# Passing a semicolon through the URL to this script is problematic: a raw ';'
# cuts the value off at that point (the input is truncated) and the %-encoded
# form is not decoded back into ';'. So rather than accepting header values
# from the query string, the X-XSS-Protection header variants below are
# hard-coded and selected by flag parameters (disable-protection,
# enable-full-block, enable-report, ...).
10 if ($cgi->param('disable-protection')) {
11 print "X-XSS-Protection: 0\n";
13 if ($cgi->param('enable-full-block')) {
14 print "X-XSS-Protection: 1; mode=block\n";
16 if ($cgi->param('enable-report')) {
# The 'test' parameter is spliced into the report= URL of a response header
# without any escaping; a value containing CR/LF would end the header early.
# Tolerable only because this is a test fixture whose URLs are presumably
# built by the test itself -- not a pattern to copy into real code.
print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report.php?test=" . $cgi->param('test') . "\n";
19 if ($cgi->param('enable-full-block-report')) {
20 print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report.php?test=" . $cgi->param('test') . "\n";
23 if ($cgi->param('valid-header')) {
24 if ($cgi->param('valid-header') == 1) {
25 print "X-XSS-Protection: 1 ;MoDe = bLocK \n";
27 if ($cgi->param('valid-header') == 2) {
28 print "X-XSS-Protection: 1; \n";
30 if ($cgi->param('valid-header') == 3) {
31 print "X-XSS-Protection: 1; mode=block; \n";
33 if ($cgi->param('valid-header') == 4) {
34 print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/nonesuch.php; mode=block; \n";
38 if ($cgi->param('malformed-header')) {
39 if ($cgi->param('malformed-header') == 1) {
40 print "X-XSS-Protection: 12345678901234567\n";
42 if ($cgi->param('malformed-header') == 2) {
43 print "X-XSS-Protection: red\n";
45 if ($cgi->param('malformed-header') == 3) {
46 print "X-XSS-Protection: 1; mode=purple\n";
48 if ($cgi->param('malformed-header') == 4) {
49 print "X-XSS-Protection: 1; mode=block-a-block-block\n";
51 if ($cgi->param('malformed-header') == 5) {
52 print "X-XSS-Protection: 1; mode=block; report\n";
54 if ($cgi->param('malformed-header') == 6) {
55 print "X-XSS-Protection: 1; report= ;\n";
57 if ($cgi->param('malformed-header') == 7) {
58 print "X-XSS-Protection: 1; red\n";
60 if ($cgi->param('malformed-header') == 8) {
61 print "X-XSS-Protection: 1; mode=block; report=/fail; mode=block;\n";
63 if ($cgi->param('malformed-header') == 9) {
64 print "X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;\n";
68 if ($cgi->param('csp') eq '_empty_') {
69 print "Content-Security-Policy: reflected-xss\n";
70 } elsif ($cgi->param('csp')) {
# The 'csp' parameter becomes the remainder of the Content-Security-Policy
# header verbatim ("reflected-xss <value>"), unescaped. As with the report
# URL above, the caller is trusted because this is a test fixture; the
# enclosing if/elsif closes outside this excerpt.
print "Content-Security-Policy: reflected-xss " . $cgi->param('csp') . "\n";
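# Emit the Content-Type header. The charset is taken from the 'charset' query
# parameter when one is supplied, otherwise UTF-8. Because the value lands
# inside a response header, CR and LF are stripped first so a crafted
# parameter cannot terminate the header and inject additional ones; legitimate
# charset names never contain those characters, so the tests are unaffected.
# No newline is printed here, matching the original statement.
my $charset = $cgi->param('charset') ? $cgi->param('charset') : "UTF-8";
$charset =~ s/[\r\n]//g;
print "Content-Type: text/html; charset=";
print $charset;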
78 print "<!DOCTYPE html>\n";
80 if ($cgi->param('wait-for-load')) {
82 print "onload = function() {\n";
83 print " window.parent.postMessage('loaded', '*');\n";
87 if ($cgi->param('inHead')) {
92 if ($cgi->param('replaceState')) {
93 print "<script>history.replaceState({}, '', '#must-not-appear');</script>\n";
# Reflect the 'q' parameter into the document body. This is the reflected-XSS
# sink the tests exercise: no escaping is applied on purpose, so the browser
# behaviour configured by the X-XSS-Protection headers above has something to
# act on. Never reuse this outside the test harness.
my $reflection = $cgi->param('q');
# $pattern is presumably defined earlier in the file; it is not in this excerpt.
my $replacement = "?";
$reflection =~ s/$pattern/$replacement/g; # pretend server translates high character 0xfe into literal "?".
print $reflection; # XSS reflected here.
100 if ($cgi->param('script-expression-follows')) {
101 print "\n <script>42;</script>\n";
103 if ($cgi->param('clutter')) {
104 print $cgi->param('clutter');
106 if ($cgi->param('q2')) {
107 print $cgi->param('q2');
109 if ($cgi->param('showAction')) {
111 print " alert('Form action set to ' + document.forms[0].action);\n";
114 if ($cgi->param('showFormaction')) {
116 print " var e = document.querySelector('[formaction]');\n";
118 print " alert('formaction present on ' + e.nodeName + ' with value of ' + e.getAttribute('formaction'));\n";
121 if ($cgi->param('dumpElementBySelector')) {
122 print "<pre id='console'></pre>\n";
# The selector is interpolated straight into a single-quoted JS string literal
# in both lines; a "'" in the parameter would end the literal and the rest
# would run as script. Intentional for this XSS fixture, but not a pattern to
# reuse. The surrounding <script> element and conditional are not shown here.
print " var e = document.querySelector('" . $cgi->param('dumpElementBySelector') . "');\n";
print " var log = '" . $cgi->param('dumpElementBySelector') . " => ' + e.nodeName + '\\n';\n";
127 print " for (var i = 0; i < e.attributes.length; i++) {\n";
128 print " log += '* ' + e.attributes[i].name + ': ' + e.attributes[i].value + '\\n';\n";
130 print " document.getElementById('console').innerText = log;\n";
132 print " alert('No element matched the given selector.');\n";
135 if ($cgi->param('notifyDone')) {
137 print "if (window.testRunner)\n";
138 print " testRunner.notifyDone();\n";
141 if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report')) {
142 print "<p>If you see this message then the test FAILED.</p>\n";
144 if ($cgi->param('alert-cookie')) {
145 print "<script>if (/xssAuditorTestCookie/.test(document.cookie)) { alert('FAIL: ' + document.cookie); document.cookie = 'xssAuditorTestCookie=remove; max-age=-1'; } else alert('PASS');</script>\n";
147 if ($cgi->param('echo-report')) {
148 print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-report.js></script>\n";
150 print "Page rendered here.\n";
151 if ($cgi->param('inHead')) {