RubyGems - immunio - Versions diffs - 0.15.2 - Mend

immunio 0.15.2

Files changed (157) hide show

checksums.yaml +7 -0
data/LICENSE +234 -0
data/README.md +147 -0
data/bin/immunio +5 -0
data/lib/immunio.rb +29 -0
data/lib/immunio/agent.rb +260 -0
data/lib/immunio/authentication.rb +96 -0
data/lib/immunio/blocked_app.rb +38 -0
data/lib/immunio/channel.rb +432 -0
data/lib/immunio/cli.rb +39 -0
data/lib/immunio/context.rb +114 -0
data/lib/immunio/errors.rb +43 -0
data/lib/immunio/immunio_ca.crt +45 -0
data/lib/immunio/logger.rb +87 -0
data/lib/immunio/plugins/action_dispatch.rb +45 -0
data/lib/immunio/plugins/action_view.rb +431 -0
data/lib/immunio/plugins/active_record.rb +707 -0
data/lib/immunio/plugins/active_record_relation.rb +370 -0
data/lib/immunio/plugins/authlogic.rb +80 -0
data/lib/immunio/plugins/csrf.rb +24 -0
data/lib/immunio/plugins/devise.rb +40 -0
data/lib/immunio/plugins/environment_reporter.rb +69 -0
data/lib/immunio/plugins/eval.rb +51 -0
data/lib/immunio/plugins/exception_handler.rb +55 -0
data/lib/immunio/plugins/gems_tracker.rb +5 -0
data/lib/immunio/plugins/haml.rb +36 -0
data/lib/immunio/plugins/http_finisher.rb +50 -0
data/lib/immunio/plugins/http_tracker.rb +203 -0
data/lib/immunio/plugins/io.rb +96 -0
data/lib/immunio/plugins/redirect.rb +42 -0
data/lib/immunio/plugins/warden.rb +66 -0
data/lib/immunio/processor.rb +234 -0
data/lib/immunio/rails.rb +26 -0
data/lib/immunio/request.rb +139 -0
data/lib/immunio/rufus_lua_ext/ref.rb +27 -0
data/lib/immunio/rufus_lua_ext/state.rb +157 -0
data/lib/immunio/rufus_lua_ext/table.rb +137 -0
data/lib/immunio/rufus_lua_ext/utils.rb +13 -0
data/lib/immunio/version.rb +5 -0
data/lib/immunio/vm.rb +291 -0
data/lua-hooks/ext/all.c +78 -0
data/lua-hooks/ext/bitop/README +22 -0
data/lua-hooks/ext/bitop/bit.c +189 -0
data/lua-hooks/ext/extconf.rb +38 -0
data/lua-hooks/ext/libinjection/COPYING +37 -0
data/lua-hooks/ext/libinjection/libinjection.h +65 -0
data/lua-hooks/ext/libinjection/libinjection_html5.c +847 -0
data/lua-hooks/ext/libinjection/libinjection_html5.h +54 -0
data/lua-hooks/ext/libinjection/libinjection_sqli.c +2301 -0
data/lua-hooks/ext/libinjection/libinjection_sqli.h +295 -0
data/lua-hooks/ext/libinjection/libinjection_sqli_data.h +9349 -0
data/lua-hooks/ext/libinjection/libinjection_xss.c +531 -0
data/lua-hooks/ext/libinjection/libinjection_xss.h +21 -0
data/lua-hooks/ext/libinjection/lualib.c +109 -0
data/lua-hooks/ext/lpeg/HISTORY +90 -0
data/lua-hooks/ext/lpeg/lpcap.c +537 -0
data/lua-hooks/ext/lpeg/lpcap.h +43 -0
data/lua-hooks/ext/lpeg/lpcode.c +986 -0
data/lua-hooks/ext/lpeg/lpcode.h +34 -0
data/lua-hooks/ext/lpeg/lpeg-128.gif +0 -0
data/lua-hooks/ext/lpeg/lpeg.html +1429 -0
data/lua-hooks/ext/lpeg/lpprint.c +244 -0
data/lua-hooks/ext/lpeg/lpprint.h +35 -0
data/lua-hooks/ext/lpeg/lptree.c +1238 -0
data/lua-hooks/ext/lpeg/lptree.h +77 -0
data/lua-hooks/ext/lpeg/lptypes.h +149 -0
data/lua-hooks/ext/lpeg/lpvm.c +355 -0
data/lua-hooks/ext/lpeg/lpvm.h +58 -0
data/lua-hooks/ext/lpeg/makefile +55 -0
data/lua-hooks/ext/lpeg/re.html +498 -0
data/lua-hooks/ext/lpeg/test.lua +1409 -0
data/lua-hooks/ext/lua-cmsgpack/CMakeLists.txt +45 -0
data/lua-hooks/ext/lua-cmsgpack/README.md +115 -0
data/lua-hooks/ext/lua-cmsgpack/lua_cmsgpack.c +957 -0
data/lua-hooks/ext/lua-cmsgpack/test.lua +570 -0
data/lua-hooks/ext/lua-snapshot/LICENSE +7 -0
data/lua-hooks/ext/lua-snapshot/Makefile +12 -0
data/lua-hooks/ext/lua-snapshot/README.md +18 -0
data/lua-hooks/ext/lua-snapshot/dump.lua +15 -0
data/lua-hooks/ext/lua-snapshot/snapshot.c +455 -0
data/lua-hooks/ext/lua/COPYRIGHT +34 -0
data/lua-hooks/ext/lua/lapi.c +1087 -0
data/lua-hooks/ext/lua/lapi.h +16 -0
data/lua-hooks/ext/lua/lauxlib.c +652 -0
data/lua-hooks/ext/lua/lauxlib.h +174 -0
data/lua-hooks/ext/lua/lbaselib.c +659 -0
data/lua-hooks/ext/lua/lcode.c +831 -0
data/lua-hooks/ext/lua/lcode.h +76 -0
data/lua-hooks/ext/lua/ldblib.c +398 -0
data/lua-hooks/ext/lua/ldebug.c +638 -0
data/lua-hooks/ext/lua/ldebug.h +33 -0
data/lua-hooks/ext/lua/ldo.c +519 -0
data/lua-hooks/ext/lua/ldo.h +57 -0
data/lua-hooks/ext/lua/ldump.c +164 -0
data/lua-hooks/ext/lua/lfunc.c +174 -0
data/lua-hooks/ext/lua/lfunc.h +34 -0
data/lua-hooks/ext/lua/lgc.c +710 -0
data/lua-hooks/ext/lua/lgc.h +110 -0
data/lua-hooks/ext/lua/linit.c +38 -0
data/lua-hooks/ext/lua/liolib.c +556 -0
data/lua-hooks/ext/lua/llex.c +463 -0
data/lua-hooks/ext/lua/llex.h +81 -0
data/lua-hooks/ext/lua/llimits.h +128 -0
data/lua-hooks/ext/lua/lmathlib.c +263 -0
data/lua-hooks/ext/lua/lmem.c +86 -0
data/lua-hooks/ext/lua/lmem.h +49 -0
data/lua-hooks/ext/lua/loadlib.c +705 -0
data/lua-hooks/ext/lua/loadlib_rel.c +760 -0
data/lua-hooks/ext/lua/lobject.c +214 -0
data/lua-hooks/ext/lua/lobject.h +381 -0
data/lua-hooks/ext/lua/lopcodes.c +102 -0
data/lua-hooks/ext/lua/lopcodes.h +268 -0
data/lua-hooks/ext/lua/loslib.c +243 -0
data/lua-hooks/ext/lua/lparser.c +1339 -0
data/lua-hooks/ext/lua/lparser.h +82 -0
data/lua-hooks/ext/lua/lstate.c +214 -0
data/lua-hooks/ext/lua/lstate.h +169 -0
data/lua-hooks/ext/lua/lstring.c +111 -0
data/lua-hooks/ext/lua/lstring.h +31 -0
data/lua-hooks/ext/lua/lstrlib.c +871 -0
data/lua-hooks/ext/lua/ltable.c +588 -0
data/lua-hooks/ext/lua/ltable.h +40 -0
data/lua-hooks/ext/lua/ltablib.c +287 -0
data/lua-hooks/ext/lua/ltm.c +75 -0
data/lua-hooks/ext/lua/ltm.h +54 -0
data/lua-hooks/ext/lua/lua.c +392 -0
data/lua-hooks/ext/lua/lua.def +131 -0
data/lua-hooks/ext/lua/lua.h +388 -0
data/lua-hooks/ext/lua/lua.rc +28 -0
data/lua-hooks/ext/lua/lua_dll.rc +26 -0
data/lua-hooks/ext/lua/luac.c +200 -0
data/lua-hooks/ext/lua/luac.rc +1 -0
data/lua-hooks/ext/lua/luaconf.h +763 -0
data/lua-hooks/ext/lua/luaconf.h.in +724 -0
data/lua-hooks/ext/lua/luaconf.h.orig +763 -0
data/lua-hooks/ext/lua/lualib.h +53 -0
data/lua-hooks/ext/lua/lundump.c +227 -0
data/lua-hooks/ext/lua/lundump.h +36 -0
data/lua-hooks/ext/lua/lvm.c +767 -0
data/lua-hooks/ext/lua/lvm.h +36 -0
data/lua-hooks/ext/lua/lzio.c +82 -0
data/lua-hooks/ext/lua/lzio.h +67 -0
data/lua-hooks/ext/lua/print.c +227 -0
data/lua-hooks/ext/luautf8/README.md +152 -0
data/lua-hooks/ext/luautf8/lutf8lib.c +1274 -0
data/lua-hooks/ext/luautf8/unidata.h +3064 -0
data/lua-hooks/lib/boot.lua +254 -0
data/lua-hooks/lib/encode.lua +4 -0
data/lua-hooks/lib/lexers/LICENSE +21 -0
data/lua-hooks/lib/lexers/bash.lua +134 -0
data/lua-hooks/lib/lexers/bash_dqstr.lua +62 -0
data/lua-hooks/lib/lexers/css.lua +216 -0
data/lua-hooks/lib/lexers/html.lua +106 -0
data/lua-hooks/lib/lexers/javascript.lua +68 -0
data/lua-hooks/lib/lexers/lexer.lua +1575 -0
data/lua-hooks/lib/lexers/markers.lua +33 -0
metadata +308 -0

data/lua-hooks/ext/libinjection/libinjection_xss.c ADDED

@@ -0,0 +1,531 @@
+#include "libinjection.h"
+#include "libinjection_xss.h"
+#include "libinjection_html5.h"
+#include <assert.h>
+#include <stdio.h>
+typedef enum attribute {
+    TYPE_NONE
+    , TYPE_BLACK     /* ban always */
+    , TYPE_ATTR_URL   /* attribute value takes a URL-like object */
+    , TYPE_STYLE
+    , TYPE_ATTR_INDIRECT  /* attribute *name* is given in *value* */
+} attribute_t;
+static attribute_t is_black_attr(const char* s, size_t len);
+static int is_black_tag(const char* s, size_t len);
+static int is_black_url(const char* s, size_t len);
+static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
+static int html_decode_char_at(const char* src, size_t len, size_t* consumed);
+static int htmlencode_startswith(const char* prefix, const char *src, size_t n);
+typedef struct stringtype {
+    const char* name;
+    attribute_t atype;
+} stringtype_t;
+static const int gsHexDecodeMap[256] = {
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
+    256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256
+};
+static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
+{
+    int val = 0;
+    size_t i;
+    int ch;
+    if (len == 0 || src == NULL) {
+        *consumed = 0;
+        return -1;
+    }
+    *consumed = 1;
+    if (*src != '&' || len < 2) {
+        return (unsigned char)(*src);
+    }
+    if (*(src+1) != '#') {
+        /* normally this would be for named entities
+         * but for this case we don't actually care
+         */
+        return '&';
+    }
+    if (*(src+2) == 'x' || *(src+2) == 'X') {
+        ch = (unsigned char) (*(src+3));
+        ch = gsHexDecodeMap[ch];
+        if (ch == 256) {
+            /* degenerate case  '&#[?]' */
+            return '&';
+        }
+        val = ch;
+        i = 4;
+        while (i < len) {
+            ch = (unsigned char) src[i];
+            if (ch == ';') {
+                *consumed = i + 1;
+                return val;
+            }
+            ch = gsHexDecodeMap[ch];
+            if (ch == 256) {
+                *consumed = i;
+                return val;
+            }
+            val = (val * 16) + ch;
+            if (val > 0x1000FF) {
+                return '&';
+            }
+            ++i;
+        }
+        *consumed = i;
+        return val;
+    } else {
+        i = 2;
+        ch = (unsigned char) src[i];
+        if (ch < '0' || ch > '9') {
+            return '&';
+        }
+        val = ch - '0';
+        i += 1;
+        while (i < len) {
+            ch = (unsigned char) src[i];
+            if (ch == ';') {
+                *consumed = i + 1;
+                return val;
+            }
+            if (ch < '0' || ch > '9') {
+                *consumed = i;
+                return val;
+            }
+            val = (val * 10) + (ch - '0');
+            if (val > 0x1000FF) {
+                return '&';
+            }
+            ++i;
+        }
+        *consumed = i;
+        return val;
+    }
+}
+/*
+ * view-source:
+ * data:
+ * javascript:
+ */
+static stringtype_t BLACKATTR[] = {
+    { "ACTION", TYPE_ATTR_URL }     /* form */
+    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
+    , { "BY", TYPE_ATTR_URL }         /* SVG */
+    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
+    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
+    , { "DATASRC", TYPE_BLACK }       /* IE */
+    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
+    , { "FORMACTION", TYPE_ATTR_URL } /* HTML5 */
+    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
+    , { "FROM", TYPE_ATTR_URL }       /* SVG */
+    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
+    , { "HREF", TYPE_ATTR_URL }
+    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
+    , { "SRC", TYPE_ATTR_URL }
+    , { "STYLE", TYPE_STYLE }
+    , { "TO", TYPE_ATTR_URL }         /* SVG */
+    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
+    , { "XLINK:HREF", TYPE_ATTR_URL }
+    , { NULL, TYPE_NONE }
+};
+/* xmlns */
+/* xml-stylesheet > <eval>, <if expr=> */
+/*
+  static const char* BLACKATTR[] = {
+  "ATTRIBUTENAME",
+  "BACKGROUND",
+  "DATAFORMATAS",
+  "HREF",
+  "SCROLL",
+  "SRC",
+  "STYLE",
+  "SRCDOC",
+  NULL
+  };
+*/
+static const char* BLACKTAG[] = {
+    "APPLET"
+    /*    , "AUDIO" */
+    , "BASE"
+    , "COMMENT"  /* IE http://html5sec.org/#38 */
+    , "EMBED"
+    /*   ,  "FORM" */
+    , "FRAME"
+    , "FRAMESET"
+    , "HANDLER" /* Opera SVG, effectively a script tag */
+    , "IFRAME"
+    , "IMPORT"
+    , "ISINDEX"
+    , "LINK"
+    , "LISTENER"
+    /*    , "MARQUEE" */
+    , "META"
+    , "NOSCRIPT"
+    , "OBJECT"
+    , "SCRIPT"
+    , "STYLE"
+    /*    , "VIDEO" */
+    , "VMLFRAME"
+    , "XML"
+    , "XSS"
+    , NULL
+};
+static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
+{
+    char ca;
+    char cb;
+    /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
+    while (n-- > 0) {
+        cb = *b++;
+        if (cb == '\0') continue;
+        ca = *a++;
+        if (cb >= 'a' && cb <= 'z') {
+            cb -= 0x20;
+        }
+        /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
+        if (ca != cb) {
+            return 1;
+        }
+    }
+    if (*a == 0) {
+        /* printf(" MATCH \n"); */
+        return 0;
+    } else {
+        return 1;
+    }
+}
+/*
+ * Does an HTML encoded  binary string (const char*, lenght) start with
+ * a all uppercase c-string (null terminated), case insenstive!
+ *
+ * also ignore any embedded nulls in the HTML string!
+ *
+ * return 1 if match / starts with
+ * return 0 if not
+ */
+static int htmlencode_startswith(const char *a, const char *b, size_t n)
+{
+    size_t consumed;
+    int cb;
+    int first = 1;
+    /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
+    while (n > 0) {
+        if (*a == 0) {
+            /* printf("Match EOL!\n"); */
+            return 1;
+        }
+        cb = html_decode_char_at(b, n, &consumed);
+        b += consumed;
+        n -= consumed;
+        if (first && cb <= 32) {
+            /* ignore all leading whitespace and control characters */
+            continue;
+        }
+        first = 0;
+        if (cb == 0) {
+            /* always ignore null characters in user input */
+            continue;
+        }
+        if (cb == 10) {
+            /* always ignore vtab characters in user input */
+            /* who allows this?? */
+            continue;
+        }
+        if (cb >= 'a' && cb <= 'z') {
+            /* upcase */
+            cb -= 0x20;
+        }
+        if (*a != (char) cb) {
+            /* printf("    %c != %c\n", *a, cb); */
+            /* mismatch */
+            return 0;
+        }
+        a++;
+    }
+    return (*a == 0) ? 1 : 0;
+}
+static int is_black_tag(const char* s, size_t len)
+{
+    const char** black;
+    if (len < 3) {
+        return 0;
+    }
+    black = BLACKTAG;
+    while (*black != NULL) {
+        if (cstrcasecmp_with_null(*black, s, len) == 0) {
+            /* printf("Got black tag %s\n", *black); */
+            return 1;
+        }
+        black += 1;
+    }
+    /* anything SVG related */
+    if ((s[0] == 's' || s[0] == 'S') &&
+        (s[1] == 'v' || s[1] == 'V') &&
+        (s[2] == 'g' || s[2] == 'G')) {
+        /*        printf("Got SVG tag \n"); */
+        return 1;
+    }
+    /* Anything XSL(t) related */
+    if ((s[0] == 'x' || s[0] == 'X') &&
+        (s[1] == 's' || s[1] == 'S') &&
+        (s[2] == 'l' || s[2] == 'L')) {
+        /*      printf("Got XSL tag\n"); */
+        return 1;
+    }
+    return 0;
+}
+static attribute_t is_black_attr(const char* s, size_t len)
+{
+    stringtype_t* black;
+    if (len < 2) {
+        return TYPE_NONE;
+    }
+    /* javascript on.* */
+    if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
+        /* printf("Got javascript on- attribute name\n"); */
+        return TYPE_BLACK;
+    }
+    if (len >= 5) {
+        /* XMLNS can be used to create arbitrary tags */
+        if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
+            /*      printf("Got XMLNS and XLINK tags\n"); */
+            return TYPE_BLACK;
+        }
+    }
+    black = BLACKATTR;
+    while (black->name != NULL) {
+        if (cstrcasecmp_with_null(black->name, s, len) == 0) {
+            /*      printf("Got banned attribute name %s\n", black->name); */
+            return black->atype;
+        }
+        black += 1;
+    }
+    return TYPE_NONE;
+}
+static int is_black_url(const char* s, size_t len)
+{
+    static const char* data_url = "DATA";
+    static const char* viewsource_url = "VIEW-SOURCE";
+    /* obsolete but interesting signal */
+    static const char* vbscript_url = "VBSCRIPT";
+    /* covers JAVA, JAVASCRIPT, + colon */
+    static const char* javascript_url = "JAVA";
+    /* skip whitespace */
+    while (len > 0 && (*s <= 32 || *s >= 127)) {
+        /*
+         * HEY: this is a signed character.
+         *  We are intentionally skipping high-bit characters too
+         *  since they are not ascii, and Opera sometimes uses UTF8 whitespace.
+         *
+         * Also in EUC-JP some of the high bytes are just ignored.
+         */
+        ++s;
+        --len;
+    }
+    if (htmlencode_startswith(data_url, s, len)) {
+        return 1;
+    }
+    if (htmlencode_startswith(viewsource_url, s, len)) {
+        return 1;
+    }
+    if (htmlencode_startswith(javascript_url, s, len)) {
+        return 1;
+    }
+    if (htmlencode_startswith(vbscript_url, s, len)) {
+        return 1;
+    }
+    return 0;
+}
+int libinjection_is_xss(const char* s, size_t len, int flags)
+{
+    h5_state_t h5;
+    attribute_t attr = TYPE_NONE;
+    libinjection_h5_init(&h5, s, len, (enum html5_flags) flags);
+    while (libinjection_h5_next(&h5)) {
+        if (h5.token_type != ATTR_VALUE) {
+            attr = TYPE_NONE;
+        }
+        if (h5.token_type == DOCTYPE) {
+            return 1;
+        } else if (h5.token_type == TAG_NAME_OPEN) {
+            if (is_black_tag(h5.token_start, h5.token_len)) {
+                return 1;
+            }
+        } else if (h5.token_type == ATTR_NAME) {
+            attr = is_black_attr(h5.token_start, h5.token_len);
+        } else if (h5.token_type == ATTR_VALUE) {
+            /*
+             * IE6,7,8 parsing works a bit differently so
+             * a whole <script> or other black tag might be hiding
+             * inside an attribute value under HTML5 parsing
+             * See http://html5sec.org/#102
+             * to avoid doing a full reparse of the value, just
+             * look for "<".  This probably need adjusting to
+             * handle escaped characters
+             */
+            /*
+              if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
+              return 1;
+              }
+            */
+            switch (attr) {
+            case TYPE_NONE:
+                break;
+            case TYPE_BLACK:
+                return 1;
+            case TYPE_ATTR_URL:
+                if (is_black_url(h5.token_start, h5.token_len)) {
+                    return 1;
+                }
+                break;
+            case TYPE_STYLE:
+                return 1;
+            case TYPE_ATTR_INDIRECT:
+                /* an attribute name is specified in a _value_ */
+                if (is_black_attr(h5.token_start, h5.token_len)) {
+                    return 1;
+                }
+                break;
+/*
+  default:
+  assert(0);
+*/
+            }
+            attr = TYPE_NONE;
+        } else if (h5.token_type == TAG_COMMENT) {
+            /* IE uses a "`" as a tag ending char */
+            if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
+                return 1;
+            }
+            /* IE conditional comment */
+            if (h5.token_len > 3) {
+                if (h5.token_start[0] == '[' &&
+                    (h5.token_start[1] == 'i' || h5.token_start[1] == 'I') &&
+                    (h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
+                    return 1;
+                }
+                if ((h5.token_start[0] == 'x' || h5.token_start[1] == 'X') &&
+                    (h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
+                    (h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
+                    return 1;
+                }
+            }
+            if (h5.token_len > 5) {
+                /*  IE <?import pseudo-tag */
+                if (cstrcasecmp_with_null("IMPORT", h5.token_start, 6) == 0) {
+                    return 1;
+                }
+                /*  XML Entity definition */
+                if (cstrcasecmp_with_null("ENTITY", h5.token_start, 6) == 0) {
+                    return 1;
+                }
+            }
+        }
+    }
+    return 0;
+}
+/*
+ * wrapper
+ */
+int libinjection_xss(const char* s, size_t len)
+{
+    if (libinjection_is_xss(s, len, DATA_STATE)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, len, VALUE_NO_QUOTE)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, len, VALUE_SINGLE_QUOTE)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, len, VALUE_DOUBLE_QUOTE)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, len, VALUE_BACK_QUOTE)) {
+        return 1;
+    }
+    return 0;
+}