From 895b5f4885516f10df4504445373e488d551d96c Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Thu, 8 Apr 2021 10:49:18 -0400 Subject: [PATCH] test: actually test against a working unicode-encoded exploit I'm SMDH at the errors that have propagated in the test strings over the years. --- test/assets/testdata_sanitizer_tests1.dat | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/test/assets/testdata_sanitizer_tests1.dat b/test/assets/testdata_sanitizer_tests1.dat index c8284dc..b531675 100644 --- a/test/assets/testdata_sanitizer_tests1.dat +++ b/test/assets/testdata_sanitizer_tests1.dat @@ -34,11 +34,33 @@ }, { + /* original */ "name": "div_background_image_unicode_encoded", "input": "
foo
", "output": "
foo
" }, + { + /* from https://owasp.org/www-community/xss-filter-evasion-cheatsheet */ + "name": "div_background_image_unicode_encoded2", + "input": "
foo
", + "output": "
foo
" + }, + + { + /* uh, fix what appear to be typos that have propagated over the years */ + "name": "div_background_image_unicode_encoded3", + "input": "
foo
", + "output": "
foo
" + }, + + { + /* and finally a version that has a chance of actually demonstrating a javascript vulnerability */ + "name": "div_background_image_unicode_encoded4", + "input": "
foo
", + "output": "
foo
" + }, + { "name": "div_expression", "input": "
foo
",