1.0.0
[sanitise-file-name] / tests / blns.passthrough.sanitised
1 # Reserved Strings
2 #
3 # Strings which may be used elsewhere in code
4
5 undefined
6 undef
7 null
8 NULL
9 (null)
10 nil
11 NIL
12 true
13 false
14 True
15 False
16 TRUE
17 FALSE
18 None
19 hasOwnProperty
20 then
21 constructor
22 \
23 \\
24
25 # Numeric Strings
26 #
27 # Strings which can be interpreted as numeric
28
29 0
30 1
31 1.00
32 $1.00
33 1/2
34 1E2
35 1E02
36 1E+02
37 -1
38 -1.00
39 -$1.00
40 -1/2
41 -1E2
42 -1E02
43 -1E+02
44 1/0
45 0/0
46 -2147483648/-1
47 -9223372036854775808/-1
48 -0
49 -0.0
50 +0
51 +0.0
52 0.00
53 0..0
54 .
55 0.0.0
56 0,00
57 0,,0
58 ,
59 0,0,0
60 0.0/0
61 1.0/0.0
62 0.0/0.0
63 1,0/0,0
64 0,0/0,0
65 --1
66 -
67 -.
68 -,
69 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
70 NaN
71 Infinity
72 -Infinity
73 INF
74 1#INF
75 -1#IND
76 1#QNAN
77 1#SNAN
78 1#IND
79 0x0
80 0xffffffff
81 0xffffffffffffffff
82 0xabad1dea
83 123456789012345678901234567890123456789
84 1,000.00
85 1 000.00
86 1'000.00
87 1,000,000.00
88 1 000 000.00
89 1'000'000.00
90 1.000,00
91 1 000,00
92 1'000,00
93 1.000.000,00
94 1 000 000,00
95 1'000'000,00
96 01000
97 08
98 09
99 2.2250738585072011e-308
100
101 # Special Characters
102 #
103 # ASCII punctuation. All of these characters may need to be escaped in some
104 # contexts. Divided into three groups based on (US-layout) keyboard position.
105
106 ,./;'[]\-=
107 <>?:"{}|_+
108 !@#$%^&*()`~
109
110 # Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F,
111 # and U+007F (DEL)
112 # Often forbidden to appear in various text-based file formats (e.g. XML),
113 # or reused for internal delimiters on the theory that they should never
114 # appear in input.
115 # The next line may appear to be blank or mojibake in some viewers.
116 \ 1\ 2\ 3\ 4\ 5\ 6\a\b\ e\ f\10\11\12\13\14\15\16\17\18\19\1a\e\1c\1d\1e\1f\7f
117
118 # Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F.
119 # Commonly misinterpreted as additional graphic characters.
120 # The next line may appear to be blank, mojibake, or dingbats in some viewers.
121 \80\81\82\83\84\86\87\88\89\8a\8b\8c\8d\8e\8f\90\91\92\93\94\95\96\97\98\99\9a\9b\9c\9d\9e\9f
122
123 # Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode
124 # version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL),
125 # and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
126 # treated as whitespace in some contexts.
127 # This file unfortunately cannot express strings containing
128 # U+0000, U+000A, or U+000D (NUL, LF, CR).
129 # The next line may appear to be blank or mojibake in some viewers.
130 # The next line may be flagged for "trailing whitespace" in some viewers.
131 \v\f \85             ​

   
132
133 # Unicode additional control characters: all of the characters with
134 # general category Cf (in Unicode 8.0.0).
135 # The next line may appear to be blank or mojibake in some viewers.
136 ­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾󠁿
137
138 # "Byte order marks", U+FEFF and U+FFFE, each on its own line.
139 # The next two lines may appear to be blank or mojibake in some viewers.
140 
141
142
143 # Unicode Symbols
144 #
145 # Strings which contain common unicode symbols (e.g. smart quotes)
146
147 Ω≈ç√∫˜µ≤≥÷
148 åß∂ƒ©˙∆˚¬…æ
149 œ∑´®†¥¨ˆøπ“‘
150 ¡™£¢∞§¶•ªº–≠
151 ¸˛Ç◊ı˜Â¯˘¿
152 ÅÍÎÏ˝ÓÔÒÚÆ☃
153 Œ„´‰ˇÁ¨ˆØ∏”’
154 `⁄€‹›fifl‡°·‚—±
155 ⅛⅜⅝⅞
156 ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
157 ٠١٢٣٤٥٦٧٨٩
158
159 # Unicode Subscript/Superscript/Accents
160 #
161 # Strings which contain unicode subscripts/superscripts; can cause rendering issues
162
163 ⁰⁴⁵
164 ₀₁₂
165 ⁰⁴⁵₀₁₂
166 ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็
167
168 # Quotation Marks
169 #
170 # Strings which contain misplaced quotation marks; can cause encoding errors
171
172 '
173 "
174 ''
175 ""
176 '"'
177 "''''"'"
178 "'"'"''''"
179 <foo val=“bar” />
180 <foo val=“bar” />
181 <foo val=”bar“ />
182 <foo val=`bar' />
183
184 # Two-Byte Characters
185 #
186 # Strings which contain two-byte characters: can cause rendering issues or character-length issues
187
188 田中さんにあげて下さい
189 パーティーへ行かないか
190 和製漢語
191 部落格
192 사회과학원 어학연구소
193 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
194 社會科學院語學研究所
195 울란바토르
196 𠜎𠜱𠝹𠱓𠱸𠲖𠳏
197
198 # Strings which contain two-byte letters: can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character
199
200 𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆
201
202 # Special Unicode Characters Union
203 #
204 # A super string recommended by VMware Inc. Globalization Team: can effectively cause rendering or character-length issues; used to validate product globalization readiness.
205 #
206 # 表 CJK_UNIFIED_IDEOGRAPHS (U+8868)
207 # ポ KATAKANA LETTER PO (U+30DD)
208 # あ HIRAGANA LETTER A (U+3042)
209 # A LATIN CAPITAL LETTER A (U+0041)
210 # 鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7)
211 # Œ LATIN SMALL LIGATURE OE (U+0153)
212 # é LATIN SMALL LETTER E WITH ACUTE (U+00E9)
213 # B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22)
214 # 逍 CJK_UNIFIED_IDEOGRAPHS (U+900D)
215 # Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC)
216 # ß LATIN SMALL LETTER SHARP S (U+00DF)
217 # ª FEMININE ORDINAL INDICATOR (U+00AA)
218 # ą LATIN SMALL LETTER A WITH OGONEK (U+0105)
219 # ñ LATIN SMALL LETTER N WITH TILDE (U+00F1)
220 # 丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02)
221 # 㐀 CJK Ideograph Extension A, First (U+3400)
222 # 𠀀 CJK Ideograph Extension B, First (U+20000)
223
224 表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀
225
226 # Changing length when lowercased
227 #
228 # Characters which increase in length (2 to 3 bytes) when lowercased
229 # Credit: https://twitter.com/jifa/status/625776454479970304
230
231 Ⱥ
232 Ⱦ
233
234 # Japanese Emoticons
235 #
236 # Strings which consist of Japanese-style emoticons that are popular on the web
237
238 ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
239 (。◕ ∀ ◕。)
240 `ィ(´∀`∩
241 __ロ(,_,*)
242 ・( ̄∀ ̄)・:*:
243 ゚・✿ヾ╲(。◕‿◕。)╱✿・゚
244 ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
245 (╯°□°)╯︵ ┻━┻)
246 (ノಥ益ಥ)ノ ┻━┻
247 ┬─┬ノ( º _ ºノ)
248 ( ͡° ͜ʖ ͡°)
249 ¯\_(ツ)_/¯
250
251 # Emoji
252 #
253 # Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
254
255 😍
256 👩🏽
257 👨‍🦰 👨🏿‍🦰 👨‍🦱 👨🏿‍🦱 🦹🏿‍♂️
258 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
259 🐵 🙈 🙉 🙊
260 ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
261 ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
262 👨‍👩‍👦 👨‍👩‍👧‍👦 👨‍👨‍👦 👩‍👩‍👧 👨‍👦 👨‍👧‍👦 👩‍👦 👩‍👧‍👦
263 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
264 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
265
266 # Regional Indicator Symbols
267 #
268 # Regional Indicator Symbols can be displayed differently across
269 # fonts, and have a number of special behaviors
270
271 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
272 🇺🇸🇷🇺🇸🇦🇫🇦🇲
273 🇺🇸🇷🇺🇸🇦
274
275 # Unicode Numbers
276 #
277 # Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
278
279 123
280 ١٢٣
281
282 # Right-To-Left Strings
283 #
284 # Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
285
286 ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
287 בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
288 הָיְתָהtestالصفحات التّحول
289
290
291 مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
292 الكل في المجمو عة (5)
293
294 # Ogham Text
295 #
296 # The only unicode alphabet to use a space which isn't empty but should still act like a space.
297
298 ᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜
299 ᚛                 ᚜
300
301 # Trick Unicode
302 #
303 # Strings which contain unicode with unusual properties (e.g. Right-to-left override) (cf. http://www.unicode.org/charts/PDF/U2000.pdf)
304
305 ‪‪test‪
306 ‫test‫
307 
test

308 test⁠test‫
309 ⁦test⁧
310
311 # Zalgo Text
312 #
313 # Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)
314
315 Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
316 ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
317 ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
318 ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
319 Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
320
321 # Unicode Upsidedown
322 #
323 # Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)
324
325 ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
326 00˙Ɩ$-
327
328 # Unicode font
329 #
330 # Strings which contain bold/italic/etc. versions of normal characters
331
332 The quick brown fox jumps over the lazy dog
333 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
334 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
335 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
336 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
337 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
338 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
339 ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
340
341 # Script Injection
342 #
343 # Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
344
345 <script>alert(0)</script>
346 &lt;script&gt;alert(&#39;1&#39;);&lt;/script&gt;
347 <img src=x onerror=alert(2) />
348 <svg><script>123<1>alert(3)</script>
349 "><script>alert(4)</script>
350 '><script>alert(5)</script>
351 ><script>alert(6)</script>
352 </script><script>alert(7)</script>
353 < / script >< script >alert(8)< / script >
354  onfocus=JaVaSCript:alert(9) autofocus
355 " onfocus=JaVaSCript:alert(10) autofocus
356 ' onfocus=JaVaSCript:alert(11) autofocus
357 <script>alert(12)</script>
358 <sc<script>ript>alert(13)</sc</script>ript>
359 --><script>alert(14)</script>
360 ";alert(15);t="
361 ';alert(16);t='
362 JavaSCript:alert(17)
363 ;alert(18);
364 src=JaVaSCript:prompt(19)
365 "><script>alert(20);</script x="
366 '><script>alert(21);</script x='
367 ><script>alert(22);</script x=
368 " autofocus onkeyup="javascript:alert(23)
369 ' autofocus onkeyup='javascript:alert(24)
370 <script\x20type="text/javascript">javascript:alert(25);</script>
371 <script\x3Etype="text/javascript">javascript:alert(26);</script>
372 <script\x0Dtype="text/javascript">javascript:alert(27);</script>
373 <script\x09type="text/javascript">javascript:alert(28);</script>
374 <script\x0Ctype="text/javascript">javascript:alert(29);</script>
375 <script\x2Ftype="text/javascript">javascript:alert(30);</script>
376 <script\x0Atype="text/javascript">javascript:alert(31);</script>
377 '`"><\x3Cscript>javascript:alert(32)</script>
378 '`"><\x00script>javascript:alert(33)</script>
379 ABC<div style="x\x3Aexpression(javascript:alert(34)">DEF
380 ABC<div style="x:expression\x5C(javascript:alert(35)">DEF
381 ABC<div style="x:expression\x00(javascript:alert(36)">DEF
382 ABC<div style="x:exp\x00ression(javascript:alert(37)">DEF
383 ABC<div style="x:exp\x5Cression(javascript:alert(38)">DEF
384 ABC<div style="x:\x0Aexpression(javascript:alert(39)">DEF
385 ABC<div style="x:\x09expression(javascript:alert(40)">DEF
386 ABC<div style="x:\xE3\x80\x80expression(javascript:alert(41)">DEF
387 ABC<div style="x:\xE2\x80\x84expression(javascript:alert(42)">DEF
388 ABC<div style="x:\xC2\xA0expression(javascript:alert(43)">DEF
389 ABC<div style="x:\xE2\x80\x80expression(javascript:alert(44)">DEF
390 ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(45)">DEF
391 ABC<div style="x:\x0Dexpression(javascript:alert(46)">DEF
392 ABC<div style="x:\x0Cexpression(javascript:alert(47)">DEF
393 ABC<div style="x:\xE2\x80\x87expression(javascript:alert(48)">DEF
394 ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(49)">DEF
395 ABC<div style="x:\x20expression(javascript:alert(50)">DEF
396 ABC<div style="x:\xE2\x80\x88expression(javascript:alert(51)">DEF
397 ABC<div style="x:\x00expression(javascript:alert(52)">DEF
398 ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(53)">DEF
399 ABC<div style="x:\xE2\x80\x86expression(javascript:alert(54)">DEF
400 ABC<div style="x:\xE2\x80\x85expression(javascript:alert(55)">DEF
401 ABC<div style="x:\xE2\x80\x82expression(javascript:alert(56)">DEF
402 ABC<div style="x:\x0Bexpression(javascript:alert(57)">DEF
403 ABC<div style="x:\xE2\x80\x81expression(javascript:alert(58)">DEF
404 ABC<div style="x:\xE2\x80\x83expression(javascript:alert(59)">DEF
405 ABC<div style="x:\xE2\x80\x89expression(javascript:alert(60)">DEF
406 <a href="\x0Bjavascript:javascript:alert(61)" id="fuzzelement1">test</a>
407 <a href="\x0Fjavascript:javascript:alert(62)" id="fuzzelement1">test</a>
408 <a href="\xC2\xA0javascript:javascript:alert(63)" id="fuzzelement1">test</a>
409 <a href="\x05javascript:javascript:alert(64)" id="fuzzelement1">test</a>
410 <a href="\xE1\xA0\x8Ejavascript:javascript:alert(65)" id="fuzzelement1">test</a>
411 <a href="\x18javascript:javascript:alert(66)" id="fuzzelement1">test</a>
412 <a href="\x11javascript:javascript:alert(67)" id="fuzzelement1">test</a>
413 <a href="\xE2\x80\x88javascript:javascript:alert(68)" id="fuzzelement1">test</a>
414 <a href="\xE2\x80\x89javascript:javascript:alert(69)" id="fuzzelement1">test</a>
415 <a href="\xE2\x80\x80javascript:javascript:alert(70)" id="fuzzelement1">test</a>
416 <a href="\x17javascript:javascript:alert(71)" id="fuzzelement1">test</a>
417 <a href="\x03javascript:javascript:alert(72)" id="fuzzelement1">test</a>
418 <a href="\x0Ejavascript:javascript:alert(73)" id="fuzzelement1">test</a>
419 <a href="\x1Ajavascript:javascript:alert(74)" id="fuzzelement1">test</a>
420 <a href="\x00javascript:javascript:alert(75)" id="fuzzelement1">test</a>
421 <a href="\x10javascript:javascript:alert(76)" id="fuzzelement1">test</a>
422 <a href="\xE2\x80\x82javascript:javascript:alert(77)" id="fuzzelement1">test</a>
423 <a href="\x20javascript:javascript:alert(78)" id="fuzzelement1">test</a>
424 <a href="\x13javascript:javascript:alert(79)" id="fuzzelement1">test</a>
425 <a href="\x09javascript:javascript:alert(80)" id="fuzzelement1">test</a>
426 <a href="\xE2\x80\x8Ajavascript:javascript:alert(81)" id="fuzzelement1">test</a>
427 <a href="\x14javascript:javascript:alert(82)" id="fuzzelement1">test</a>
428 <a href="\x19javascript:javascript:alert(83)" id="fuzzelement1">test</a>
429 <a href="\xE2\x80\xAFjavascript:javascript:alert(84)" id="fuzzelement1">test</a>
430 <a href="\x1Fjavascript:javascript:alert(85)" id="fuzzelement1">test</a>
431 <a href="\xE2\x80\x81javascript:javascript:alert(86)" id="fuzzelement1">test</a>
432 <a href="\x1Djavascript:javascript:alert(87)" id="fuzzelement1">test</a>
433 <a href="\xE2\x80\x87javascript:javascript:alert(88)" id="fuzzelement1">test</a>
434 <a href="\x07javascript:javascript:alert(89)" id="fuzzelement1">test</a>
435 <a href="\xE1\x9A\x80javascript:javascript:alert(90)" id="fuzzelement1">test</a>
436 <a href="\xE2\x80\x83javascript:javascript:alert(91)" id="fuzzelement1">test</a>
437 <a href="\x04javascript:javascript:alert(92)" id="fuzzelement1">test</a>
438 <a href="\x01javascript:javascript:alert(93)" id="fuzzelement1">test</a>
439 <a href="\x08javascript:javascript:alert(94)" id="fuzzelement1">test</a>
440 <a href="\xE2\x80\x84javascript:javascript:alert(95)" id="fuzzelement1">test</a>
441 <a href="\xE2\x80\x86javascript:javascript:alert(96)" id="fuzzelement1">test</a>
442 <a href="\xE3\x80\x80javascript:javascript:alert(97)" id="fuzzelement1">test</a>
443 <a href="\x12javascript:javascript:alert(98)" id="fuzzelement1">test</a>
444 <a href="\x0Djavascript:javascript:alert(99)" id="fuzzelement1">test</a>
445 <a href="\x0Ajavascript:javascript:alert(100)" id="fuzzelement1">test</a>
446 <a href="\x0Cjavascript:javascript:alert(101)" id="fuzzelement1">test</a>
447 <a href="\x15javascript:javascript:alert(102)" id="fuzzelement1">test</a>
448 <a href="\xE2\x80\xA8javascript:javascript:alert(103)" id="fuzzelement1">test</a>
449 <a href="\x16javascript:javascript:alert(104)" id="fuzzelement1">test</a>
450 <a href="\x02javascript:javascript:alert(105)" id="fuzzelement1">test</a>
451 <a href="\x1Bjavascript:javascript:alert(106)" id="fuzzelement1">test</a>
452 <a href="\x06javascript:javascript:alert(107)" id="fuzzelement1">test</a>
453 <a href="\xE2\x80\xA9javascript:javascript:alert(108)" id="fuzzelement1">test</a>
454 <a href="\xE2\x80\x85javascript:javascript:alert(109)" id="fuzzelement1">test</a>
455 <a href="\x1Ejavascript:javascript:alert(110)" id="fuzzelement1">test</a>
456 <a href="\xE2\x81\x9Fjavascript:javascript:alert(111)" id="fuzzelement1">test</a>
457 <a href="\x1Cjavascript:javascript:alert(112)" id="fuzzelement1">test</a>
458 <a href="javascript\x00:javascript:alert(113)" id="fuzzelement1">test</a>
459 <a href="javascript\x3A:javascript:alert(114)" id="fuzzelement1">test</a>
460 <a href="javascript\x09:javascript:alert(115)" id="fuzzelement1">test</a>
461 <a href="javascript\x0D:javascript:alert(116)" id="fuzzelement1">test</a>
462 <a href="javascript\x0A:javascript:alert(117)" id="fuzzelement1">test</a>
463 `"'><img src=xxx:x \x0Aonerror=javascript:alert(118)>
464 `"'><img src=xxx:x \x22onerror=javascript:alert(119)>
465 `"'><img src=xxx:x \x0Bonerror=javascript:alert(120)>
466 `"'><img src=xxx:x \x0Donerror=javascript:alert(121)>
467 `"'><img src=xxx:x \x2Fonerror=javascript:alert(122)>
468 `"'><img src=xxx:x \x09onerror=javascript:alert(123)>
469 `"'><img src=xxx:x \x0Conerror=javascript:alert(124)>
470 `"'><img src=xxx:x \x00onerror=javascript:alert(125)>
471 `"'><img src=xxx:x \x27onerror=javascript:alert(126)>
472 `"'><img src=xxx:x \x20onerror=javascript:alert(127)>
473 "`'><script>\x3Bjavascript:alert(128)</script>
474 "`'><script>\x0Djavascript:alert(129)</script>
475 "`'><script>\xEF\xBB\xBFjavascript:alert(130)</script>
476 "`'><script>\xE2\x80\x81javascript:alert(131)</script>
477 "`'><script>\xE2\x80\x84javascript:alert(132)</script>
478 "`'><script>\xE3\x80\x80javascript:alert(133)</script>
479 "`'><script>\x09javascript:alert(134)</script>
480 "`'><script>\xE2\x80\x89javascript:alert(135)</script>
481 "`'><script>\xE2\x80\x85javascript:alert(136)</script>
482 "`'><script>\xE2\x80\x88javascript:alert(137)</script>
483 "`'><script>\x00javascript:alert(138)</script>
484 "`'><script>\xE2\x80\xA8javascript:alert(139)</script>
485 "`'><script>\xE2\x80\x8Ajavascript:alert(140)</script>
486 "`'><script>\xE1\x9A\x80javascript:alert(141)</script>
487 "`'><script>\x0Cjavascript:alert(142)</script>
488 "`'><script>\x2Bjavascript:alert(143)</script>
489 "`'><script>\xF0\x90\x96\x9Ajavascript:alert(144)</script>
490 "`'><script>-javascript:alert(145)</script>
491 "`'><script>\x0Ajavascript:alert(146)</script>
492 "`'><script>\xE2\x80\xAFjavascript:alert(147)</script>
493 "`'><script>\x7Ejavascript:alert(148)</script>
494 "`'><script>\xE2\x80\x87javascript:alert(149)</script>
495 "`'><script>\xE2\x81\x9Fjavascript:alert(150)</script>
496 "`'><script>\xE2\x80\xA9javascript:alert(151)</script>
497 "`'><script>\xC2\x85javascript:alert(152)</script>
498 "`'><script>\xEF\xBF\xAEjavascript:alert(153)</script>
499 "`'><script>\xE2\x80\x83javascript:alert(154)</script>
500 "`'><script>\xE2\x80\x8Bjavascript:alert(155)</script>
501 "`'><script>\xEF\xBF\xBEjavascript:alert(156)</script>
502 "`'><script>\xE2\x80\x80javascript:alert(157)</script>
503 "`'><script>\x21javascript:alert(158)</script>
504 "`'><script>\xE2\x80\x82javascript:alert(159)</script>
505 "`'><script>\xE2\x80\x86javascript:alert(160)</script>
506 "`'><script>\xE1\xA0\x8Ejavascript:alert(161)</script>
507 "`'><script>\x0Bjavascript:alert(162)</script>
508 "`'><script>\x20javascript:alert(163)</script>
509 "`'><script>\xC2\xA0javascript:alert(164)</script>
510 <img \x00src=x onerror="alert(165)">
511 <img \x47src=x onerror="javascript:alert(166)">
512 <img \x11src=x onerror="javascript:alert(167)">
513 <img \x12src=x onerror="javascript:alert(168)">
514 <img\x47src=x onerror="javascript:alert(169)">
515 <img\x10src=x onerror="javascript:alert(170)">
516 <img\x13src=x onerror="javascript:alert(171)">
517 <img\x32src=x onerror="javascript:alert(172)">
518 <img\x47src=x onerror="javascript:alert(173)">
519 <img\x11src=x onerror="javascript:alert(174)">
520 <img \x47src=x onerror="javascript:alert(175)">
521 <img \x34src=x onerror="javascript:alert(176)">
522 <img \x39src=x onerror="javascript:alert(177)">
523 <img \x00src=x onerror="javascript:alert(178)">
524 <img src\x09=x onerror="javascript:alert(179)">
525 <img src\x10=x onerror="javascript:alert(180)">
526 <img src\x13=x onerror="javascript:alert(181)">
527 <img src\x32=x onerror="javascript:alert(182)">
528 <img src\x12=x onerror="javascript:alert(183)">
529 <img src\x11=x onerror="javascript:alert(184)">
530 <img src\x00=x onerror="javascript:alert(185)">
531 <img src\x47=x onerror="javascript:alert(186)">
532 <img src=x\x09onerror="javascript:alert(187)">
533 <img src=x\x10onerror="javascript:alert(188)">
534 <img src=x\x11onerror="javascript:alert(189)">
535 <img src=x\x12onerror="javascript:alert(190)">
536 <img src=x\x13onerror="javascript:alert(191)">
537 <img[a][b][c]src[d]=x[e]onerror=[f]"alert(192)">
538 <img src=x onerror=\x09"javascript:alert(193)">
539 <img src=x onerror=\x10"javascript:alert(194)">
540 <img src=x onerror=\x11"javascript:alert(195)">
541 <img src=x onerror=\x12"javascript:alert(196)">
542 <img src=x onerror=\x32"javascript:alert(197)">
543 <img src=x onerror=\x00"javascript:alert(198)">
544 <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(199)>XXX</a>
545 <img src="x` `<script>javascript:alert(200)</script>"` `>
546 <img src onerror /" '"= alt=javascript:alert(201)//">
547 <title onpropertychange=javascript:alert(202)></title><title title=>
548 <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(203)></a>">
549 <!--[if]><script>javascript:alert(204)</script -->
550 <!--[if<img src=x onerror=javascript:alert(205)//]> -->
551 <script src="/\%(jscript)s"></script>
552 <script src="\\%(jscript)s"></script>
553 <IMG """><SCRIPT>alert("206")</SCRIPT>">
554 <IMG SRC=javascript:alert(String.fromCharCode(50,48,55))>
555 <IMG SRC=# onmouseover="alert('208')">
556 <IMG SRC= onmouseover="alert('209')">
557 <IMG onmouseover="alert('210')">
558 <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#50;&#49;&#49;&#39;&#41;>
559 <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000050&#0000049&#0000050&#0000039&#0000041>
560 <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x32&#x31&#x33&#x27&#x29>
561 <IMG SRC="jav   ascript:alert('214');">
562 <IMG SRC="jav&#x09;ascript:alert('215');">
563 <IMG SRC="jav&#x0A;ascript:alert('216');">
564 <IMG SRC="jav&#x0D;ascript:alert('217');">
565 perl -e 'print "<IMG SRC=java\0script:alert(\"218\")>";' > out
566 <IMG SRC=" &#14;  javascript:alert('219');">
567 <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
568 <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("220")>
569 <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
570 <<SCRIPT>alert("221");//<</SCRIPT>
571 <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
572 <SCRIPT SRC=//ha.ckers.org/.j>
573 <IMG SRC="javascript:alert('222')"
574 <iframe src=http://ha.ckers.org/scriptlet.html <
575 \";alert('223');//
576 <u oncopy=alert()> Copy me</u>
577 <i onwheel=alert(224)> Scroll over me </i>
578 <plaintext>
579 http://a/%%30%30
580 </textarea><script>alert(225)</script>
581
582 # SQL Injection
583 #
584 # Strings which can cause a SQL injection if inputs are not sanitized
585
586 1;DROP TABLE users
587 1'; DROP TABLE users-- 1
588 ' OR 1=1 -- 1
589 ' OR '1'='1
590 '; EXEC sp_MSForEachTable 'DROP TABLE ?'; --
591
592 %
593 _
594
595 # Server Code Injection
596 #
597 # Strings which can cause a user to run code on the server as a privileged user (cf. https://news.ycombinator.com/item?id=7665153)
598
599 -
600 --
601 --version
602 --help
603 $USER
604 /dev/null; touch /tmp/blns.fail ; echo
605 `touch /tmp/blns.fail`
606 $(touch /tmp/blns.fail)
607 @{[system "touch /tmp/blns.fail"]}
608
609 # Command Injection (Ruby)
610 #
611 # Strings which can call system commands within Ruby/Rails applications
612
613 eval("puts 'hello world'")
614 System("ls -al /")
615 `ls -al /`
616 Kernel.exec("ls -al /")
617 Kernel.exit(1)
618 %x('ls -al /')
619
620 # XXE Injection (XML)
621 #
622 # String which can reveal system files when parsed by a badly configured XML parser
623
624 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
625
626 # Unwanted Interpolation
627 #
628 # Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
629
630 $HOME
631 $ENV{'HOME'}
632 %d
633 %s%s%s%s%s
634 {0}
635 %*.*s
636 %@
637 %n
638 File:///
639
640 # File Inclusion
641 #
642 # Strings which can cause a user to pull in files that should not be part of a web server
643
644 ../../../../../../../../../../../etc/passwd%00
645 ../../../../../../../../../../../etc/hosts
646
647 # Known CVEs and Vulnerabilities
648 #
649 # Strings that test for known vulnerabilities
650
651 () { 0; }; touch /tmp/blns.shellshock1.fail;
652 () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
653 <<< %s(un='%s') = %u
654 +++ATH0
655
656 # MSDOS/Windows Special Filenames
657 #
658 # Strings which are reserved file names in MSDOS/Windows
659
660 CON
661 PRN
662 AUX
663 CLOCK$
664 NUL
665 A:
666 ZZ:
667 COM1
668 LPT1
669 LPT2
670 LPT3
671 COM2
672 COM3
673 COM4
674
675 # IRC specific strings
676 #
677 # Strings that may occur on IRC clients that make security products freak out
678
679 DCC SEND STARTKEYLOGGER 0 0 0
680
681 # Scunthorpe Problem
682 #
683 # Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
684
685 Scunthorpe General Hospital
686 Penistone Community Church
687 Lightwater Country Park
688 Jimmy Clitheroe
689 Horniman Museum
690 shitake mushrooms
691 RomansInSussex.co.uk
692 http://www.cum.qc.ca/
693 Craig Cockburn, Software Specialist
694 Linda Callahan
695 Dr. Herman I. Libshitz
696 magna cum laude
697 Super Bowl XXX
698 medieval erection of parapets
699 evaluate
700 mocha
701 expression
702 Arsenal canal
703 classic
704 Tyson Gay
705 Dick Van Dyke
706 basement
707
708 # Human injection
709 #
710 # Strings which may cause a human to reinterpret their worldview
711
712 If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
713
714 # Terminal escape codes
715 #
716 # Strings which punish the fools who use cat/type on this file
717
718 Roses are \e[0;31mred\e[0m, violets are \e[0;34mblue. Hope you enjoy terminal hue
719 But now...\e[20Cfor my greatest trick...\e[8m
720 The quic\b\b\b\b\b\bk brown fo\a\a\a\a\a\a\a\a\a\a\ax... [Beeeep]
721
722 # iOS Vulnerabilities
723 #
724 # Strings which crashed iMessage in various versions of iOS
725
726 Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
727 🏳0🌈️
728 జ్ఞ‌ా
729
730 # Persian special characters
731 #
732 # This is a four-character string which includes Persian special characters (گچپژ)
733
734 گچپژ
735
736 # jinja2 injection
737 #
738 # The first one is supposed to raise a "MemoryError" exception
739 # The second, obviously, prints the contents of /etc/passwd
740
741 {% print 'x' * 64 * 1024**3 %}
742 {{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}