/*!
A variety of tests for malicious code injection.

Everything here is safe to click (brson). Any local paths work on Win 10.

## javascript links

[js](javascript:alert\(1\))

[reference js]

[reference js]: javascript:alert\(1\)

Case matters:

[upcase js](JAVASCRIPT:alert\(1\))

## local links

[local file](file://C:/Windows/System32/license.rtf)

[reference local file]

[reference local file]: file://C:/Windows/System32/license.rtf

## inline html and scripts

an inline html that invokes a script:

<script type="text/javascript">
function clickme() {
    alert(1);
}
</script>
<a href="#" onclick="clickme()">
click me
</a>

an inline script:

<script type="text/javascript">
document.write("<strong>if you are seeing this it was injected via javascript</strong>");
</script>

inline html with script onclick:

<a href="#" onclick="javascript:alert(1)">click me</a>

## funky images
js image:
)
local file:

local text file:

regular non-local image:

non-local html served as image:

non-local html served as gif (I actually can't trick GitHub into serving this as non-html ContentType)

non-local html served as gif (I actually can't trick GitHub into serving this as non-html ContentType)

(I can't actually find a service that will serve a .jpg-named html as mimetype text/html - and the browser mime sniffer would probably figure it out anyway)
!*/