4 releases (breaking)
Uses old Rust 2015
0.4.0 | Apr 15, 2018 |
---|---|
0.3.0 | Apr 15, 2018 |
0.2.0 | Apr 15, 2018 |
0.1.0 | Apr 15, 2018 |
#59 in #injection
6KB
A variety of tests for malicious code injection.
Everything here is safe to click (brson). Anyl local paths work on Win 10.
javascript links
Case matters:
local links
inline html and scripts
an inline html that invokes a script:
<script type="text/javascript"> function clickme() { alert(1); } </script> click mean inline script:
<script type="text/javascript"> document.write("if you are seeing this it was injected via javascript"); </script>inline html with script onclick: click me
funky images
js image:
local file:
local text file:
regular non-local image:
non-local html served as image:
non-local html served as gif (I actually can't trick GitHub inter serving this as non-html ContentType)
non-local html served as gif (I actually can't trick GitHub inter serving this as non-html ContentType)
(I can't actually find a service that will serve a .jpg-named html as mimetype text/html - and the browser mime sniffer would probably figure it out anyway)