| Parsing test.cs |
| |
| Start of File |
| |
| |
| Blah == wow |
| |
| |
| |
| |
| |
| |
| wow (true) |
| |
| |
| |
| This is True |
| |
| |
| |
| |
| |
| wow |
| |
| |
| |
| I'm in test2.cs |
| |
| |
| wow2 |
| |
| |
| I'm in test2.cs |
| |
| |
| wow2 |
| |
| |
| escape: not used |
| UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? |
| BlahJs: quote ' backslash \ semicolon ; end tag </script> |
| Title: </title><script>alert(1)</script> |
| |
| |
| escape: none |
| UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? |
| BlahJs: quote ' backslash \ semicolon ; end tag </script> |
| Title: </title><script>alert(1)</script> |
| |
| |
| |
| escape: html |
| UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? |
| BlahJs: quote ' backslash \ semicolon ; end tag </script> |
| Title: </title><script>alert(1)</script> |
| |
| |
| |
| escape: js |
| UrlArg: Secret Password~!@#$%^\x26*()+=-_|\x5C[]{}:\x22\x3B\x27\x3C\x3E,.? |
| BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| Title: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3E |
| |
| |
| |
| escape: url |
| UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F |
| BlahJs: quote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| Title: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E |
| |
| |
| |
| Nested escaping: html |
| The internal calls should take precedence |
| url -> UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F |
| js -> BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| html -> Title: </title><script>alert(1)</script> |
| |
| |
| Defining the macro echo_all inside of a "html" escape. |
| |
| |
| Calling echo_all() macro: |
| |
| not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| |
| |
| |
| Calling echo_all() macro from within "html": |
| |
| not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| |
| |
| |
| |
| Calling echo_all() macro from within "js": |
| |
| not used: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| |
| |
| |
| |
| Calling echo_all() macro from within "url": |
| |
| not used: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E |
| js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E |
| html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> |
| |
| |
| |
| |
| not used: </title><script>alert(1)</script> |
| none: </title><script>alert(1)</script> |
| url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E |
| js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3E |
| html: </title><script>alert(1)</script> |
| |
| |
| |
| x = zero |
| x.num = #0 |
| |
| |
| This is True. |
| |
| wow |
| |
| x = one |
| x.num = |
| |
| |
| This is True. |
| |
| wow |
| |
| x = two |
| x.num = #2 |
| |
| |
| This is True. |
| |
| wow |
| |
| x = three |
| x.num = |
| |
| |
| This is True. |
| |
| wow |
| |
| |
| |
| |
| This is False. |
| |
| |
| |
| Outside 0 |
| |
| Inside = 0 |
| |
| Inside = 1 |
| |
| |
| Outside 1 |
| |
| Inside = 2 |
| |
| Inside = 3 |
| |
| |
| Outside 2 |
| |
| Inside = 2 |
| |
| Inside = 3 |
| |
| |
| Outside 3 |
| |
| |
| |
| |
| TestIf == 0 |
| |
| |
| |
| Correct, "1" == "1" |
| |
| |
| |
| |
| between comments |
| |
| |
| |
| More? |