Chris Morgan  ›  Git  ›  sanitise-file-name  ›  blob
Declare the tinyvec_string feature semver-excluded
[sanitise-file-name] / tests / blns.just-windows_safe.sanitised
1 #_Reserved Strings
2 #
3 #_Strings which may be used elsewhere in code
4 _
5 undefined
6 undef
7 null
8 NULL
9 (null)
10 nil
11 NIL
12 true
13 false
14 True
15 False
16 TRUE
17 FALSE
18 None
19 hasOwnProperty
20 then
21 constructor
22 _
23 __
24 _
25 #_Numeric Strings
26 #
27 #_Strings which can be interpreted as numeric
28 _
29 0
30 1
31 1.00
32 $1.00
33 1_2
34 1E2
35 1E02
36 1E+02
37 -1
38 -1.00
39 -$1.00
40 -1_2
41 -1E2
42 -1E02
43 -1E+02
44 1_0
45 0_0
46 -2147483648_-1
47 -9223372036854775808_-1
48 -0
49 -0.0
50 +0
51 +0.0
52 0.00
53 0..0
54 .
55 0.0.0
56 0,00
57 0,,0
58 ,
59 0,0,0
60 0.0_0
61 1.0_0.0
62 0.0_0.0
63 1,0_0,0
64 0,0_0,0
65 --1
66 -
67 -.
68 -,
69 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
70 NaN
71 Infinity
72 -Infinity
73 INF
74 1#INF
75 -1#IND
76 1#QNAN
77 1#SNAN
78 1#IND
79 0x0
80 0xffffffff
81 0xffffffffffffffff
82 0xabad1dea
83 123456789012345678901234567890123456789
84 1,000.00
85 1 000.00
86 1'000.00
87 1,000,000.00
88 1 000 000.00
89 1'000'000.00
90 1.000,00
91 1 000,00
92 1'000,00
93 1.000.000,00
94 1 000 000,00
95 1'000'000,00
96 01000
97 08
98 09
99 2.2250738585072011e-308
100 _
101 #_Special Characters
102 #
103 # ASCII punctuation. All of these characters may need to be escaped in some
104 # contexts. Divided into three groups based on (US-layout) keyboard position.
105 _
106 ,._;'[]_-=
107 _____{}__+
108 !@#$%^&_()`~
109 _
110 # Non-whitespace C0 controls_ U+0001 through U+0008, U+000E through U+001F,
111 # and U+007F (DEL)
112 # Often forbidden to appear in various text-based file formats (e.g. XML),
113 # or reused for internal delimiters on the theory that they should never
114 # appear in input.
115 # The next line may appear to be blank or mojibake in some viewers.
116 ___________________________
117 _
118 # Non-whitespace C1 controls_ U+0080 through U+0084 and U+0086 through U+009F.
119 # Commonly misinterpreted as additional graphic characters.
120 # The next line may appear to be blank, mojibake, or dingbats in some viewers.
121 \80\81\82\83\84\86\87\88\89\8a\8b\8c\8d\8e\8f\90\91\92\93\94\95\96\97\98\99\9a\9b\9c\9d\9e\9f
122 _
123 # Whitespace_ all of the characters with category Zs, Zl, or Zp (in Unicode
124 # version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL),
125 # and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
126 # treated as whitespace in some contexts.
127 # This file unfortunately cannot express strings containing
128 # U+0000, U+000A, or U+000D (NUL, LF, CR).
129 # The next line may appear to be blank or mojibake in some viewers.
130 # The next line may be flagged for _trailing whitespace_ in some viewers.
131 ___ \85             ​

   
132 _
133 # Unicode additional control characters_ all of the characters with
134 # general category Cf (in Unicode 8.0.0).
135 # The next line may appear to be blank or mojibake in some viewers.
136 ­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵
137 _
138 # _Byte order marks_, U+FEFF and U+FFFE, each on its own line.
139 # The next two lines may appear to be blank or mojibake in some viewers.
140 
141
142 _
143 #_Unicode Symbols
144 #
145 #_Strings which contain common unicode symbols (e.g. smart quotes)
146 _
147 Ω≈ç√∫˜µ≤≥÷
148 åß∂ƒ©˙∆˚¬…æ
149 œ∑´®†¥¨ˆøπ“‘
150 ¡™£¢∞§¶•ªº–≠
151 ¸˛Ç◊ı˜Â¯˘¿
152 ÅÍÎÏ˝ÓÔÒÚÆ☃
153 Œ„´‰ˇÁ¨ˆØ∏”’
154 `⁄€‹›fifl‡°·‚—±
155 ⅛⅜⅝⅞
156 ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
157 ٠١٢٣٤٥٦٧٨٩
158 _
159 #_Unicode Subscript_Superscript_Accents
160 #
161 #_Strings which contain unicode subscripts_superscripts; can cause rendering issues
162 _
163 ⁰⁴⁵
164 ₀₁₂
165 ⁰⁴⁵₀₁₂
166 ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้
167 _
168 #_Quotation Marks
169 #
170 #_Strings which contain misplaced quotation marks; can cause encoding errors
171 _
172 '
173 _
174 ''
175 __
176 '_'
177 _''''_'_
178 _'_'_''''_
179 _foo val=“bar” __
180 _foo val=“bar” __
181 _foo val=”bar“ __
182 _foo val=`bar' __
183 _
184 #_Two-Byte Characters
185 #
186 #_Strings which contain two-byte characters_ can cause rendering issues or character-length issues
187 _
188 田中さんにあげて下さい
189 パーティーへ行かないか
190 和製漢語
191 部落格
192 사회과학원 어학연구소
193 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
194 社會科學院語學研究所
195 울란바토르
196 𠜎𠜱𠝹𠱓𠱸𠲖𠳏
197 _
198 #_Strings which contain two-byte letters_ can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character
199 _
200 𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓_𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆
201 _
202 #_Special Unicode Characters Union
203 #
204 #_A super string recommended by VMware Inc. Globalization Team_ can effectively cause rendering issues or character-length issues to validate product globalization readiness.
205 #
206 #_表 CJK_UNIFIED_IDEOGRAPHS (U+8868)
207 #_ポ KATAKANA LETTER PO (U+30DD)
208 #_あ HIRAGANA LETTER A (U+3042)
209 #_A LATIN CAPITAL LETTER A (U+0041)
210 #_鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7)
211 #_ΠLATIN SMALL LIGATURE OE (U+0153)
212 #_é LATIN SMALL LETTER E WITH ACUTE (U+00E9)
213 #_B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22)
214 #_逍 CJK_UNIFIED_IDEOGRAPHS (U+900D)
215 #_Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC)
216 #_ß LATIN SMALL LETTER SHARP S (U+00DF)
217 #_ª FEMININE ORDINAL INDICATOR (U+00AA)
218 #_ą LATIN SMALL LETTER A WITH OGONEK (U+0105)
219 #_ñ LATIN SMALL LETTER N WITH TILDE (U+00F1)
220 #_丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02)
221 #_㐀 CJK Ideograph Extension A, First (U+3400)
222 #_𠀀 CJK Ideograph Extension B, First (U+20000)
223 _
224 表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀
225 _
226 #_Changing length when lowercased
227 #
228 #_Characters which increase in length (2 to 3 bytes) when lowercased
229 #_Credit_ https___twitter.com_jifa_status_625776454479970304
230 _
231 Ⱥ
232 Ⱦ
233 _
234 #_Japanese Emoticons
235 #
236 #_Strings which consists of Japanese-style emoticons which are popular on the web
237 _
238 ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
239 (。◕ ∀ ◕。)
240 `ィ(´∀`∩
241 __ロ(,_,_)
242 ・( ̄∀ ̄)・___
243 ゚・✿ヾ╲(。◕‿◕。)╱✿・゚
244 ,。・___・゜’( ☻ ω ☻ )。・___・゜’
245 (╯°□°)╯︵ ┻━┻)
246 (ノಥ益ಥ)ノ ┻━┻
247 ┬─┬ノ( º _ ºノ)
248 ( ͡° ͜ʖ ͡°)
249 ¯__(ツ)__¯
250 _
251 #_Emoji
252 #
253 #_Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
254 _
255 😍
256 👩🏽
257 👨‍🦰 👨🏿‍🦰 👨‍🦱 👨🏿‍🦱 🦹🏿‍♂️
258 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
259 🐵 🙈 🙉 🙊
260 ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
261 ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
262 👨‍👩‍👦 👨‍👩‍👧‍👦 👨‍👨‍👦 👩‍👩‍👧 👨‍👦 👨‍👧‍👦 👩‍👦 👩‍👧‍👦
263 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
264 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
265 _
266 # Regional Indicator Symbols
267 #
268 # Regional Indicator Symbols can be displayed differently across
269 # fonts, and have a number of special behaviors
270 _
271 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
272 🇺🇸🇷🇺🇸🇦🇫🇦🇲
273 🇺🇸🇷🇺🇸🇦
274 _
275 #_Unicode Numbers
276 #
277 #_Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
278 _
279 123
280 ١٢٣
281 _
282 #_Right-To-Left Strings
283 #
284 #_Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
285 _
286 ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر .
287 בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
288 הָיְתָהtestالصفحات التّحول
289
290
291 مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
292 الكل في المجمو عة (5)
293 _
294 #_Ogham Text
295 #
296 #_The only unicode alphabet to use a space which isn't empty but should still act like a space.
297 _
298 ᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜
299 ᚛                 ᚜
300 _
301 #_Trick Unicode
302 #
303 #_Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http___www.unicode.org_charts_PDF_U2000.pdf)
304 _
305 ‪‪test‪
306 ‫test‫
307 
test

308 test⁠test‫
309 ⁦test⁧
310 _
311 #_Zalgo Text
312 #
313 #_Strings which contain _corrupted_ text. The corruption will not appear in non-HTML text, however. (via http___www.eeemo.net)
314 _
315 Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠.̨̹͈̣
316 ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖.̛̖̞̠̫̰
317 ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰.̟
318 ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹.͕
319 Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
320 _
321 #_Unicode Upsidedown
322 #
323 #_Strings which contain unicode with an _upsidedown_ effect (via http___www.upsidedowntext.com)
324 _
325 ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
326 00˙Ɩ$-
327 _
328 #_Unicode font
329 #
330 #_Strings which contain bold_italic_etc. versions of normal characters
331 _
332 The quick brown fox jumps over the lazy dog
333 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
334 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
335 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
336 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
337 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
338 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
339 ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
340 _
341 #_Script Injection
342 #
343 #_Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
344 _
345 _script_alert(0)__script_
346 <script>alert('1');<_script>
347 _img src=x onerror=alert(2) __
348 _svg__script_123_1_alert(3)__script_
349 ___script_alert(4)__script_
350 '__script_alert(5)__script_
351 __script_alert(6)__script_
352 __script__script_alert(7)__script_
353 _ _ script __ script _alert(8)_ _ script _
354  onfocus=JaVaSCript_alert(9) autofocus
355 _ onfocus=JaVaSCript_alert(10) autofocus
356 ' onfocus=JaVaSCript_alert(11) autofocus
357 <script>alert(12)<_script>
358 _sc_script_ript_alert(13)__sc__script_ript_
359 --__script_alert(14)__script_
360 _;alert(15);t=_
361 ';alert(16);t='
362 JavaSCript_alert(17)
363 ;alert(18);
364 src=JaVaSCript_prompt(19)
365 ___script_alert(20);__script x=_
366 '__script_alert(21);__script x='
367 __script_alert(22);__script x=
368 _ autofocus onkeyup=_javascript_alert(23)
369 ' autofocus onkeyup='javascript_alert(24)
370 _script_x20type=_text_javascript__javascript_alert(25);__script_
371 _script_x3Etype=_text_javascript__javascript_alert(26);__script_
372 _script_x0Dtype=_text_javascript__javascript_alert(27);__script_
373 _script_x09type=_text_javascript__javascript_alert(28);__script_
374 _script_x0Ctype=_text_javascript__javascript_alert(29);__script_
375 _script_x2Ftype=_text_javascript__javascript_alert(30);__script_
376 _script_x0Atype=_text_javascript__javascript_alert(31);__script_
377 '`____x3Cscript_javascript_alert(32)__script_
378 '`____x00script_javascript_alert(33)__script_
379 ABC_div style=_x_x3Aexpression(javascript_alert(34)__DEF
380 ABC_div style=_x_expression_x5C(javascript_alert(35)__DEF
381 ABC_div style=_x_expression_x00(javascript_alert(36)__DEF
382 ABC_div style=_x_exp_x00ression(javascript_alert(37)__DEF
383 ABC_div style=_x_exp_x5Cression(javascript_alert(38)__DEF
384 ABC_div style=_x__x0Aexpression(javascript_alert(39)__DEF
385 ABC_div style=_x__x09expression(javascript_alert(40)__DEF
386 ABC_div style=_x__xE3_x80_x80expression(javascript_alert(41)__DEF
387 ABC_div style=_x__xE2_x80_x84expression(javascript_alert(42)__DEF
388 ABC_div style=_x__xC2_xA0expression(javascript_alert(43)__DEF
389 ABC_div style=_x__xE2_x80_x80expression(javascript_alert(44)__DEF
390 ABC_div style=_x__xE2_x80_x8Aexpression(javascript_alert(45)__DEF
391 ABC_div style=_x__x0Dexpression(javascript_alert(46)__DEF
392 ABC_div style=_x__x0Cexpression(javascript_alert(47)__DEF
393 ABC_div style=_x__xE2_x80_x87expression(javascript_alert(48)__DEF
394 ABC_div style=_x__xEF_xBB_xBFexpression(javascript_alert(49)__DEF
395 ABC_div style=_x__x20expression(javascript_alert(50)__DEF
396 ABC_div style=_x__xE2_x80_x88expression(javascript_alert(51)__DEF
397 ABC_div style=_x__x00expression(javascript_alert(52)__DEF
398 ABC_div style=_x__xE2_x80_x8Bexpression(javascript_alert(53)__DEF
399 ABC_div style=_x__xE2_x80_x86expression(javascript_alert(54)__DEF
400 ABC_div style=_x__xE2_x80_x85expression(javascript_alert(55)__DEF
401 ABC_div style=_x__xE2_x80_x82expression(javascript_alert(56)__DEF
402 ABC_div style=_x__x0Bexpression(javascript_alert(57)__DEF
403 ABC_div style=_x__xE2_x80_x81expression(javascript_alert(58)__DEF
404 ABC_div style=_x__xE2_x80_x83expression(javascript_alert(59)__DEF
405 ABC_div style=_x__xE2_x80_x89expression(javascript_alert(60)__DEF
406 _a href=__x0Bjavascript_javascript_alert(61)_ id=_fuzzelement1__test__a_
407 _a href=__x0Fjavascript_javascript_alert(62)_ id=_fuzzelement1__test__a_
408 _a href=__xC2_xA0javascript_javascript_alert(63)_ id=_fuzzelement1__test__a_
409 _a href=__x05javascript_javascript_alert(64)_ id=_fuzzelement1__test__a_
410 _a href=__xE1_xA0_x8Ejavascript_javascript_alert(65)_ id=_fuzzelement1__test__a_
411 _a href=__x18javascript_javascript_alert(66)_ id=_fuzzelement1__test__a_
412 _a href=__x11javascript_javascript_alert(67)_ id=_fuzzelement1__test__a_
413 _a href=__xE2_x80_x88javascript_javascript_alert(68)_ id=_fuzzelement1__test__a_
414 _a href=__xE2_x80_x89javascript_javascript_alert(69)_ id=_fuzzelement1__test__a_
415 _a href=__xE2_x80_x80javascript_javascript_alert(70)_ id=_fuzzelement1__test__a_
416 _a href=__x17javascript_javascript_alert(71)_ id=_fuzzelement1__test__a_
417 _a href=__x03javascript_javascript_alert(72)_ id=_fuzzelement1__test__a_
418 _a href=__x0Ejavascript_javascript_alert(73)_ id=_fuzzelement1__test__a_
419 _a href=__x1Ajavascript_javascript_alert(74)_ id=_fuzzelement1__test__a_
420 _a href=__x00javascript_javascript_alert(75)_ id=_fuzzelement1__test__a_
421 _a href=__x10javascript_javascript_alert(76)_ id=_fuzzelement1__test__a_
422 _a href=__xE2_x80_x82javascript_javascript_alert(77)_ id=_fuzzelement1__test__a_
423 _a href=__x20javascript_javascript_alert(78)_ id=_fuzzelement1__test__a_
424 _a href=__x13javascript_javascript_alert(79)_ id=_fuzzelement1__test__a_
425 _a href=__x09javascript_javascript_alert(80)_ id=_fuzzelement1__test__a_
426 _a href=__xE2_x80_x8Ajavascript_javascript_alert(81)_ id=_fuzzelement1__test__a_
427 _a href=__x14javascript_javascript_alert(82)_ id=_fuzzelement1__test__a_
428 _a href=__x19javascript_javascript_alert(83)_ id=_fuzzelement1__test__a_
429 _a href=__xE2_x80_xAFjavascript_javascript_alert(84)_ id=_fuzzelement1__test__a_
430 _a href=__x1Fjavascript_javascript_alert(85)_ id=_fuzzelement1__test__a_
431 _a href=__xE2_x80_x81javascript_javascript_alert(86)_ id=_fuzzelement1__test__a_
432 _a href=__x1Djavascript_javascript_alert(87)_ id=_fuzzelement1__test__a_
433 _a href=__xE2_x80_x87javascript_javascript_alert(88)_ id=_fuzzelement1__test__a_
434 _a href=__x07javascript_javascript_alert(89)_ id=_fuzzelement1__test__a_
435 _a href=__xE1_x9A_x80javascript_javascript_alert(90)_ id=_fuzzelement1__test__a_
436 _a href=__xE2_x80_x83javascript_javascript_alert(91)_ id=_fuzzelement1__test__a_
437 _a href=__x04javascript_javascript_alert(92)_ id=_fuzzelement1__test__a_
438 _a href=__x01javascript_javascript_alert(93)_ id=_fuzzelement1__test__a_
439 _a href=__x08javascript_javascript_alert(94)_ id=_fuzzelement1__test__a_
440 _a href=__xE2_x80_x84javascript_javascript_alert(95)_ id=_fuzzelement1__test__a_
441 _a href=__xE2_x80_x86javascript_javascript_alert(96)_ id=_fuzzelement1__test__a_
442 _a href=__xE3_x80_x80javascript_javascript_alert(97)_ id=_fuzzelement1__test__a_
443 _a href=__x12javascript_javascript_alert(98)_ id=_fuzzelement1__test__a_
444 _a href=__x0Djavascript_javascript_alert(99)_ id=_fuzzelement1__test__a_
445 _a href=__x0Ajavascript_javascript_alert(100)_ id=_fuzzelement1__test__a_
446 _a href=__x0Cjavascript_javascript_alert(101)_ id=_fuzzelement1__test__a_
447 _a href=__x15javascript_javascript_alert(102)_ id=_fuzzelement1__test__a_
448 _a href=__xE2_x80_xA8javascript_javascript_alert(103)_ id=_fuzzelement1__test__a_
449 _a href=__x16javascript_javascript_alert(104)_ id=_fuzzelement1__test__a_
450 _a href=__x02javascript_javascript_alert(105)_ id=_fuzzelement1__test__a_
451 _a href=__x1Bjavascript_javascript_alert(106)_ id=_fuzzelement1__test__a_
452 _a href=__x06javascript_javascript_alert(107)_ id=_fuzzelement1__test__a_
453 _a href=__xE2_x80_xA9javascript_javascript_alert(108)_ id=_fuzzelement1__test__a_
454 _a href=__xE2_x80_x85javascript_javascript_alert(109)_ id=_fuzzelement1__test__a_
455 _a href=__x1Ejavascript_javascript_alert(110)_ id=_fuzzelement1__test__a_
456 _a href=__xE2_x81_x9Fjavascript_javascript_alert(111)_ id=_fuzzelement1__test__a_
457 _a href=__x1Cjavascript_javascript_alert(112)_ id=_fuzzelement1__test__a_
458 _a href=_javascript_x00_javascript_alert(113)_ id=_fuzzelement1__test__a_
459 _a href=_javascript_x3A_javascript_alert(114)_ id=_fuzzelement1__test__a_
460 _a href=_javascript_x09_javascript_alert(115)_ id=_fuzzelement1__test__a_
461 _a href=_javascript_x0D_javascript_alert(116)_ id=_fuzzelement1__test__a_
462 _a href=_javascript_x0A_javascript_alert(117)_ id=_fuzzelement1__test__a_
463 `_'__img src=xxx_x _x0Aonerror=javascript_alert(118)_
464 `_'__img src=xxx_x _x22onerror=javascript_alert(119)_
465 `_'__img src=xxx_x _x0Bonerror=javascript_alert(120)_
466 `_'__img src=xxx_x _x0Donerror=javascript_alert(121)_
467 `_'__img src=xxx_x _x2Fonerror=javascript_alert(122)_
468 `_'__img src=xxx_x _x09onerror=javascript_alert(123)_
469 `_'__img src=xxx_x _x0Conerror=javascript_alert(124)_
470 `_'__img src=xxx_x _x00onerror=javascript_alert(125)_
471 `_'__img src=xxx_x _x27onerror=javascript_alert(126)_
472 `_'__img src=xxx_x _x20onerror=javascript_alert(127)_
473 _`'__script__x3Bjavascript_alert(128)__script_
474 _`'__script__x0Djavascript_alert(129)__script_
475 _`'__script__xEF_xBB_xBFjavascript_alert(130)__script_
476 _`'__script__xE2_x80_x81javascript_alert(131)__script_
477 _`'__script__xE2_x80_x84javascript_alert(132)__script_
478 _`'__script__xE3_x80_x80javascript_alert(133)__script_
479 _`'__script__x09javascript_alert(134)__script_
480 _`'__script__xE2_x80_x89javascript_alert(135)__script_
481 _`'__script__xE2_x80_x85javascript_alert(136)__script_
482 _`'__script__xE2_x80_x88javascript_alert(137)__script_
483 _`'__script__x00javascript_alert(138)__script_
484 _`'__script__xE2_x80_xA8javascript_alert(139)__script_
485 _`'__script__xE2_x80_x8Ajavascript_alert(140)__script_
486 _`'__script__xE1_x9A_x80javascript_alert(141)__script_
487 _`'__script__x0Cjavascript_alert(142)__script_
488 _`'__script__x2Bjavascript_alert(143)__script_
489 _`'__script__xF0_x90_x96_x9Ajavascript_alert(144)__script_
490 _`'__script_-javascript_alert(145)__script_
491 _`'__script__x0Ajavascript_alert(146)__script_
492 _`'__script__xE2_x80_xAFjavascript_alert(147)__script_
493 _`'__script__x7Ejavascript_alert(148)__script_
494 _`'__script__xE2_x80_x87javascript_alert(149)__script_
495 _`'__script__xE2_x81_x9Fjavascript_alert(150)__script_
496 _`'__script__xE2_x80_xA9javascript_alert(151)__script_
497 _`'__script__xC2_x85javascript_alert(152)__script_
498 _`'__script__xEF_xBF_xAEjavascript_alert(153)__script_
499 _`'__script__xE2_x80_x83javascript_alert(154)__script_
500 _`'__script__xE2_x80_x8Bjavascript_alert(155)__script_
501 _`'__script__xEF_xBF_xBEjavascript_alert(156)__script_
502 _`'__script__xE2_x80_x80javascript_alert(157)__script_
503 _`'__script__x21javascript_alert(158)__script_
504 _`'__script__xE2_x80_x82javascript_alert(159)__script_
505 _`'__script__xE2_x80_x86javascript_alert(160)__script_
506 _`'__script__xE1_xA0_x8Ejavascript_alert(161)__script_
507 _`'__script__x0Bjavascript_alert(162)__script_
508 _`'__script__x20javascript_alert(163)__script_
509 _`'__script__xC2_xA0javascript_alert(164)__script_
510 _img _x00src=x onerror=_alert(165)__
511 _img _x47src=x onerror=_javascript_alert(166)__
512 _img _x11src=x onerror=_javascript_alert(167)__
513 _img _x12src=x onerror=_javascript_alert(168)__
514 _img_x47src=x onerror=_javascript_alert(169)__
515 _img_x10src=x onerror=_javascript_alert(170)__
516 _img_x13src=x onerror=_javascript_alert(171)__
517 _img_x32src=x onerror=_javascript_alert(172)__
518 _img_x47src=x onerror=_javascript_alert(173)__
519 _img_x11src=x onerror=_javascript_alert(174)__
520 _img _x47src=x onerror=_javascript_alert(175)__
521 _img _x34src=x onerror=_javascript_alert(176)__
522 _img _x39src=x onerror=_javascript_alert(177)__
523 _img _x00src=x onerror=_javascript_alert(178)__
524 _img src_x09=x onerror=_javascript_alert(179)__
525 _img src_x10=x onerror=_javascript_alert(180)__
526 _img src_x13=x onerror=_javascript_alert(181)__
527 _img src_x32=x onerror=_javascript_alert(182)__
528 _img src_x12=x onerror=_javascript_alert(183)__
529 _img src_x11=x onerror=_javascript_alert(184)__
530 _img src_x00=x onerror=_javascript_alert(185)__
531 _img src_x47=x onerror=_javascript_alert(186)__
532 _img src=x_x09onerror=_javascript_alert(187)__
533 _img src=x_x10onerror=_javascript_alert(188)__
534 _img src=x_x11onerror=_javascript_alert(189)__
535 _img src=x_x12onerror=_javascript_alert(190)__
536 _img src=x_x13onerror=_javascript_alert(191)__
537 _img[a][b][c]src[d]=x[e]onerror=[f]_alert(192)__
538 _img src=x onerror=_x09_javascript_alert(193)__
539 _img src=x onerror=_x10_javascript_alert(194)__
540 _img src=x onerror=_x11_javascript_alert(195)__
541 _img src=x onerror=_x12_javascript_alert(196)__
542 _img src=x onerror=_x32_javascript_alert(197)__
543 _img src=x onerror=_x00_javascript_alert(198)__
544 _a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script_javascript_alert(199)_XXX__a_
545 _img src=_x` `_script_javascript_alert(200)__script__` `_
546 _img src onerror __ '_= alt=javascript_alert(201)____
547 _title onpropertychange=javascript_alert(202)___title__title title=_
548 _a href=http___foo.bar_#x=`y___a__img alt=_`__img src=x_x onerror=javascript_alert(203)___a___
549 _!--[if]__script_javascript_alert(204)__script --_
550 _!--[if_img src=x onerror=javascript_alert(205)__]_ --_
551 _script src=___%(jscript)s____script_
552 _script src=___%(jscript)s____script_
553 _IMG _____SCRIPT_alert(_206_)__SCRIPT___
554 _IMG SRC=javascript_alert(String.fromCharCode(50,48,55))_
555 _IMG SRC=# onmouseover=_alert('208')__
556 _IMG SRC= onmouseover=_alert('209')__
557 _IMG onmouseover=_alert('210')__
558 _IMG SRC=javascript:alert('211')_
559 _IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000050&#0000049&#0000050&#0000039&#0000041_
560 _IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x32&#x31&#x33&#x27&#x29_
561 _IMG SRC=_jav   ascript_alert('214');__
562 _IMG SRC=_jav	ascript_alert('215');__
563 _IMG SRC=_jav
ascript_alert('216');__
564 _IMG SRC=_jav
ascript_alert('217');__
565 perl -e 'print __IMG SRC=java_0script_alert(__218__)__;' _ out
566 _IMG SRC=_   javascript_alert('219');__
567 _SCRIPT_XSS SRC=_http___ha.ckers.org_xss.js____SCRIPT_
568 _BODY onload!#$%&()_~+-_.,_;_@[___]^`=alert(_220_)_
569 _SCRIPT_SRC=_http___ha.ckers.org_xss.js____SCRIPT_
570 __SCRIPT_alert(_221_);_____SCRIPT_
571 _SCRIPT SRC=http___ha.ckers.org_xss.js__ B _
572 _SCRIPT SRC=__ha.ckers.org_.j_
573 _IMG SRC=_javascript_alert('222')_
574 _iframe src=http___ha.ckers.org_scriptlet.html _
575 __;alert('223');__
576 _u oncopy=alert()_ Copy me__u_
577 _i onwheel=alert(224)_ Scroll over me __i_
578 _plaintext_
579 http___a_%%30%30
580 __textarea__script_alert(225)__script_
581 _
582 #_SQL Injection
583 #
584 #_Strings which can cause a SQL injection if inputs are not sanitized
585 _
586 1;DROP TABLE users
587 1'; DROP TABLE users-- 1
588 ' OR 1=1 -- 1
589 ' OR '1'='1
590 '; EXEC sp_MSForEachTable 'DROP TABLE _'; --
591
592 %
593 _
594 _
595 #_Server Code Injection
596 #
597 #_Strings which can cause user to run code on server as a privileged user (c.f. https___news.ycombinator.com_item_id=7665153)
598 _
599 -
600 --
601 --version
602 --help
603 $USER
604 _dev_null; touch _tmp_blns.fail ; echo
605 `touch _tmp_blns.fail`
606 $(touch _tmp_blns.fail)
607 @{[system _touch _tmp_blns.fail_]}
608 _
609 #_Command Injection (Ruby)
610 #
611 #_Strings which can call system commands within Ruby_Rails applications
612 _
613 eval(_puts 'hello world'_)
614 System(_ls -al __)
615 `ls -al _`
616 Kernel.exec(_ls -al __)
617 Kernel.exit(1)
618 %x('ls -al _')
619 _
620 # XXE Injection (XML)
621 #
622 #_String which can reveal system files when parsed by a badly configured XML parser
623 _
624 __xml version=_1.0_ encoding=_ISO-8859-1____!DOCTYPE foo [ _!ELEMENT foo ANY __!ENTITY xxe SYSTEM _file____etc_passwd_ _]__foo_&xxe;__foo_
625 _
626 #_Unwanted Interpolation
627 #
628 #_Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just repr.
629 _
630 $HOME
631 $ENV{'HOME'}
632 %d
633 %s%s%s%s%s
634 {0}
635 %_._s
636 %@
637 %n
638 File____
639 _
640 #_File Inclusion
641 #
642 #_Strings which can cause user to pull in files that should not be a part of a web server
643 _
644 .._.._.._.._.._.._.._.._.._.._.._etc_passwd%00
645 .._.._.._.._.._.._.._.._.._.._.._etc_hosts
646 _
647 #_Known CVEs and Vulnerabilities
648 #
649 #_Strings that test for known vulnerabilities
650 _
651 () { 0; }; touch _tmp_blns.shellshock1.fail;
652 () { _; } __[$($())] { touch _tmp_blns.shellshock2.fail; }
653 ___ %s(un='%s') = %u
654 +++ATH0
655 _
656 #_MSDOS_Windows Special Filenames
657 #
658 #_Strings which are reserved characters in MSDOS_Windows
659 _
660 CON_
661 PRN_
662 AUX_
663 CLOCK$
664 NUL_
665 A_
666 ZZ_
667 COM1_
668 LPT1_
669 LPT2_
670 LPT3_
671 COM2_
672 COM3_
673 COM4_
674 _
675 # IRC specific strings
676 #
677 # Strings that may occur on IRC clients that make security products freak out
678 _
679 DCC SEND STARTKEYLOGGER 0 0 0
680 _
681 #_Scunthorpe Problem
682 #
683 #_Innocuous strings which may be blocked by profanity filters (https___en.wikipedia.org_wiki_Scunthorpe_problem)
684 _
685 Scunthorpe General Hospital
686 Penistone Community Church
687 Lightwater Country Park
688 Jimmy Clitheroe
689 Horniman Museum
690 shitake mushrooms
691 RomansInSussex.co.uk
692 http___www.cum.qc.ca_
693 Craig Cockburn, Software Specialist
694 Linda Callahan
695 Dr. Herman I. Libshitz
696 magna cum laude
697 Super Bowl XXX
698 medieval erection of parapets
699 evaluate
700 mocha
701 expression
702 Arsenal canal
703 classic
704 Tyson Gay
705 Dick Van Dyke
706 basement
707 _
708 #_Human injection
709 #
710 #_Strings which may cause human to reinterpret worldview
711 _
712 If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
713 _
714 #_Terminal escape codes
715 #
716 #_Strings which punish the fools who use cat_type on this file
717 _
718 Roses are _[0;31mred_[0m, violets are _[0;34mblue. Hope you enjoy terminal hue
719 But now..._[20Cfor my greatest trick..._[8m
720 The quic______k brown fo___________x... [Beeeep]
721 _
722 #_iOS Vulnerabilities
723 #
724 #_Strings which crashed iMessage in various versions of iOS
725 _
726 Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
727 🏳0🌈️
728 జ్ఞ‌ా
729 _
730 # Persian special characters
731 #
732 # This is a four characters string which includes Persian special characters (گچپژ)
733 _
734 گچپژ
735 _
736 # jinja2 injection
737 #
738 # first one is supposed to raise _MemoryError_ exception
739 # second, obviously, prints contents of _etc_passwd
740 _
741 {% print 'x' _ 64 _ 1024__3 %}
742 {{ __.__class__.__mro__[2].__subclasses__()[40](__etc_passwd_).read() }}