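<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>XSS Test</title>
  <!-- NOTE(review): a third-party script should carry integrity (SRI) + crossorigin;
       the digest of this exact file is not recorded here, so it is left for the author to add. -->
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
  <!-- Show that jQuery events still work normally.
       This handler is bound on jQuery's ready callback, which is registered before the
       listener in <body> below; it presumably only finds .red because jQuery defers
       ready until document.body exists again - verify against the jQuery build in use. -->
  <script>
    $(function () {
      $('.red').click(function () { alert('jQuery Event'); });
    });
  </script>
</head>
<body>
  <script>
    (function () {
      // Detach <body> while the parser is still filling it. A <script> that the
      // parser inserts into a disconnected subtree is not executed, so nothing
      // in the markup below runs before it has been cleaned.
      var parent = document.body.parentNode,
          body = parent.removeChild(document.body);

      // Strip every on* event-handler content attribute from one element.
      // Iterate backwards: `attributes` is a live NamedNodeMap, so removing
      // index jj while counting up shifts the next attribute into slot jj and
      // skips it (e.g. onclick followed by onmouseover kept the second one).
      function stripHandlerAttributes(element) {
        var attributes = element.attributes,
            jj;
        for (jj = attributes.length - 1; jj >= 0; jj -= 1) {
          if (attributes[jj].nodeName.substr(0, 2) === 'on') {
            element.removeAttribute(attributes[jj].nodeName);
          }
        }
      }

      // Remove every <script> under `root` in a single pass. getElementsByTagName
      // returns a live HTMLCollection, which is why a forward loop over it
      // "didn't always remove all of them": each removal shifted the rest down
      // one index. Snapshotting the collection first makes one pass sufficient.
      function removeScripts(root) {
        var scripts = Array.prototype.slice.call(root.getElementsByTagName('script')),
            ii;
        for (ii = 0; ii < scripts.length; ii += 1) {
          scripts[ii].parentNode.removeChild(scripts[ii]);
        }
      }

      // Caveats of this technique (kept as documentation, not addressed here):
      //  - only on* attributes and <script> elements are removed; URL-valued
      //    attributes and embedded content elements are out of its scope;
      //  - an <img> created by the parser is fetched even while detached, so
      //    an onerror handler could presumably fire before DOMContentLoaded if
      //    the fetch fails quickly - TODO confirm; the test below passes on timing.
      document.addEventListener('DOMContentLoaded', function () {
        var elements = body.querySelectorAll('*'),
            ii;
        // The <body> element itself carries handlers too (onload etc.), so clean
        // it as well as its descendants.
        stripHandlerAttributes(body);
        for (ii = 0; ii < elements.length; ii += 1) {
          stripHandlerAttributes(elements[ii]);
        }
        removeScripts(body);
        // Reinsert the body into the document after it's been cleaned
        parent.appendChild(body);
      }, false);
    }());
  </script>
  <div class="red" onclick="alert('Failed! onclick was executed.')">hello world</div>
  <img src="http://example.com/failure.png" alt="" onerror="alert('Failed! onerror was executed.');">
  <script>
    alert('Failed! Script tag was executed.');
  </script>
</body>
</html>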