{"id":15499632,"url":"https://github.com/mitar/html-sanitizer-testbed","last_synced_at":"2026-01-21T11:33:14.466Z","repository":{"id":140632509,"uuid":"45705066","full_name":"mitar/html-sanitizer-testbed","owner":"mitar","description":"Automatically exported from code.google.com/p/html-sanitizer-testbed","archived":false,"fork":false,"pushed_at":"2015-11-06T20:18:01.000Z","size":0,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T20:50:31.817Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitar.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-06T20:15:28.000Z","updated_at":"2015-11-06T20:16:11.000Z","dependencies_parsed_at":"2023-03-23T15:36:49.481Z","dependency_job_id":null,"html_url":"https://github.com/mitar/html-sanitizer-testbed","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mitar/html-sanitizer-testbed","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitar%2Fhtml-sanitizer-testbed","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitar%2Fhtml-sanitizer-testbed/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitar%2Fhtml-sanitizer-testbed/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitar%2Fhtml-sanitizer-testbed/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitar","download_url":"https://codeload.github.com/mitar/html-sanitizer
-testbed/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitar%2Fhtml-sanitizer-testbed/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28632771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T04:47:28.174Z","status":"ssl_error","status_checked_at":"2026-01-21T04:47:22.943Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-02T08:54:13.059Z","updated_at":"2026-01-21T11:33:14.451Z","avatar_url":"https://github.com/mitar.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"This is a testbed for testing the security of HTML\nsanitization programs.\n\nAn HTML sanitization program is one that takes an HTML document\nand tries to remove all active content (e.g., all Javascript,\nFlash, Java, etc.) as well as filtering out all other potentially\nharmful stuff.\n\nThis testbed contains a bunch of test cases, as well as some\nJavascript that runs in your browser to try to autodetect whether\nany of those test cases managed to fool the HTML sanitizer.  A\ntestcase is listed as failing if it looks like that testcase\nmay have uncovered a security breach in the HTML sanitizer.\n\nTo use this testsuite:\n
1. For each file matching testcases/t*.html, run your HTML\nsanitizer on that file (replacing the original file with your\nsanitized version).\n2. Start up Firefox.\n3. Install Firebug.\n4. Enable Firebug's console and script debugger (for the site\nyou'll load the file from, in step 5).\n5. Load testbed.html in your browser -- e.g., using file://path/to/testbed.html.\nFirefox should pause for a long time (around 45-60 seconds), then\nproduce a ton of output on the Firebug console window.\n6. Did any alert boxes pop up?  If so, there's definitely a hole\nin your HTML sanitizer -- script got executed.\n7. Look through the copious output on the Firebug console window.\nDid any tests fail?  If so, that means my scripts found\nsomething suspicious, which indicates that something bad *might* have\ngotten through the HTML filter -- but you'll have to examine the\nHTML sanitizer's output manually to check.  Examine the output\non the Firebug console window for clues about what looked suspicious,\nand examine the HTML document produced by the HTML sanitizer, and\ntry to understand whether this is dangerous or not.  (If necessary,\nyou could load that document in a few different browsers to see\nif any of them exhibit dangerous behavior.)  You may experience some\nfalse positives -- my testing scripts are biased towards producing\n\"fail\"s if in doubt.\n\n\nThis was tested with Firefox 3.6.23 and Firebug 1.7.3.\nI haven't tested it with any other browser; I make no claims about\nportability -- it might work with other browsers, but it might not.\n\nIt's possible this might work without Firebug (I didn't test it),\nbut you'll get less detailed output about failing tests and other\ndebugging information, so I highly recommend installing Firebug.\n\nThis suite comes with no support.
If it works for you, great!\nIf it doesn't, you're on your own.\n\n\nTODO: Add the unit tests here: http://feedparser.org/tests/wellformed/sanitize/\nhttp://xssdb.net/\nand some stuff mentioned here:\nhttp://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/\nhttp://html5sec.org/\nhttp://blog.kotowicz.net/2012/04/fun-with-data-urls.html\nhttp://i8jesus.com/?p=48\n\nCredits:\nhttp://chxo.com/scripts/safe_html/tests.php\nhttp://ha.ckers.org/xss.html\nhttp://applesoup.googlepages.com/bypass_filter.txt\nand many other web sites that I forgot to make a note of\n\n-- David Wagner http://www.cs.berkeley.edu/~daw/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitar%2Fhtml-sanitizer-testbed","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitar%2Fhtml-sanitizer-testbed","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitar%2Fhtml-sanitizer-testbed/lists"}
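Step 1 of the README ("run your HTML sanitizer on each testcases/t*.html, replacing the original with the sanitized version") is the only step that is scriptable, and it is where practitioners most often trip up: the originals get overwritten with nothing to diff against, and a sanitizer that silently did nothing to a test case goes unnoticed. The POSIX shell script below is an added example written for this page; it is not part of the html-sanitizer-testbed repository and makes no claim about how testbed.html enumerates the files. It assumes your sanitizer is a command that reads HTML on stdin and writes HTML on stdout (adapt the `"$@"` invocation otherwise). The `naive_strip_scripts` function and the three sample files are constructed stand-ins: the "sanitizer" only deletes `<script>` elements and is exactly the kind of filter this testbed exists to break, which the demo makes visible by reporting the two files it left untouched.

```shell
#!/bin/sh
# Added example, not code from the html-sanitizer-testbed repository.
# Implements README step 1 while keeping the originals in DIR.orig/ so the
# sanitized output can be diffed against its input later (step 7).
#
# sanitize_testcases DIR SANITIZER [ARGS...]
#   For every DIR/t*.html: copy it to DIR.orig/, run SANITIZER with the
#   original on stdin, and replace the file with the sanitizer's stdout
#   only if the sanitizer exited 0. Prints "changed"/"UNCHANGED" per file
#   and leaves the number of byte-for-byte untouched files in
#   UNCHANGED_COUNT. Every test case is built to carry active content, so
#   a file the sanitizer did not change at all deserves a manual look.
#   Run it on a fresh checkout: re-running overwrites the backups.
sanitize_testcases() {
  dir=$1; shift
  bak="$dir.orig"
  mkdir -p "$bak"
  unchanged=0
  for f in "$dir"/t*.html; do
    [ -e "$f" ] || continue            # no matches: the glob stays literal
    orig="$bak/$(basename "$f")"
    cp -p "$f" "$orig"
    if "$@" < "$orig" > "$f.tmp"; then
      mv "$f.tmp" "$f"
    else
      rm -f "$f.tmp"
      echo "ERROR     $f (sanitizer exited non-zero, file left as is)" >&2
      continue
    fi
    if cmp -s "$orig" "$f"; then
      unchanged=$((unchanged + 1))
      echo "UNCHANGED $f"
    else
      echo "changed   $f"
    fi
  done
  UNCHANGED_COUNT=$unchanged
}

# Deliberately naive stand-in for "your HTML sanitizer" (assumption, not a
# real sanitizer): it removes <script> elements and nothing else, so event
# handlers and javascript: URLs sail through untouched.
naive_strip_scripts() {
  sed 's/<script[^>]*>.*<\/script>//g'
}

# Constructed sample test cases, labelled as such; the real testbed ships
# its own testcases/t*.html.
make_sample_testcases() {
  mkdir -p "$1"
  printf '<p>hi</p><script>alert(1)</script>\n' > "$1/t001.html"
  printf '<img src=x onerror="alert(2)">\n'     > "$1/t002.html"
  printf '<a href="javascript:alert(3)">x</a>\n' > "$1/t003.html"
}

# Usage: sanitize_testcases.sh DIR SANITIZER [ARGS...]   (real run)
#        sanitize_testcases.sh --demo                    (offline demo)
if [ $# -ge 2 ]; then
  sanitize_testcases "$@"
  echo "untouched testcases: $UNCHANGED_COUNT"
elif [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sample_testcases "$d"
  sanitize_testcases "$d" naive_strip_scripts
  echo "untouched testcases: $UNCHANGED_COUNT (originals kept in $d.orig)"
fi
```

After a real run, `diff -r testcases.orig testcases` shows exactly what the sanitizer removed from each test case, which is what step 7 of the README asks you to examine by hand when the Firebug console reports a failure.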