test: use CSS hex-encoded strings to test sanitization

flavorjones / loofah

Ruby library for HTML/XML transformation and sanitization

MIT License

934 stars 137 forks source link

Closed flavorjones closed 3 years ago

flavorjones commented 3 years ago

This adds onto #205. The original reported exploit in 2006 used CSS hex encoding (e.g., "\0075" for "u"), which was ...

mistakenly put into a double-quoted Ruby string in the Instiki test suite in 2007,
then copied into html5lib-ruby's test suite,
then copied into html5lib-python's suite,
then finally copied into the html5lib shared suite,
which was imported into Loofah