
Security check

Maximilian Krug edited this page Jun 28, 2024 · 2 revisions

This page is dedicated to the request from our IP regarding the security of the (ix-)input fields. The issue is that the input fields might render HTML, JS and CSS code.

Therefore, ALL newly created input fields must be checked against the following list of code snippets.

List of already checked input fields

Login Page: Username and Password
Create Case: Title and Description
Case Details: Title and Description

List of twenty test snippets

Tests if a simple tag is rendered:

<b>Bold Text</b>

Tests self-closing tags:

<img src="x" onerror="alert('XSS')">

Tests for nested HTML tags:

<div><p>Nested Paragraph</p></div>

Tests inline CSS:

<p style="color: red;">Red Text</p>

Tests for multiple inline CSS:

<div style="background-color: yellow; border: 1px solid black;">Styled Div</div>

Tests for CSS within a <style> tag:

<style>body { background-color: pink; }</style>

Tests for JavaScript alerts:

<script>alert('Hello');</script>

Tests JavaScript execution within HTML:

<img src="x" onerror="alert('Error')">

Tests an inline event handler:

<button onclick="alert('Clicked!')">Click Me</button>

Tests HTML, CSS, and JavaScript combined:

<div style="color: blue;" onclick="alert('Div Clicked')">Clickable Div</div>

Tests if JavaScript changes CSS styles:

<script>document.body.style.background = 'green';</script>

Tests multiple script tags:

<script>alert('First');</script><script>alert('Second');</script>

Tests if external scripts are loaded:

<script src="https://example.com/exploit.js"></script>

Tests nested HTML with JavaScript:

<div><img src="x" onerror="alert('Nested Error')"></div>

Tests for empty script tags:

<script></script>

Tests unclosed tags:

<div><p>Unclosed Div

Tests if JavaScript inside CSS is executed:

<style>body {background: url('x' onerror='alert(1)');}</style>

Tests if HTML entities are decoded and executed:

&lt;script&gt;alert('Entity')&lt;/script&gt;

Checks if JavaScript can manipulate the DOM:

<script>document.body.innerHTML += '<p>Injected Paragraph</p>';</script>

Tests if JavaScript loops are executed:

<script>for(let i=0; i<5; i++) { alert('Loop ' + i); }</script>
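Added example (not code from this wiki or from the ix component library): an HTML escaper plus a small harness that runs the twenty snippets above through three rendering sinks and reports which snippets would still reach innerHTML as markup. The `decodeEntities` sink is a hypothetical, constructed model of a component that unescapes stored text before rendering it; the entity snippet (number 18) is the one that catches exactly that mistake.

```javascript
// Characters the HTML parser gives meaning to, and their entity forms.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
// Correct sink: escape once, immediately before the string reaches innerHTML.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Single-pass decoder. Used as a sink, it models a hypothetical component that
// "unescapes" stored text before rendering it, the bug the entity snippet catches.
function decodeEntities(input) {
  return String(input).replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => DECODES[name]);
}

// True when the string handed to innerHTML still contains a tag opener.
function survivesAsMarkup(html) {
  return /<\s*[a-z!\/]/i.test(html);
}

// Returns the snippets that a given sink lets through as markup.
function failingPayloads(sink, payloads) {
  return payloads.filter((p) => survivesAsMarkup(sink(p)));
}

// The twenty snippets listed on this page, in order.
const PAYLOADS = [
  `<b>Bold Text</b>`, `<img src="x" onerror="alert('XSS')">`,
  `<div><p>Nested Paragraph</p></div>`, `<p style="color: red;">Red Text</p>`,
  `<div style="background-color: yellow; border: 1px solid black;">Styled Div</div>`,
  `<style>body { background-color: pink; }</style>`, `<script>alert('Hello');</script>`,
  `<img src="x" onerror="alert('Error')">`, `<button onclick="alert('Clicked!')">Click Me</button>`,
  `<div style="color: blue;" onclick="alert('Div Clicked')">Clickable Div</div>`,
  `<script>document.body.style.background = 'green';</script>`,
  `<script>alert('First');</script><script>alert('Second');</script>`,
  `<script src="https://example.com/exploit.js"></script>`,
  `<div><img src="x" onerror="alert('Nested Error')"></div>`, `<script></script>`,
  `<div><p>Unclosed Div`, `<style>body {background: url('x' onerror='alert(1)');}</style>`,
  `&lt;script&gt;alert('Entity')&lt;/script&gt;`,
  `<script>document.body.innerHTML += '<p>Injected Paragraph</p>';</script>`,
  `<script>for(let i=0; i<5; i++) { alert('Loop ' + i); }</script>`,
];

// Escaping lets none through; a raw field lets 19 through (the entity snippet is
// harmless when inserted once); a sink that decodes first lets all 20 through.
console.log(failingPayloads(escapeHtml, PAYLOADS).length, failingPayloads((s) => s, PAYLOADS).length,
  failingPayloads(decodeEntities, PAYLOADS).length); // → 0 19 20
```

In a real component test, replace `survivesAsMarkup` with a check that the rendered element has no child elements after the value is set, which is the browser-side equivalent of this string check.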