diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/safe_mode/unsafe_urls.html | 24 | ||||
| -rw-r--r-- | tests/safe_mode/unsafe_urls.txt | 27 |
2 files changed, 51 insertions, 0 deletions
diff --git a/tests/safe_mode/unsafe_urls.html b/tests/safe_mode/unsafe_urls.html new file mode 100644 index 0000000..8eda30d --- /dev/null +++ b/tests/safe_mode/unsafe_urls.html @@ -0,0 +1,24 @@ +<p>These links should be unsafe and not allowed in safe_mode +</p> +<p><a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> +</p> +<p><img src="" alt="img"/><a href="">ref</a> + <img src="" alt="imgref"/> +</p> +<p>These should work regardless: +</p> +<p><a href="relative/url.html">relative</a> + <a href="mailto:foo@bar.com">email</a> + <a href="news:some.news.group.com">news scheme</a> + <a href="http://example.com">http link</a> +</p>
\ No newline at end of file diff --git a/tests/safe_mode/unsafe_urls.txt b/tests/safe_mode/unsafe_urls.txt new file mode 100644 index 0000000..7bfd81d --- /dev/null +++ b/tests/safe_mode/unsafe_urls.txt @@ -0,0 +1,27 @@ +These links should be unsafe and not allowed in safe_mode + +[link](javascript:alert%28'Hello%20world!'%29) +[link](vbscript:msgbox%28%22Hello%20world!%22%29) +[link](livescript:alert%28'Hello%20world!'%29) +[link](mocha:[code]) +[link](jAvAsCrIpT:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja%09 %0Avas cr
ipt:alert%28'Hello%20world!'%29) +[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29) +[link](live%20script:alert%28'Hello%20world!'%29) + + +[ref][] +![imgref][] + +[ref]: javascript:alert%29'XSS'%29 +[imgref]: javascript:alert%29'XSS'%29 + +These should work regardless: + +[relative](relative/url.html) +[email](mailto:foo@bar.com) +[news scheme](news:some.news.group.com) +[http link](http://example.com) |