4 releases (breaking)

Uses old Rust 2015

0.4.0 Apr 15, 2018
0.3.0 Apr 15, 2018
0.2.0 Apr 15, 2018
0.1.0 Apr 15, 2018

#56 in #injection

MIT license

6KB

A variety of tests for malicious code injection.

Everything here is safe to click (brson). Anyl local paths work on Win 10.

js

reference js

Case matters:

upcase js

local file

reference local file

inline html and scripts

an inline html that invokes a script:

<script type="text/javascript"> function clickme() { alert(1); } </script> click me

an inline script:

<script type="text/javascript"> document.write("if you are seeing this it was injected via javascript"); </script>

inline html with script onclick: click me

funky images

js image:

local file:

local text file:

regular non-local image:

non-local image

non-local html served as image:

non-local html as image

non-local html served as gif (I actually can't trick GitHub inter serving this as non-html ContentType)

non-local html served as gif

non-local html served as gif (I actually can't trick GitHub inter serving this as non-html ContentType)

non-local html served as jpg

(I can't actually find a service that will serve a .jpg-named html as mimetype text/html - and the browser mime sniffer would probably figure it out anyway)

No runtime deps