/*!
A variety of tests for malicious code injection. Everything here is safe to
click (brson). Any local paths work on Win 10.

## javascript links

[js](javascript:alert\(1\))

[reference js]

[reference js]: javascript:alert\(1\)

Case matters:

[upcase js](JAVASCRIPT:alert\(1\))

## local links

[local file](file://C:/Windows/System32/license.rtf)

[reference local file]

[reference local file]: file://C:/Windows/System32/license.rtf

## inline html and scripts

inline html that invokes a script:

<script type="text/javascript">
function clickme() { alert(1); }
</script>
<a href="#" onclick="clickme()"> click me </a>

an inline script:

<script type="text/javascript">
document.write("<strong>if you are seeing this it was injected via javascript</strong>");
</script>

inline html with script onclick:

<a href="#" onclick="javascript:alert(1)">click me</a>

## funky images

js image:

![js image](javascript:alert\(1\))

local file:

![local image](file:///C:/Windows/System32/SecurityAndMaintenance.png)

local text file:

![local text file](file:///C:/Windows/System32/WindowsCodecsRaw.txt)

regular non-local image:

![non-local image](https://i.imgur.com/bHO6PSi.gif)

non-local html served as image:

![non-local html as image](https://gist.githubusercontent.com/brson/45a122f6414877b346932906f70f2901/raw/463f5cc968e8aee67146bc715febc2a93f029a43/foo.hml)

non-local html served as gif (I actually can't trick GitHub into serving this as a non-html ContentType):

![non-local html served as gif](https://gist.githubusercontent.com/brson/45a122f6414877b346932906f70f2901/raw/463f5cc968e8aee67146bc715febc2a93f029a43/foo.gif)

non-local html served as jpg (I actually can't trick GitHub into serving this as a non-html ContentType):

![non-local html served as jpg](https://raw.githubusercontent.com/brson/jsdoctest/master/not-a-real-image.jpg)

(I can't actually find a service that will serve a .jpg-named html as mimetype text/html - and the browser mime sniffer would probably figure it out anyway)
!*/
// Placeholder test module: the crate exists for the doc comment above, which
// is what gets rendered and clicked through.
#[cfg(test)]
mod tests {
    #[test]
    fn it_works() {
        assert_eq!(2 + 2, 4);
    }
}
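The check a documentation renderer (or a reviewer of rendered docs) would want against destinations like the ones in the doc comment above, as an added example that is not code from the jsdoctest crate: it extracts link, image and reference-definition destinations from Markdown, normalises the scheme the way a browser does (lower-cases it and strips leading spaces and C0 control characters, so `JAVASCRIPT:` and `javascript:` are caught alike), and rejects `javascript:`, `vbscript:`, `data:` and `file:`. It also flags raw HTML carrying a `<script` tag or an `on<event>=` attribute with a deliberately simple heuristic. The function names, the `BLOCKED_SCHEMES` list and `SAMPLE_MD` (a constructed copy of a few lines from the doc comment) are my assumptions; the scanner is a small heuristic, not a CommonMark parser.

```rust
// Added example, not code from the jsdoctest crate. Names and SAMPLE_MD are
// assumptions; the scanner is a small heuristic, not a CommonMark parser.

/// Schemes that must never become an href/src in generated docs.
const BLOCKED_SCHEMES: &[&str] = &["javascript", "vbscript", "data", "file"];

/// Constructed sample in the style of the doc comment above.
const SAMPLE_MD: &str = "\
[js](javascript:alert\\(1\\))
[upcase js](JAVASCRIPT:alert\\(1\\))
[reference js]
[reference js]: javascript:alert\\(1\\)
![local image](file:///C:/Windows/System32/SecurityAndMaintenance.png)
![ok image](https://i.imgur.com/bHO6PSi.gif)
<a href=\"#\" onclick=\"clickme()\">click me</a>
";

/// Lower-cased scheme of `dest`, or None for a relative destination.
/// Leading spaces/C0 controls are stripped because browsers ignore them,
/// so `\tjavascript:` and `JAVASCRIPT:` must be caught like `javascript:`.
fn scheme_of(dest: &str) -> Option<String> {
    let trimmed = dest.trim_matches(|c: char| c <= ' ');
    let mut scheme = String::new();
    for (i, c) in trimmed.char_indices() {
        if c == ':' {
            return if i == 0 { None } else { Some(scheme) };
        }
        // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
        let ok = if i == 0 {
            c.is_ascii_alphabetic()
        } else {
            c.is_ascii_alphanumeric() || "+-.".contains(c)
        };
        if !ok {
            return None;
        }
        scheme.push(c.to_ascii_lowercase());
    }
    None
}

fn is_blocked_destination(dest: &str) -> bool {
    scheme_of(dest).map_or(false, |s| BLOCKED_SCHEMES.contains(&s.as_str()))
}

/// Drop Markdown backslash escapes: `alert\(1\)` -> `alert(1)`.
fn unescape(s: &str) -> String {
    let mut out = String::new();
    let mut chars = s.chars();
    while let Some(c) = chars.next() {
        out.push(if c == '\\' { chars.next().unwrap_or('\\') } else { c });
    }
    out
}

/// Byte offset of the `)` closing an inline destination, honouring `\)`.
fn closing_paren(s: &str) -> Option<usize> {
    let mut escaped = false;
    for (i, c) in s.char_indices() {
        match (escaped, c) {
            (true, _) => escaped = false,
            (false, '\\') => escaped = true,
            (false, ')') => return Some(i),
            _ => {}
        }
    }
    None
}

/// Destinations of `[text](dest)`, `![alt](dest)` and `[label]: dest`
/// (the part before any title), with escapes removed.
fn link_destinations(md: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut push = |raw: &str| {
        if let Some(d) = raw.split_whitespace().next() {
            out.push(unescape(d));
        }
    };
    for line in md.lines() {
        let mut rest = line;
        while let Some(start) = rest.find("](") {
            let after = &rest[start + 2..];
            match closing_paren(after) {
                Some(end) => {
                    push(&after[..end]);
                    rest = &after[end + 1..];
                }
                None => break,
            }
        }
        let t = line.trim_start();
        if let Some(close) = t.find("]:").filter(|&c| t.starts_with('[') && c > 1) {
            push(&t[close + 2..]);
        }
    }
    out
}

fn find_blocked_destinations(md: &str) -> Vec<String> {
    link_destinations(md).into_iter().filter(|d| is_blocked_destination(d)).collect()
}

/// Heuristic for raw HTML a renderer should have escaped: a `<script` tag or
/// an `on<event>=` attribute. A real sanitizer parses the HTML instead.
fn has_inline_script(md: &str) -> bool {
    let lower = md.to_ascii_lowercase();
    if lower.contains("<script") {
        return true;
    }
    let b = lower.as_bytes();
    (0..b.len().saturating_sub(2)).any(|i| {
        if !(b[i].is_ascii_whitespace() && b[i + 1] == b'o' && b[i + 2] == b'n') {
            return false;
        }
        let name_end = (i + 3..b.len()).find(|&j| !b[j].is_ascii_alphabetic()).unwrap_or(b.len());
        name_end > i + 3 && b.get(name_end) == Some(&b'=')
    })
}

fn main() {
    for d in find_blocked_destinations(SAMPLE_MD) {
        println!("blocked destination: {}", d);
    }
    println!("raw script HTML present: {}", has_inline_script(SAMPLE_MD));
}
```

Run against `SAMPLE_MD` it reports the two `javascript:` links, the `JAVASCRIPT:` one (caught only because the scheme is normalised before comparison) and the `file:` image, lets the `https:` image through, and flags the `onclick=` handler. Matching on a raw `starts_with("javascript:")` would miss the upper-case and leading-tab variants, which is the point the "Case matters" section above makes.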