All, See the attached. At some point, I'd like to get these worked into our test suite (once they've been converted over to Atom). We currently have element and text filtering capabilities and it would be cool if we had a default implementation that addressed these issues.
I'm posting it here just as an FYI and mostly as a reminder to myself, but if others want to jump in, feel free :-)

- James

-------- Original Message --------
From: James Holderness <[EMAIL PROTECTED]>
To: James M Snell <[EMAIL PROTECTED]>
Subject: javascript test feed
Date: Sun, 6 Aug 2006 03:11:59 +0100

Hi James

You're welcome to add anything you find useful to Abdera's test suite. Included below is my stock reply with information about the tests.

Regards
James

First I should stress that these tests aren't particularly thorough. They're mostly targeted at IE, since they were originally designed for testing our desktop client, which uses IE as a renderer. Also, there's a lot of stuff I didn't bother testing because I was fairly sure it wouldn't affect our code. I probably will add more when I get the time, but that may be never.

For now, the feed with the full set of tests can be found here:

http://216.93.169.119/tests/rss/security/everything.rss

However, if you need to test in smaller groups you can use a URL like this (say you just want tests 10 to 20):

http://216.93.169.119/tests/rss/security/10_20.rss

For an individual test, you can use something like this:

http://216.93.169.119/tests/rss/security/15.rss

There are currently 85 tests in total, and each one tries to pop up an alert window saying "Security Test #x", where x is the test number (makes it easy to tell exactly which tests are failing). One of the tests (currently #12) is testing onmouseover, so it won't trigger automatically.

You should be warned that some aggregators will go into an infinite loop on certain tests, popping up the alert over and over again and making it very difficult to shut down the aggregator and/or unsubscribe from the feed. The tests most likely to cause that problem are in the range 77 to 81. Test number 8 has also made the feed fail completely in some aggregators, so if that happens you should try testing 1 to 7 and 9 to 85 separately.

A lot of the tests are just variations of the same basic attack, so more often than not you'll find aggregators failing them in sets, but I prefer to leave in as many variations as possible just to be safe.

The feed automatically regenerates every couple of days with a new set of dates (makes it easier for me to test aggregators that only show recent items), so don't be surprised if you subscribe to it and suddenly find everything showing up as new again.

If you're testing online aggregators, IE6 is the best browser to use, since it tends to show up more errors than Firefox and IE7. Actually, the same goes for desktop clients that use IE as a renderer: test with IE6 where possible. I haven't done much testing with other browsers.

I think that's basically all you need to know. Feel free to email if you have any questions.
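The "default implementation" the first message asks for, as an added example, is an allow-list sanitizer for feed item content: it keeps a small set of markup, drops every `on*` event handler (the onmouseover test), drops `script`/`object`/`iframe` and their contents, and rejects `href`/`src` values whose scheme is not allow-listed, after stripping the whitespace and control characters and decoding the entities that IE-era renderers tolerated inside a scheme. This is example code written for this page, not Abdera's filtering API and not the test feed itself; it is in Python rather than Abdera's Java purely to show the filtering logic in a runnable form. The `CONSTRUCTED_ITEMS` are made-up items in the style the e-mail describes (an alert saying "Security Test #x", an onmouseover handler), not the actual 85 tests, and the tag and attribute allow-lists are illustrative choices.

```python
"""Allow-list HTML sanitizer for feed item content (added example, not Abdera code)."""
import re
from html import escape
from html.parser import HTMLParser

# Illustrative allow-lists; a real aggregator would tune these to its renderer.
ALLOWED_TAGS = {"a", "b", "blockquote", "br", "code", "em", "i", "img",
                "li", "ol", "p", "pre", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is dropped along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
VOID_TAGS = {"br", "img"}


def url_is_safe(value):
    """Accept relative URLs or URLs whose scheme is allow-listed.

    Whitespace and control characters are removed before the scheme is read,
    because old IE renderers still executed "java\\tscript:".  HTMLParser has
    already decoded character references, so "&#106;avascript:" arrives as
    "javascript:" and is rejected like any other disallowed scheme.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    if ":" not in cleaned:
        return True                      # relative URL: no scheme to abuse
    scheme = cleaned.split(":", 1)[0].lower()
    return scheme in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0     # >0 while inside a DROP_WITH_CONTENT element
        self.open_tags = []     # allow-listed elements still awaiting a close tag

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag removed, its text kept
        kept = []
        for name, value in attrs:
            # Event handlers and anything not allow-listed for this tag go.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close anything left open inside it, then the tag itself.
            while True:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments dropped (IE conditional comments)


def sanitize(html):
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()
    # Balance whatever the item left unclosed so it cannot swallow the
    # rest of the page it is rendered into.
    for tag in reversed(parser.open_tags):
        parser.out.append("</%s>" % tag)
    return "".join(parser.out)


# Constructed items in the style of the feed's tests (not the real ones).
CONSTRUCTED_ITEMS = {
    "script element": '<p>Hello <script>alert("Security Test #1")</script>world</p>',
    "onmouseover":    '<b onmouseover="alert(\'Security Test #12\')">hover me</b>',
    "entity scheme":  '<a href="&#106;avascript:alert(1)">link</a>',
    "tab in scheme":  '<img src="java\tscript:alert(1)" alt="x">',
    "benign link":    '<a href="http://example.com/" title="t">ok</a>',
    "unclosed tags":  '<p>unclosed <i>text',
}

if __name__ == "__main__":
    for name, item in CONSTRUCTED_ITEMS.items():
        print("%-14s %s" % (name, sanitize(item)))
```

Running the module sanitizes each constructed item and prints the result; the script element, the handler attribute and both obfuscated `javascript:` URLs disappear while the text and the benign link survive. The allow-list approach matters for the "variations of the same basic attack" point in the e-mail: a deny-list has to anticipate every spelling of `javascript:` and every event attribute, whereas an allow-list fails closed on anything it was not told to keep.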
