!! input
<pre width="8" style="border-width: expression(alert(document.cookie))">Narrow screen goodies</pre>
!! result
-<pre width="8">Narrow screen goodies</pre>
+<pre width="8" style="/* insecure input */">Narrow screen goodies</pre>
!! end
!! input
PMID 1234
!! result
-<p><a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=1234" class="external" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=1234">PMID 1234</a>
+<p><a href="http://www.ncbi.nlm.nih.gov/pubmed/1234?dopt=Abstract" class="external" title="http://www.ncbi.nlm.nih.gov/pubmed/1234?dopt=Abstract">PMID 1234</a>
</p>
!! end
!! input
<div style="{{dangerous style attribute}}"></div>
!! result
-<div></div>
+<div style="/* insecure input */"></div>
!! end
!! input
{{div style|width: expression(alert(document.cookie))}}
!! result
-<div>Magic div</div>
+<div style="/* insecure input */">Magic div</div>
!! end
!! input
<div style="<nowiki>border-left:expression(alert(document.cookie))</nowiki>"></div>
!! result
-<div></div>
+<div style="/* insecure input */"></div>
!! end
!! input
<div style="background-image:u\rl(javascript:alert('boo'))">evil</div>
!! result
-<div>evil</div>
+<div style="/* insecure input */">evil</div>
!! end
!! input
<div style="background-image:u\72l(javascript:alert('boo'))">evil</div>
!! result
-<div>evil</div>
+<div style="/* insecure input */">evil</div>
!! end
!! result
<table>
<tr>
-<th> status
+<th style="/* insecure input */"> status
</th></tr></table>
!! end
!! input
<div style="background-image: u\ rl(test.jpg);"></div>
!! result
-<div></div>
+<div style="/* insecure input */"></div>
!! end
!! input
<div style="background-image: u\ rl(test.jpg); "></div>
!! result
-<div></div>
+<div style="/* insecure input */"></div>
!! end
scripts.mit.edu / autoinstallsdev / mediawiki.git / blobdiff