/*!
A variety of tests for malicious code injection. Everything here is
safe to click (brson). Any local paths work on Win 10.

## javascript links

[js](javascript:alert\(1\))

[reference js]

[reference js]: javascript:alert\(1\)

Case matters:

[upcase js](JAVASCRIPT:alert\(1\))

## local links

[local file](file://C:/Windows/System32/license.rtf)

[reference local file]

[reference local file]: file://C:/Windows/System32/license.rtf

## inline html and scripts

an inline html that invokes a script:

<script type="text/javascript">
function clickme() {
    alert(1);
}
</script>

<a href="#" onclick="clickme()">
click me
</a>

an inline script:

<script type="text/javascript">
document.write("<strong>if you are seeing this it was injected via javascript</strong>");
</script>

## funky images

js image: )

local file:

local text file:

regular non-local image:

non-local html served as image:

non-local html served as gif (I actually can't trick GitHub into serving this as non-html ContentType)

non-local html served as gif (I actually can't trick GitHub into serving this as non-html ContentType)

(I can't actually find a service that will serve a .jpg-named html as mimetype text/html - and the browser mime sniffer would probably figure it out anyway)
!*/

#[cfg(test)]
mod tests {
    #[test]
    fn it_works() {
        assert_eq!(2 + 2, 4);
    }
}