Skip to content

Commit

Permalink
fix: add positive and negative tests
Browse files Browse the repository at this point in the history 
Signed-off-by: Felipe Zipitria <[email protected]>
  • Loading branch information
@fzipi
fzipi committed Jun 7, 2024
1 parent a349228 commit 8c3ddda
Showing 1 changed file with 35 additions and 28 deletions.
63 changes: 35 additions & 28 deletions xss_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,38 +10,45 @@ import (

// Examples can be read at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
func TestIsXSS(t *testing.T) {
examples := []string{
"<script>alert(1);</script>",
"><script>alert(1);</script>",
"x ><script>alert(1);</script>",
"' ><script>alert(1);</script>",
"\"><script>alert(1);</script>",
"red;</style><script>alert(1);</script>",
"red;}</style><script>alert(1);</script>",
"red;\"/><script>alert(1);</script>",
"');}</style><script>alert(1);</script>",
"onerror=alert(1)>",
"x onerror=alert(1);>",
"x' onerror=alert(1);>",
"x\" onerror=alert(1);>",
"<a href=\"javascript:alert(1)\">",
"<a href='javascript:alert(1)'>",
"<a href=javascript:alert(1)>",
"<a href = javascript:alert(1); >",
"<a href=\" javascript:alert(1);\" >",
"<a href=\"JAVASCRIPT:alert(1);\" >",
"<style>@keyframes x{}</style><xss style=\"animation-name:x\" onanimationstart=\"alert(1)\"></xss>",
"<noembed><img title=\"</noembed><img src onerror=alert(1)>\"></noembed>",
"javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>", // polyglot payload
"<xss class=progress-bar-animated onanimationstart=alert(1)>",
"<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>",
examples := []struct {
input string
isXSS bool
}{
// True positives
{input: "<script>alert(1);</script>", isXSS: true},
{input: "><script>alert(1);</script>", isXSS: true},
{input: "x ><script>alert(1);</script>", isXSS: true},
{input: "' ><script>alert(1);</script>", isXSS: true},
{input: "\"><script>alert(1);</script>", isXSS: true},
{input: "red;</style><script>alert(1);</script>", isXSS: true},
{input: "red;}</style><script>alert(1);</script>", isXSS: true},
{input: "red;\"/><script>alert(1);</script>", isXSS: true},
{input: "');}</style><script>alert(1);</script>", isXSS: true},
{input: "onerror=alert(1)>", isXSS: true},
{input: "x onerror=alert(1);>", isXSS: true},
{input: "x' onerror=alert(1);>", isXSS: true},
{input: "x\" onerror=alert(1);>", isXSS: true},
{input: "<a href=\"javascript:alert(1)\">", isXSS: true},
{input: "<a href='javascript:alert(1)'>", isXSS: true},
{input: "<a href=javascript:alert(1)>", isXSS: true},
{input: "<a href = javascript:alert(1); >", isXSS: true},
{input: "<a href=\" javascript:alert(1);\" >", isXSS: true},
{input: "<a href=\"JAVASCRIPT:alert(1);\" >", isXSS: true},
{input: "<style>@keyframes x{}</style><xss style=\"animation-name:x\" onanimationstart=\"alert(1)\"></xss>", isXSS: true},
{input: "<noembed><img title=\"</noembed><img src onerror=alert(1)>\"></noembed>", isXSS: true},
{input: "javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>", isXSS: true}, // polyglot payload
{input: "<xss class=progress-bar-animated onanimationstart=alert(1)>", isXSS: true},
{input: "<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>", isXSS: true},
// Payload sample from https://github.com/payloadbox/xss-payload-list
"<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"%(htc)s\"><xss:xss>XSS</xss:xss></HTML>\"\"\",\"XML namespace.\"),(\"\"\"<XML ID=\"xss\"><I><B>&lt;IMG SRC=\"javas<!-- -->cript:javascript:alert(1)\"&gt;</B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>",
{input: "<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"%(htc)s\"><xss:xss>XSS</xss:xss></HTML>\"\"\",\"XML namespace.\"),(\"\"\"<XML ID=\"xss\"><I><B>&lt;IMG SRC=\"javas<!-- -->cript:javascript:alert(1)\"&gt;</B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>", isXSS: true},
// True negatives
{input: "myvar=onfoobar==", isXSS: false},
{input: "onY29va2llcw==", isXSS: false}, //base64 encoded "thisisacookie", prefixed by "on"

Check failure on line 46 in xss_test.go

View workflow job for this annotation

GitHub Actions / pre-commit 

commentFormatting: put a space between `//` and comment text

Check failure on line 46 in xss_test.go

View workflow job for this annotation

GitHub Actions / pre-commit 

commentFormatting: put a space between `//` and comment text
}

for _, example := range examples {
if !IsXSS(example) {
t.Errorf("[%s] is not XSS", example)
if res := IsXSS(example.input); res != example.isXSS {
t.Errorf("[%s] wanted: %t, got %t", example.input, example.isXSS, res)
}
}
}
Expand Down

0 comments on commit 8c3ddda

Please sign in to comment.