>", "");
583 sanitize("<input type=\"image\" src=\"javascript:alert('XSS');\">",
585 sanitize("<input type=\"text\" onchange=\"javascript:alert('XSS');\">",
587 sanitize("<input type=\"button\" onclick=\"javascript:alert('XSS');\">",
589 sanitize("<input type=\"button\" ondblclick=\"javascript:alert('XSS');\">",
594 sanitize("<ins>something</ins>", "<ins>something</ins>");
595 sanitize("<ins cite=\"javascript:badness();\">something</ins>", "<ins>something</ins>");
596 sanitize("<ins cite=\"http://www.reason.com/\">something</ins>",
598 sanitize("<ins cite=\"https://www.reason.com/\">something</ins>",
600 sanitize("<ins datetime=\"something\">something</ins>",
603 sanitize("<ins cite=\"cid:ii_hyw5v8ej0\">something</ins>",
608 sanitize("<kbd>something</kbd>", "<kbd>something</kbd>");
612 sanitize("<keygen/>", "<keygen />");
613 sanitize("<keygen autofocus=\"autofocus\"/>", "<keygen autofocus=\"autofocus\" />");
614 sanitize("<keygen challenge=\"challenge\"/>", "<keygen challenge=\"challenge\" />");
615 sanitize("<keygen disabled=\"disabled\"/>", "<keygen disabled=\"disabled\" />");
616 sanitize("<keygen form=\"formId\"/>", "<keygen form=\"formId\" />");
617 sanitize("<keygen keytype=\"rsa\"/>", "<keygen keytype=\"rsa\" />");
618 sanitize("<keygen name=\"herman\"/>", "<keygen name=\"herman\" />");
622 sanitize("<label for=\"elementId\">Something:</label>", "<label>Something:</label>");
623 sanitize("<label form=\"formId\">Something:</label>",
628 sanitize("<legend>Something:</legend>", "<legend>Something:</legend>");
629 sanitize("<legend align=\"left\">Something:</legend>",
634 sanitize("<li>Something:</li>", "<li>Something:</li>");
635 sanitize("<li type=\"a\">Something:</li>", "<li type=\"a\">Something:</li>");
636 sanitize("<li value=\"11\">Something:</li>", "<li value=\"11\">Something:</li>");
640 sanitize("<link charset=\"utf8\"/>", "");
641 sanitize("<link href=\"http://www.reason.com/\"/>", "");
642 sanitize("<link href=\"https://www.reason.com/\"/>", "");
643 sanitize("<link href=\"cid:ii_hyw5v8ej0\"/>", "");
644 sanitize("<link hreflang=\"fr_CA\"/>", "");
645 sanitize("<link media=\"tv\"/>", "");
646 sanitize("<link rel=\"alternate\"/>", "");
647 sanitize("<link rev=\"something\"/>", "");
648 sanitize("<link sizes=\"500x400\"/>", "");
649 sanitize("<link target=\"_top\"/>", "");
650 sanitize("<link type=\"mimeType\"/>", "");
651 sanitize("<link href=\"javascript:alert('XSS');\">", "");
655 sanitize("<main>something</main>", "<main>something</main>");
659 sanitize("<map></map>", "<map></map>");
660 sanitize("<map name=\"mapname\"></map>", "<map name=\"mapname\"></map>");
664 sanitize("<mark>something</mark>", "<mark>something</mark>");
668 sanitize
669 sanitize("<menu label=\"Edit\"></menu>", "<menu label=\"Edit\"></menu>");
670 sanitize("<menu type=\"popup\"></menu>", "<menu type=\"popup\"></menu>");
674 sanitize("<menuitem></menuitem>", "<menuitem></menuitem>");
675 sanitize("<menuitem checked=\"checked\"></menuitem>",
677 sanitize("<menuitem command=\"something\"></menuitem>",
679 sanitize("<menuitem default=\"default\"></menuitem>",
681 sanitize("<menuitem disabled=\"disabled\"></menuitem>",
683 sanitize("<menuitem icon=\"http://www.reason.com/\"></menuitem>",
685 sanitize("<menuitem icon=\"https://www.reason.com/\"></menuitem>",
687 sanitize("<menuitem label=\"something\"></menuitem>",
689 sanitize("<menuitem type=\"checkbox\"></menuitem>",
691 sanitize("<menuitem radiogroup=\"something\"></menuitem>",
694 sanitize("<menuitem icon=\"cid:ii_hyw5v8ej0\"></menuitem>", "<menuitem></menuitem>");
695 sanitize("<menuitem icon=\"javascript:badness()\"></menuitem>", "<menuitem></menuitem>");
699 sanitize("<meta/>", "");
700 sanitize("<meta charset=\"utf8\" />", "");
701 sanitize("<meta content=\"something\" />", "");
702 sanitize("<meta http-equiv=\"refresh\" />", "");
703 sanitize("<meta name=\"description\" />", "");
704 sanitize("<meta scheme=\"YYYY-MM-DD\" />", "");
705 sanitize("<meta http-equiv=\"Link\" content=\"<http://ha.ckers.org/xss.css>; " +
707 sanitize("<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert('XSS');\">", "");
708 sanitize("<meta http-equiv=\"refresh\" content=\"0;url=data:text/html " +
710 sanitize("<meta http-equiv=\"refresh\" CONTENT=\"0; url=http://;" +
715 sanitize("<meter>2 out of 10</meter>", "<meter>2 out of 10</meter>");
716 sanitize("<meter form=\"formId\">2 out of 10</meter>",
718 sanitize("<meter high=\"10\">2 out of 10</meter>",
720 sanitize("<meter low=\"10\">2 out of 10</meter>", "<meter low=\"10\">2 out of 10</meter>");
721 sanitize("<meter max=\"10\">2 out of 10</meter>", "<meter max=\"10\">2 out of 10</meter>");
722 sanitize("<meter min=\"10\">2 out of 10</meter>", "<meter min=\"10\">2 out of 10</meter>");
723 sanitize("<meter optimum=\"10\">2 out of 10</meter>",
725 sanitize("<meter value=\"10\">2 out of 10</meter>",
730 sanitize("<nav>something</nav>", "<nav>something</nav>");
734 sanitize("<noframes>No frames!</noframes>", "");
738 sanitize("<noscript>No JavaScript!</noscript>", "");
742 sanitize("<object>No Objects!</object>", "");
743 sanitize("<object type=\"text/x-scriptlet\" data=\"http://ha.ckers.org/scriptlet.html\">" +
748 sanitize("<ol></ol>", "<ol></ol>");
749 sanitize("<ol compact=\"compact\"></ol>", "<ol compact=\"compact\"></ol>");
750 sanitize("<ol reversed=\"reversed\"></ol>", "<ol reversed=\"reversed\"></ol>");
751 sanitize("<ol start=\"11\"></ol>", "<ol start=\"11\"></ol>");
752 sanitize("<ol type=\"a\"></ol>", "<ol type=\"a\"></ol>");
756 sanitize("<optgroup></optgroup>", "<optgroup></optgroup>");
757 sanitize("<optgroup disabled=\"disabled\"></optgroup>",
759 sanitize("<optgroup label=\"something\"></optgroup>",
764 sanitize("<option>something</option>", "<option>something</option>");
765 sanitize("<option disabled=\"disabled\">something</option>",
767 sanitize("<option label=\"something\">something</option>",
769 sanitize("<option selected=\"selected\">something</option>",
771 sanitize("<option value=\"volvo\">something</option>",
776 sanitize("<output></output>", "<output></output>");
777 sanitize("<output for=\"elementId\"></output>", "<output></output>");
778 sanitize("<output form=\"formId\"></output>", "<output form=\"formId\"></output>");
779 sanitize("<output name=\"something\"></output>", "<output name=\"something\"></output>");
783 sanitize("<p>something</p>", "<p>something</p>");
784 sanitize("<p align=\"left\">something</p>", "<p align=\"left\">something</p>");
788 sanitize("<param name=\"autoplay\" value=\"true\">", "");
792 sanitize("<pre>something</pre>", "<pre>something</pre>");
793 sanitize("<pre width=\"400\">something</pre>", "<pre width=\"400\">something</pre>");
797 sanitize("<progress></progress>", "<progress></progress>");
798 sanitize("<progress value=\"22\"></progress>", "<progress value=\"22\"></progress>");
799 sanitize("<progress max=\"100\"></progress>", "<progress max=\"100\"></progress>");
803 sanitize("<q>something</q>", "<q>something</q>");
804 sanitize("<q cite=\"http://www.reason.com/\">something</q>",
806 sanitize("<q cite=\"https://www.reason.com/\">something</q>",
809 sanitize("<q cite=\"cid:ii_hyw5v8ej0\">something</q>", "<q>something</q>");
810 sanitize("<q cite=\"javascript:badness()\">something</q>", "<q>something</q>");
814 sanitize("<rp>something</rp>", "<rp>something</rp>");
818 sanitize("<rt>something</rt>", "<rt>something</rt>");
822 sanitize("<ruby></ruby>", "<ruby></ruby>");
826 sanitize("<s>old skool strikethrough</s>", "<s>old skool strikethrough</s>");
830 sanitize("<samp>something</samp>", "<samp>something</samp>");
834 sanitize("<script>malicious script</script>", "");
835 sanitize("<<script>alert(\"XSS\");//<</script>", "<");
836 sanitize("<script src=http://ha.ckers.org/xss.js></script>", "");
837 sanitize("<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>", "");
838 sanitize("<script/src=\"http://ha.ckers.org/xss.js\"></script>", "");
839 sanitize("<script src=http://ha.ckers.org/xss.js?< B >", "");
840 sanitize("<script src=//ha.ckers.org/.j>", "");
841 sanitize("</title><script>alert(\"XSS\");</script>", "");
842 sanitize("<script src=\"http://ha.ckers.org/xss.jpg\"></script>", "");
854 sanitize(attack, defend);
858 sanitize("<section>something</section>", "<section>something</section>");
862 sanitize("<select></select>", "<select></select>");
863 sanitize("<select autofocus=\"autofocus\"></select>",
865 sanitize("<select disabled=\"disabled\"></select>",
867 sanitize("<select form=\"formId\"></select>", "<select form=\"formId\"></select>");
868 sanitize("<select multiple=\"multiple\"></select>",
870 sanitize("<select required=\"required\"></select>",
872 sanitize("<select size=\"11\"></select>", "<select size=\"11\"></select>");
876 sanitize("<small>something</small>", "<small>something</small>");
880 sanitize("<source/>", "");
881 sanitize("<source></source>", "");
885 sanitize("<span style=\"color:blue\">something</span>",
890 sanitize("<strike>something</strike>", "<strike>something</strike>");
894 sanitize("<strong>something</strong>", "<strong>something</strong>");
898 sanitize("<style>something</style>", "");
899 sanitize("<style media=\"something\">something</style>", "");
900 sanitize("<style scoped=\"scoped\">something</style>", "");
901 sanitize("<style type=\"text/css\">something</style>", "");
902 sanitize("<style>li {list-style-image: url(\"javascript:alert('XSS')\");}</style>", "");
903 sanitize("<style>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</style>", "");
904 sanitize("<style>body{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</style>",
906 sanitize("<style>@import'http://ha.ckers.org/xss.css';</style>", "");
907 sanitize("<style type=\"text/javascript\">alert('XSS');</style>", "");
908 sanitize("<style>.XSS{background-image:url(\"javascript:alert('XSS')\");}</style>" +
910 sanitize("<style type=\"text/css\">body{background:url(\"javascript:alert('XSS')\")}" +
915 sanitize("<sub>something</sub>", "<sub>something</sub>");
919 sanitize("<summary>something</summary>", "<summary>something</summary>");
923 sanitize("<sup>something</sup>", "<sup>something</sup>");
927 sanitize("<table></table>", "<table></table>");
928 sanitize("<table align=\"left\"></table>", "<table align=\"left\"></table>");
929 sanitize("<table bgcolor=\"red\"></table>", "<table bgcolor=\"red\"></table>");
930 sanitize("<table border=\"1\"></table>", "<table border=\"1\"></table>");
931 sanitize("<table cellpadding=\"1\"></table>", "<table cellpadding=\"1\"></table>");
932 sanitize("<table cellspacing=\"1\"></table>", "<table cellspacing=\"1\"></table>");
933 sanitize("<table frame=\"void\"></table>", "<table frame=\"void\"></table>");
934 sanitize("<table rules=\"none\"></table>", "<table rules=\"none\"></table>");
935 sanitize("<table sortable=\"sortable\"></table>", "<table sortable=\"sortable\"></table>");
936 sanitize("<table summary=\"something\"></table>", "<table summary=\"something\"></table>");
937 sanitize("<table width=\"11\"></table>", "<table width=\"11\"></table>");
939 sanitize("<table background=\"javascript:alert('XSS')\">", "<table></table>");
943 sanitize("<tbody></tbody>", "<tbody></tbody>");
944 sanitize("<tbody char=\"something\"></tbody>", "<tbody char=\"something\"></tbody>");
945 sanitize("<tbody charoff=\"11\"></tbody>", "<tbody charoff=\"11\"></tbody>");
946 sanitize("<tbody valign=\"top\"></tbody>", "<tbody valign=\"top\"></tbody>");
950 sanitize("<td></td>", "<td></td>");
951 sanitize("<td abbr=\"something\"></td>", "<td abbr=\"something\"></td>");
952 sanitize("<td align=\"left\"></td>", "<td align=\"left\"></td>");
953 sanitize("<td axis=\"something\"></td>", "<td axis=\"something\"></td>");
954 sanitize("<td bgcolor=\"red\"></td>", "<td bgcolor=\"red\"></td>");
955 sanitize("<td char=\"something\"></td>", "<td char=\"something\"></td>");
956 sanitize("<td charoff=\"22\"></td>", "<td charoff=\"22\"></td>");
957 sanitize("<td colspan=\"33\"></td>", "<td colspan=\"33\"></td>");
958 sanitize("<td height=\"44\"></td>", "<td height=\"44\"></td>");
959 sanitize("<td nowrap=\"nowrap\"></td>", "<td nowrap=\"nowrap\"></td>");
960 sanitize("<td rowspan=\"3\"></td>", "<td rowspan=\"3\"></td>");
961 sanitize("<td scope=\"col\"></td>", "<td scope=\"col\"></td>");
962 sanitize("<td valign=\"top\"></td>", "<td valign=\"top\"></td>");
963 sanitize("<td width=\"55\"></td>", "<td width=\"55\"></td>");
965 sanitize("<td headers=\"headerId\"></td>", "<td></td>");
966 sanitize("<td background=\"javascript:alert('XSS')\">", "<td></td>");
970 sanitize("<textarea></textarea>", "<textarea></textarea>");
971 sanitize("<textarea autofocus=\"autofocus\"></textarea>",
973 sanitize("<textarea cols=\"1\"></textarea>", "<textarea cols=\"1\"></textarea>");
974 sanitize("<textarea disabled=\"disabled\"></textarea>",
976 sanitize("<textarea form=\"formId\"></textarea>", "<textarea form=\"formId\"></textarea>");
977 sanitize("<textarea maxlength=\"2\"></textarea>", "<textarea maxlength=\"2\"></textarea>");
978 sanitize("<textarea name=\"something\"></textarea>",
980 sanitize("<textarea placeholder=\"something\"></textarea>",
982 sanitize("<textarea readonly=\"readonly\"></textarea>",
984 sanitize("<textarea required=\"required\"></textarea>",
986 sanitize("<textarea rows=\"3\"></textarea>", "<textarea rows=\"3\"></textarea>");
987 sanitize("<textarea wrap=\"soft\"></textarea>", "<textarea wrap=\"soft\"></textarea>");
991 sanitize("<tfoot></tfoot>", "<tfoot></tfoot>");
992 sanitize("<tfoot align=\"left\"></tfoot>", "<tfoot align=\"left\"></tfoot>");
993 sanitize("<tfoot char=\"something\"></tfoot>", "<tfoot char=\"something\"></tfoot>");
994 sanitize("<tfoot charoff=\"1\"></tfoot>", "<tfoot charoff=\"1\"></tfoot>");
995 sanitize("<tfoot valign=\"top\"></tfoot>", "<tfoot valign=\"top\"></tfoot>");
999 sanitize("<th></th>", "<th></th>");
1000 sanitize("<th abbr=\"something\"></th>", "<th abbr=\"something\"></th>");
1001 sanitize
1002 sanitize("<th axis=\"something\"></th>", "<th axis=\"something\"></th>");
1003 sanitize("<th bgcolor=\"red\"></th>", "<th bgcolor=\"red\"></th>");
1004 sanitize("<th char=\"something\"></th>", "<th char=\"something\"></th>");
1005 sanitize("<th charoff=\"22\"></th>", "<th charoff=\"22\"></th>");
1006 sanitize("<th colspan=\"33\"></th>", "<th colspan=\"33\"></th>");
1007 sanitize("<th height=\"44\"></th>", "<th height=\"44\"></th>");
1008 sanitize("<th nowrap=\"nowrap\"></th>", "<th nowrap=\"nowrap\"></th>");
1009 sanitize("<th rowspan=\"3\"></th>", "<th rowspan=\"3\"></th>");
1010 sanitize("<th scope=\"col\"></th>", "<th scope=\"col\"></th>");
1011 sanitize("<th sorted=\"reversed\"></th>", "<th sorted=\"reversed\"></th>");
1012 sanitize("<th valign=\"top\"></th>", "<th valign=\"top\"></th>");
1013 sanitize("<th width=\"55\"></th>", "<th width=\"55\"></th>");
1015 sanitize("<th headers=\"headerId\"></th>", "<th></th>");
1019 sanitize("<thead></thead>", "<thead></thead>");
1020 sanitize("<thead align=\"left\"></thead>", "<thead align=\"left\"></thead>");
1021 sanitize("<thead char=\"something\"></thead>", "<thead char=\"something\"></thead>");
1022 sanitize("<thead charoff=\"1\"></thead>", "<thead charoff=\"1\"></thead>");
1023 sanitize("<thead valign=\"top\"></thead>", "<thead valign=\"top\"></thead>");
1027 sanitize("<time></time>", "<time></time>");
1028 sanitize("<time datetime=\"datetime\"></time>", "<time datetime=\"datetime\"></time>");
1032 sanitize("<title>something</title>", "");
1036 sanitize("<tr></tr>", "<tr></tr>");
1037 sanitize("<tr align=\"left\"></tr>", "<tr align=\"left\"></tr>");
1038 sanitize("<tr bgcolor=\"red\"></tr>", "<tr bgcolor=\"red\"></tr>");
1039 sanitize("<tr char=\"something\"></tr>", "<tr char=\"something\"></tr>");
1040 sanitize("<tr charoff=\"1\"></tr>", "<tr charoff=\"1\"></tr>");
1041 sanitize("<tr valign=\"top\"></tr>", "<tr valign=\"top\"></tr>");
1045 sanitize("<track/>", "");
1046 sanitize("<track></track>", "");
1050 sanitize("<tt>something</tt>", "<tt>something</tt>");
1054 sanitize("<u>something</u>", "<u>something</u>");
1058 sanitize("<ul compact=\"compact\"></ul>", "<ul compact=\"compact\"></ul>");
1059 sanitize("<ul type=\"disc\"></ul>", "<ul type=\"disc\"></ul>");
1063 sanitize("<var>something</var>", "<var>something</var>");
1067 sanitize("<video></video>", "");
1071 sanitize("word1<wbr/>word2", "word1<wbr />word2");
1074 private void sanitize(String dirtyHTML, String expectedHTML) {
