Merge pull request #205 from flavorjones/flavorjones-test-unicode-enc…

…oded-exploit

test: actually test against a working unicode-encoded exploit

test/assets/testdata_sanitizer_tests1.dat

@@ -34,11 +34,33 @@
   },
 
   {
+    /* original */
     "name": "div_background_image_unicode_encoded",
     "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
     "output": "<div>foo</div>"
   },
 
+  {
+    /* from https://owasp.org/www-community/xss-filter-evasion-cheatsheet */
+    "name": "div_background_image_unicode_encoded2",
+    "input": "<DIV STYLE=\"background-image:\u0075\u0072\u006C\u0028'\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
+    "output": "<div>foo</div>"
+  },
+
+  {
+    /* uh, fix what appear to be typos that have propagated over the years */
+    "name": "div_background_image_unicode_encoded3",
+    "input": "<DIV STYLE=\"background-image:\u0075\u0072\u006C\u0028'\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0027\u0058\u0053\u0053\u0027\u0029'\u0029\">foo</div>",
+    "output": "<div>foo</div>"
+  },
+
+  {
+    /* and finally a version that has a chance of actually demonstrating a javascript vulnerability */
+    "name": "div_background_image_unicode_encoded4",
+    "input": "<DIV STYLE=\"background-image:\u0075\u0072\u006C\u0028'\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029'\u0029\">foo</div>",
+    "output": "<div>foo</div>"
+  },
+
   {
     "name": "div_expression",
     "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",