NeatHtml Test

Support tables when scripting disabled Simulate browser with scripting disabled Disable NeatHtml to see tests fail

Think you can break it? Fill out the form below and click the submit button. This page automatically runs some or all of the following tests:

The "Markup invasion blocked" test fails if your untrusted content is able to affect the DOM in a way that changes the nextSibling of the DIV in which NeatHtml displays the filtered content.
The "XSS blocked" test fails if your content calls window.alert() or window.resizeTo(). I'm obviously interested in stopping any XSS, but if you want to see the test fail you should try to get untrusted content to call one of those functions. This test is not run if you check the "Simulate browser with scripting disabled" checkbox.
The "ID spoofing blocked" test fails if your content can cause document.getElementById() to return the wrong element for an ID of "trustedLinkBefore" or "trustedLinkAfter". There are links with those IDs before and after the DIV that displays the untrusted content. They are hidden (display:none) just to reduce clutter on the page. This test is not run if you check the "Simulate browser with scripting disabled" checkbox.
The "Filtered content is correct" test will check the filtered content against a value that you specify. This test is only run when the "Compare filtered content against expected value" checkbox is checked. Note: The test content and expected result are initialized to whatever test you last ran. If you modify the test content, you either need to modify the expected result or uncheck the "Compare filtered content against expected value" checkbox.

If you check the "Simulate browser with scripting disabled" checkbox, the test page intercepts and ignores all calls to NeatHtml's JavaScript functions so that the filtered content displayed is what a no-script user would see. Checking that box also causes all calls to window.alert() and window.resizeTo() to be ignored since XSS attacks would not run for no-script users.

Please email me (dean at brettle dot com) if you can make a test fail. I'm also interested in any other failure mode you find. Thanks!

Test Untrusted Content

<div style="margin-top: -50px; height: 50px; background-color: red;">Let me out with a negative margin-top!</div>
			<p>Here is a table with lots of XSS attacks and tag soup markup:</p>
			<table border="1">
				<tr>
					<th>Script attacks
					<td>script element<br/>
						<script>
						window.alert('XSS from script element');
						</script>
						script elem in CDATA<br/>
						<![CDATA[
						<script>
						window.alert('XSS from script element in CDATA section');
						</script>
						]]>						
					<td>
						<a onclick=window.alert('XSS_on_click') href='http://www.google.com/'>on* attr</a><br />
						<a href=javascript:alert('XSS_on_link')>javascript href</a><br />
					<td id='styleXss' style='nonstandard-attribute1: expression(alert(&quot;XSS from style&quot;)); nonstandard-attribute2: expr/**/ession(alert(&quot;XSS from style with comment&quot;)); nonstandard-attribute3: expres\000073ion(alert(&quot;XSS from style with escape&quot;)); background-color: rgb(192,255,192);'>
						green despite script in style
					<td>
						<a id='trustedLinkBefore' href='http://www.google.com/'>spoof existing ID</a><br />
						<a id='trustedLinkAfter' href='http://www.Vicerex.com/'>spoof future ID</a><br />
				<tr>
					<th>CSRF attacks
					<td>trusted image:<br/>
						<img src="tests/trusted/test.png" />
					<td>untrusted images:<br/>
						<img src="tests/untrusted/test.png" />
						<img src="tests/untrusted/test.png" lowsrc="tests/untrusted/test.png" />
					<td>SRC attr in &lt;script&gt;:<br/>
						<script type="text/javascript" src="tests/untrusted/test.js"></script>
					<td>SRC attr in &lt;iframe&gt;:<br/>
						<iframe src="tests/untrusted/test.html"></iframe>
				<tr>
					<th>Tag soup
					<td><ul><li>no &lt;/li> 1/2<li>no &lt;/li> 2/2</ul>
					<td>unmatched &lt;/em> </em>
					<td><B>varying</B> <i>case</I> <U>tags</u>
					<td><p>line<br>break with &lt;br&gt;
				<tr>
					<th>Special characters and attributes
					<td><a implicit_attr href=http://www.google.com/search?hl=en&q=neathtml&btnG=Search>unquoted and unencoded link</a>
					<td><font face='&#9;&#0;'>non-printable</font> and <font face='&#xdead;'>non-ascii</font> attr values
					<td>A B C with entities: &#65;&nbsp;&#x42;&nbsp;&#X43;
					<td>Unencoded <, and &
			</table>
			<br/>
			<table background="http://www.brettle.com/Data/Sites/1/logos/deanatwork_sidesmall.jpg" border="1" style="border-spacing: 0;">
				<tr>
					<td style="counter-increment: trusted-num;">Increment a CSS counter.  For result, see just under the
						untrusted content box.
					</td>
					<td id="innerTableContainer">
						Nested table:
						<table id="innerTable" border="1">
							<tr>
								<td style="background-image: url(http://www.brettle.com/Data/Sites/1/logos/deanatwork_sidesmall.jpg)">style="background-image: url(...)"</td>
								<td style="background-color: rgb(0,255,0);">style="background-color: rgb(...);"</td>
							</tr>
						</table>
					</td>
					<td>
						Try to break out of the layout jail
						<div style="position: absolute; top: 0; right: 0; color: red;">Let me out!</div>
						<div style="position: absolute; top: -100px; right: 0; color: red;">Let me out with a negative top property!</div>
					</td>
				</tr>
			</table>

Try to break out of the markup jail...
			</table>
            </div>
            </div>
            </div>
			"Help! Let me out of this box!"
			Try to pull trusted content into the box...
			<iframe><object><script>

Compare filtered content against expected value

Expected Filtered Untrusted Content

NeatHtml™ is displaying untrusted content in the box below ( view filtered HTML source hide filtered HTML source ):

Let me out with a negative margin-top!

Here is a table with lots of XSS attacks and tag soup markup:

Script attacks	script element script elem in CDATA <script> window.alert('XSS from script element in CDATA section'); </script>	on* attr javascript href	green despite script in style	spoof existing ID spoof future ID
CSRF attacks	trusted image:	untrusted images:	SRC attr in <script>:	SRC attr in <iframe>:
Tag soup	no </li> 1/2 no </li> 2/2	unmatched </em>	varying case tags	line break with <br>
Special characters and attributes	unquoted and unencoded link	non-printable and non-ascii attr values	A B C with entities: A B C	Unencoded <, and &

Increment a CSS counter. For result, see just under the untrusted content box.

Nested table:

style="background-image: url(...)"

style="background-color: rgb(...);"

Try to break out of the layout jail

Let me out!

Let me out with a negative top property!

Try to break out of the markup jail...

"Help! Let me out of this box!" Try to pull trusted content into the box...

If the browser supports the CSS :after pseudo-element and the counter() function, then "#2" should appear to the right -->