RubyGems - immunio - Versions diffs - 1.2.1 → 2.0.2 - Mend

immunio 1.2.1 → 2.0.2

Files changed (291) hide show

checksums.yaml +4 -4
data/README.md +13 -5
data/ext/immunio/Rakefile +14 -6
data/lib/immunio/context.rb +2 -0
data/lib/immunio/plugins/action_view.rb +7 -668
data/lib/immunio/plugins/action_view/action_view.rb +22 -0
data/lib/immunio/plugins/action_view/active_support_hash.rb +29 -0
data/lib/immunio/plugins/action_view/cache_store.rb +24 -0
data/lib/immunio/plugins/action_view/erubi.rb +38 -0
data/lib/immunio/plugins/action_view/erubis.rb +39 -0
data/lib/immunio/plugins/action_view/fragment_caching.rb +29 -0
data/lib/immunio/plugins/action_view/haml.rb +46 -0
data/lib/immunio/plugins/action_view/slim.rb +42 -0
data/lib/immunio/plugins/action_view/template.rb +431 -0
data/lib/immunio/plugins/action_view/template_rendering.rb +45 -0
data/lib/immunio/plugins/http_tracker.rb +2 -0
data/lib/immunio/plugins/io.rb +34 -0
data/lib/immunio/version.rb +1 -1
data/lua-hooks/Makefile +36 -9
data/lua-hooks/ext/luajit/COPYRIGHT +1 -1
data/lua-hooks/ext/luajit/Makefile +22 -15
data/lua-hooks/ext/luajit/README +2 -2
data/lua-hooks/ext/luajit/doc/bluequad-print.css +1 -1
data/lua-hooks/ext/luajit/doc/bluequad.css +1 -1
data/lua-hooks/ext/luajit/doc/changes.html +69 -3
data/lua-hooks/ext/luajit/doc/contact.html +10 -3
data/lua-hooks/ext/luajit/doc/ext_c_api.html +2 -2
data/lua-hooks/ext/luajit/doc/ext_ffi.html +2 -2
data/lua-hooks/ext/luajit/doc/ext_ffi_api.html +2 -2
data/lua-hooks/ext/luajit/doc/ext_ffi_semantics.html +3 -4
data/lua-hooks/ext/luajit/doc/ext_ffi_tutorial.html +2 -2
data/lua-hooks/ext/luajit/doc/ext_jit.html +3 -3
data/lua-hooks/ext/luajit/doc/ext_profiler.html +2 -2
data/lua-hooks/ext/luajit/doc/extensions.html +47 -20
data/lua-hooks/ext/luajit/doc/faq.html +2 -2
data/lua-hooks/ext/luajit/doc/install.html +74 -45
data/lua-hooks/ext/luajit/doc/luajit.html +5 -5
data/lua-hooks/ext/luajit/doc/running.html +3 -3
data/lua-hooks/ext/luajit/doc/status.html +13 -8
data/lua-hooks/ext/luajit/dynasm/dasm_arm.h +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_arm.lua +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_arm64.h +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_arm64.lua +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_mips.h +8 -5
data/lua-hooks/ext/luajit/dynasm/dasm_mips.lua +66 -11
data/lua-hooks/ext/luajit/dynasm/dasm_mips64.lua +12 -0
data/lua-hooks/ext/luajit/dynasm/dasm_ppc.h +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_ppc.lua +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_proto.h +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_x64.lua +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_x86.h +1 -1
data/lua-hooks/ext/luajit/dynasm/dasm_x86.lua +5 -1
data/lua-hooks/ext/luajit/dynasm/dynasm.lua +2 -2
data/lua-hooks/ext/luajit/etc/luajit.1 +1 -1
data/lua-hooks/ext/luajit/etc/luajit.pc +1 -1
data/lua-hooks/ext/luajit/src/Makefile +15 -11
data/lua-hooks/ext/luajit/src/Makefile.dep +16 -16
data/lua-hooks/ext/luajit/src/host/buildvm.c +2 -2
data/lua-hooks/ext/luajit/src/host/buildvm.h +1 -1
data/lua-hooks/ext/luajit/src/host/buildvm_asm.c +9 -4
data/lua-hooks/ext/luajit/src/host/buildvm_fold.c +2 -2
data/lua-hooks/ext/luajit/src/host/buildvm_lib.c +1 -1
data/lua-hooks/ext/luajit/src/host/buildvm_libbc.h +14 -3
data/lua-hooks/ext/luajit/src/host/buildvm_peobj.c +27 -3
data/lua-hooks/ext/luajit/src/host/genlibbc.lua +1 -1
data/lua-hooks/ext/luajit/src/host/genminilua.lua +6 -5
data/lua-hooks/ext/luajit/src/host/minilua.c +1 -1
data/lua-hooks/ext/luajit/src/jit/bc.lua +1 -1
data/lua-hooks/ext/luajit/src/jit/bcsave.lua +8 -8
data/lua-hooks/ext/luajit/src/jit/dis_arm.lua +2 -2
data/lua-hooks/ext/luajit/src/jit/dis_arm64.lua +1216 -0
data/lua-hooks/ext/luajit/src/jit/dis_arm64be.lua +12 -0
data/lua-hooks/ext/luajit/src/jit/dis_mips.lua +35 -20
data/lua-hooks/ext/luajit/src/jit/dis_mips64.lua +17 -0
data/lua-hooks/ext/luajit/src/jit/dis_mips64el.lua +17 -0
data/lua-hooks/ext/luajit/src/jit/dis_mipsel.lua +1 -1
data/lua-hooks/ext/luajit/src/jit/dis_ppc.lua +2 -2
data/lua-hooks/ext/luajit/src/jit/dis_x64.lua +1 -1
data/lua-hooks/ext/luajit/src/jit/dis_x86.lua +7 -4
data/lua-hooks/ext/luajit/src/jit/dump.lua +17 -12
data/lua-hooks/ext/luajit/src/jit/p.lua +3 -2
data/lua-hooks/ext/luajit/src/jit/v.lua +2 -2
data/lua-hooks/ext/luajit/src/jit/zone.lua +1 -1
data/lua-hooks/ext/luajit/src/lauxlib.h +14 -20
data/lua-hooks/ext/luajit/src/lib_aux.c +38 -27
data/lua-hooks/ext/luajit/src/lib_base.c +12 -5
data/lua-hooks/ext/luajit/src/lib_bit.c +1 -1
data/lua-hooks/ext/luajit/src/lib_debug.c +5 -5
data/lua-hooks/ext/luajit/src/lib_ffi.c +2 -2
data/lua-hooks/ext/luajit/src/lib_init.c +16 -16
data/lua-hooks/ext/luajit/src/lib_io.c +6 -7
data/lua-hooks/ext/luajit/src/lib_jit.c +14 -4
data/lua-hooks/ext/luajit/src/lib_math.c +1 -5
data/lua-hooks/ext/luajit/src/lib_os.c +1 -1
data/lua-hooks/ext/luajit/src/lib_package.c +14 -23
data/lua-hooks/ext/luajit/src/lib_string.c +1 -5
data/lua-hooks/ext/luajit/src/lib_table.c +21 -1
data/lua-hooks/ext/luajit/src/lj.supp +3 -3
data/lua-hooks/ext/luajit/src/lj_alloc.c +174 -83
data/lua-hooks/ext/luajit/src/lj_api.c +97 -18
data/lua-hooks/ext/luajit/src/lj_arch.h +54 -22
data/lua-hooks/ext/luajit/src/lj_asm.c +172 -53
data/lua-hooks/ext/luajit/src/lj_asm.h +1 -1
data/lua-hooks/ext/luajit/src/lj_asm_arm.h +19 -16
data/lua-hooks/ext/luajit/src/lj_asm_arm64.h +2022 -0
data/lua-hooks/ext/luajit/src/lj_asm_mips.h +564 -158
data/lua-hooks/ext/luajit/src/lj_asm_ppc.h +19 -18
data/lua-hooks/ext/luajit/src/lj_asm_x86.h +578 -92
data/lua-hooks/ext/luajit/src/lj_bc.c +1 -1
data/lua-hooks/ext/luajit/src/lj_bc.h +1 -1
data/lua-hooks/ext/luajit/src/lj_bcdump.h +1 -1
data/lua-hooks/ext/luajit/src/lj_bcread.c +1 -1
data/lua-hooks/ext/luajit/src/lj_bcwrite.c +1 -1
data/lua-hooks/ext/luajit/src/lj_buf.c +1 -1
data/lua-hooks/ext/luajit/src/lj_buf.h +1 -1
data/lua-hooks/ext/luajit/src/lj_carith.c +1 -1
data/lua-hooks/ext/luajit/src/lj_carith.h +1 -1
data/lua-hooks/ext/luajit/src/lj_ccall.c +172 -7
data/lua-hooks/ext/luajit/src/lj_ccall.h +21 -5
data/lua-hooks/ext/luajit/src/lj_ccallback.c +71 -17
data/lua-hooks/ext/luajit/src/lj_ccallback.h +1 -1
data/lua-hooks/ext/luajit/src/lj_cconv.c +4 -2
data/lua-hooks/ext/luajit/src/lj_cconv.h +1 -1
data/lua-hooks/ext/luajit/src/lj_cdata.c +7 -5
data/lua-hooks/ext/luajit/src/lj_cdata.h +1 -1
data/lua-hooks/ext/luajit/src/lj_clib.c +5 -5
data/lua-hooks/ext/luajit/src/lj_clib.h +1 -1
data/lua-hooks/ext/luajit/src/lj_cparse.c +11 -6
data/lua-hooks/ext/luajit/src/lj_cparse.h +1 -1
data/lua-hooks/ext/luajit/src/lj_crecord.c +70 -14
data/lua-hooks/ext/luajit/src/lj_crecord.h +1 -1
data/lua-hooks/ext/luajit/src/lj_ctype.c +1 -1
data/lua-hooks/ext/luajit/src/lj_ctype.h +8 -8
data/lua-hooks/ext/luajit/src/lj_debug.c +1 -1
data/lua-hooks/ext/luajit/src/lj_debug.h +1 -1
data/lua-hooks/ext/luajit/src/lj_def.h +6 -9
data/lua-hooks/ext/luajit/src/lj_dispatch.c +3 -3
data/lua-hooks/ext/luajit/src/lj_dispatch.h +2 -1
data/lua-hooks/ext/luajit/src/lj_emit_arm.h +5 -4
data/lua-hooks/ext/luajit/src/lj_emit_arm64.h +419 -0
data/lua-hooks/ext/luajit/src/lj_emit_mips.h +100 -20
data/lua-hooks/ext/luajit/src/lj_emit_ppc.h +4 -4
data/lua-hooks/ext/luajit/src/lj_emit_x86.h +116 -25
data/lua-hooks/ext/luajit/src/lj_err.c +34 -13
data/lua-hooks/ext/luajit/src/lj_err.h +1 -1
data/lua-hooks/ext/luajit/src/lj_errmsg.h +1 -1
data/lua-hooks/ext/luajit/src/lj_ff.h +1 -1
data/lua-hooks/ext/luajit/src/lj_ffrecord.c +58 -49
data/lua-hooks/ext/luajit/src/lj_ffrecord.h +1 -1
data/lua-hooks/ext/luajit/src/lj_frame.h +33 -6
data/lua-hooks/ext/luajit/src/lj_func.c +4 -2
data/lua-hooks/ext/luajit/src/lj_func.h +1 -1
data/lua-hooks/ext/luajit/src/lj_gc.c +16 -7
data/lua-hooks/ext/luajit/src/lj_gc.h +1 -1
data/lua-hooks/ext/luajit/src/lj_gdbjit.c +31 -1
data/lua-hooks/ext/luajit/src/lj_gdbjit.h +1 -1
data/lua-hooks/ext/luajit/src/lj_ir.c +69 -96
data/lua-hooks/ext/luajit/src/lj_ir.h +29 -18
data/lua-hooks/ext/luajit/src/lj_ircall.h +24 -30
data/lua-hooks/ext/luajit/src/lj_iropt.h +9 -9
data/lua-hooks/ext/luajit/src/lj_jit.h +67 -9
data/lua-hooks/ext/luajit/src/lj_lex.c +1 -1
data/lua-hooks/ext/luajit/src/lj_lex.h +1 -1
data/lua-hooks/ext/luajit/src/lj_lib.c +1 -1
data/lua-hooks/ext/luajit/src/lj_lib.h +1 -1
data/lua-hooks/ext/luajit/src/lj_load.c +1 -1
data/lua-hooks/ext/luajit/src/lj_mcode.c +11 -10
data/lua-hooks/ext/luajit/src/lj_mcode.h +1 -1
data/lua-hooks/ext/luajit/src/lj_meta.c +1 -1
data/lua-hooks/ext/luajit/src/lj_meta.h +1 -1
data/lua-hooks/ext/luajit/src/lj_obj.c +1 -1
data/lua-hooks/ext/luajit/src/lj_obj.h +7 -3
data/lua-hooks/ext/luajit/src/lj_opt_dce.c +1 -1
data/lua-hooks/ext/luajit/src/lj_opt_fold.c +84 -17
data/lua-hooks/ext/luajit/src/lj_opt_loop.c +1 -1
data/lua-hooks/ext/luajit/src/lj_opt_mem.c +3 -3
data/lua-hooks/ext/luajit/src/lj_opt_narrow.c +24 -22
data/lua-hooks/ext/luajit/src/lj_opt_sink.c +11 -6
data/lua-hooks/ext/luajit/src/lj_opt_split.c +11 -2
data/lua-hooks/ext/luajit/src/lj_parse.c +9 -7
data/lua-hooks/ext/luajit/src/lj_parse.h +1 -1
data/lua-hooks/ext/luajit/src/lj_profile.c +1 -1
data/lua-hooks/ext/luajit/src/lj_profile.h +1 -1
data/lua-hooks/ext/luajit/src/lj_record.c +201 -117
data/lua-hooks/ext/luajit/src/lj_record.h +1 -1
data/lua-hooks/ext/luajit/src/lj_snap.c +72 -26
data/lua-hooks/ext/luajit/src/lj_snap.h +1 -1
data/lua-hooks/ext/luajit/src/lj_state.c +6 -6
data/lua-hooks/ext/luajit/src/lj_state.h +2 -2
data/lua-hooks/ext/luajit/src/lj_str.c +1 -1
data/lua-hooks/ext/luajit/src/lj_str.h +1 -1
data/lua-hooks/ext/luajit/src/lj_strfmt.c +7 -3
data/lua-hooks/ext/luajit/src/lj_strfmt.h +1 -1
data/lua-hooks/ext/luajit/src/lj_strfmt_num.c +4 -3
data/lua-hooks/ext/luajit/src/lj_strscan.c +1 -1
data/lua-hooks/ext/luajit/src/lj_strscan.h +1 -1
data/lua-hooks/ext/luajit/src/lj_tab.c +1 -2
data/lua-hooks/ext/luajit/src/lj_tab.h +1 -1
data/lua-hooks/ext/luajit/src/lj_target.h +3 -3
data/lua-hooks/ext/luajit/src/lj_target_arm.h +1 -1
data/lua-hooks/ext/luajit/src/lj_target_arm64.h +239 -7
data/lua-hooks/ext/luajit/src/lj_target_mips.h +111 -22
data/lua-hooks/ext/luajit/src/lj_target_ppc.h +1 -1
data/lua-hooks/ext/luajit/src/lj_target_x86.h +21 -4
data/lua-hooks/ext/luajit/src/lj_trace.c +63 -18
data/lua-hooks/ext/luajit/src/lj_trace.h +2 -1
data/lua-hooks/ext/luajit/src/lj_traceerr.h +1 -1
data/lua-hooks/ext/luajit/src/lj_udata.c +1 -1
data/lua-hooks/ext/luajit/src/lj_udata.h +1 -1
data/lua-hooks/ext/luajit/src/lj_vm.h +5 -1
data/lua-hooks/ext/luajit/src/lj_vmevent.c +1 -1
data/lua-hooks/ext/luajit/src/lj_vmevent.h +1 -1
data/lua-hooks/ext/luajit/src/lj_vmmath.c +1 -1
data/lua-hooks/ext/luajit/src/ljamalg.c +1 -1
data/lua-hooks/ext/luajit/src/lua.h +9 -1
data/lua-hooks/ext/luajit/src/luaconf.h +3 -7
data/lua-hooks/ext/luajit/src/luajit.c +69 -54
data/lua-hooks/ext/luajit/src/luajit.h +4 -4
data/lua-hooks/ext/luajit/src/lualib.h +1 -1
data/lua-hooks/ext/luajit/src/msvcbuild.bat +12 -4
data/lua-hooks/ext/luajit/src/vm_arm.dasc +1 -1
data/lua-hooks/ext/luajit/src/vm_arm64.dasc +255 -32
data/lua-hooks/ext/luajit/src/vm_mips.dasc +26 -23
data/lua-hooks/ext/luajit/src/vm_mips64.dasc +5062 -0
data/lua-hooks/ext/luajit/src/vm_ppc.dasc +1 -1
data/lua-hooks/ext/luajit/src/vm_x64.dasc +24 -25
data/lua-hooks/ext/luajit/src/vm_x86.dasc +77 -4
data/lua-hooks/libluahooks.darwin.a +0 -0
data/lua-hooks/libluahooks.linux.a +0 -0
data/lua-hooks/options.mk +1 -1
metadata +37 -77
data/lua-hooks/ext/all.c +0 -69
data/lua-hooks/ext/libinjection/COPYING +0 -37
data/lua-hooks/ext/libinjection/libinjection.h +0 -65
data/lua-hooks/ext/libinjection/libinjection_html5.c +0 -847
data/lua-hooks/ext/libinjection/libinjection_html5.h +0 -54
data/lua-hooks/ext/libinjection/libinjection_sqli.c +0 -2301
data/lua-hooks/ext/libinjection/libinjection_sqli.h +0 -295
data/lua-hooks/ext/libinjection/libinjection_sqli_data.h +0 -9349
data/lua-hooks/ext/libinjection/libinjection_xss.c +0 -531
data/lua-hooks/ext/libinjection/libinjection_xss.h +0 -21
data/lua-hooks/ext/libinjection/lualib.c +0 -145
data/lua-hooks/ext/libinjection/module.mk +0 -5
data/lua-hooks/ext/lpeg/HISTORY +0 -96
data/lua-hooks/ext/lpeg/lpcap.c +0 -537
data/lua-hooks/ext/lpeg/lpcap.h +0 -56
data/lua-hooks/ext/lpeg/lpcode.c +0 -1014
data/lua-hooks/ext/lpeg/lpcode.h +0 -40
data/lua-hooks/ext/lpeg/lpeg-128.gif +0 -0
data/lua-hooks/ext/lpeg/lpeg.html +0 -1445
data/lua-hooks/ext/lpeg/lpprint.c +0 -244
data/lua-hooks/ext/lpeg/lpprint.h +0 -36
data/lua-hooks/ext/lpeg/lptree.c +0 -1303
data/lua-hooks/ext/lpeg/lptree.h +0 -82
data/lua-hooks/ext/lpeg/lptypes.h +0 -149
data/lua-hooks/ext/lpeg/lpvm.c +0 -364
data/lua-hooks/ext/lpeg/lpvm.h +0 -58
data/lua-hooks/ext/lpeg/makefile +0 -55
data/lua-hooks/ext/lpeg/module.mk +0 -6
data/lua-hooks/ext/lpeg/re.html +0 -498
data/lua-hooks/ext/lua-cmsgpack/.gitignore +0 -13
data/lua-hooks/ext/lua-cmsgpack/CMakeLists.txt +0 -45
data/lua-hooks/ext/lua-cmsgpack/README.md +0 -115
data/lua-hooks/ext/lua-cmsgpack/lua_cmsgpack.c +0 -970
data/lua-hooks/ext/lua-cmsgpack/module.mk +0 -2
data/lua-hooks/ext/lua-cmsgpack/test.lua +0 -570
data/lua-hooks/ext/lua-snapshot/LICENSE +0 -7
data/lua-hooks/ext/lua-snapshot/Makefile +0 -12
data/lua-hooks/ext/lua-snapshot/README.md +0 -18
data/lua-hooks/ext/lua-snapshot/dump.lua +0 -15
data/lua-hooks/ext/lua-snapshot/module.mk +0 -2
data/lua-hooks/ext/lua-snapshot/snapshot.c +0 -462
data/lua-hooks/ext/luautf8/README.md +0 -152
data/lua-hooks/ext/luautf8/lutf8lib.c +0 -1274
data/lua-hooks/ext/luautf8/module.mk +0 -2
data/lua-hooks/ext/luautf8/unidata.h +0 -3064
data/lua-hooks/ext/module.mk +0 -15
data/lua-hooks/ext/modules.h +0 -17
data/lua-hooks/ext/perf/luacpu.c +0 -114
data/lua-hooks/ext/perf/lualoadavg.c +0 -40
data/lua-hooks/ext/perf/luameminfo.c +0 -38
data/lua-hooks/ext/perf/luaoslib.c +0 -203
data/lua-hooks/ext/perf/module.mk +0 -5
data/lua-hooks/ext/sha1/luasha1.c +0 -74
data/lua-hooks/ext/sha1/module.mk +0 -5
data/lua-hooks/ext/sha1/sha1.c +0 -145
data/lua-hooks/ext/sha2/luasha256.c +0 -77
data/lua-hooks/ext/sha2/module.mk +0 -5
data/lua-hooks/ext/sha2/sha256.c +0 -196
data/lua-hooks/ext/sysutils/lua_utils.c +0 -56
data/lua-hooks/ext/sysutils/module.mk +0 -2

data/lua-hooks/ext/libinjection/libinjection_xss.c DELETED

@@ -1,531 +0,0 @@
-#include "libinjection.h"
-#include "libinjection_xss.h"
-#include "libinjection_html5.h"
-#include <assert.h>
-#include <stdio.h>
-typedef enum attribute {
-    TYPE_NONE
-    , TYPE_BLACK     /* ban always */
-    , TYPE_ATTR_URL   /* attribute value takes a URL-like object */
-    , TYPE_STYLE
-    , TYPE_ATTR_INDIRECT  /* attribute *name* is given in *value* */
-} attribute_t;
-static attribute_t is_black_attr(const char* s, size_t len);
-static int is_black_tag(const char* s, size_t len);
-static int is_black_url(const char* s, size_t len);
-static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
-static int html_decode_char_at(const char* src, size_t len, size_t* consumed);
-static int htmlencode_startswith(const char* prefix, const char *src, size_t n);
-typedef struct stringtype {
-    const char* name;
-    attribute_t atype;
-} stringtype_t;
-static const int gsHexDecodeMap[256] = {
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
-    256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256
-};
-static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
-{
-    int val = 0;
-    size_t i;
-    int ch;
-    if (len == 0 || src == NULL) {
-        *consumed = 0;
-        return -1;
-    }
-    *consumed = 1;
-    if (*src != '&' || len < 2) {
-        return (unsigned char)(*src);
-    }
-    if (*(src+1) != '#') {
-        /* normally this would be for named entities
-         * but for this case we don't actually care
-         */
-        return '&';
-    }
-    if (*(src+2) == 'x' || *(src+2) == 'X') {
-        ch = (unsigned char) (*(src+3));
-        ch = gsHexDecodeMap[ch];
-        if (ch == 256) {
-            /* degenerate case  '&#[?]' */
-            return '&';
-        }
-        val = ch;
-        i = 4;
-        while (i < len) {
-            ch = (unsigned char) src[i];
-            if (ch == ';') {
-                *consumed = i + 1;
-                return val;
-            }
-            ch = gsHexDecodeMap[ch];
-            if (ch == 256) {
-                *consumed = i;
-                return val;
-            }
-            val = (val * 16) + ch;
-            if (val > 0x1000FF) {
-                return '&';
-            }
-            ++i;
-        }
-        *consumed = i;
-        return val;
-    } else {
-        i = 2;
-        ch = (unsigned char) src[i];
-        if (ch < '0' || ch > '9') {
-            return '&';
-        }
-        val = ch - '0';
-        i += 1;
-        while (i < len) {
-            ch = (unsigned char) src[i];
-            if (ch == ';') {
-                *consumed = i + 1;
-                return val;
-            }
-            if (ch < '0' || ch > '9') {
-                *consumed = i;
-                return val;
-            }
-            val = (val * 10) + (ch - '0');
-            if (val > 0x1000FF) {
-                return '&';
-            }
-            ++i;
-        }
-        *consumed = i;
-        return val;
-    }
-}
-/*
- * view-source:
- * data:
- * javascript:
- */
-static stringtype_t BLACKATTR[] = {
-    { "ACTION", TYPE_ATTR_URL }     /* form */
-    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
-    , { "BY", TYPE_ATTR_URL }         /* SVG */
-    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
-    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
-    , { "DATASRC", TYPE_BLACK }       /* IE */
-    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
-    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
-    , { "FORMACTION", TYPE_ATTR_URL } /* HTML5 */
-    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
-    , { "FROM", TYPE_ATTR_URL }       /* SVG */
-    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
-    , { "HREF", TYPE_ATTR_URL }
-    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
-    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
-    , { "SRC", TYPE_ATTR_URL }
-    , { "STYLE", TYPE_STYLE }
-    , { "TO", TYPE_ATTR_URL }         /* SVG */
-    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
-    , { "XLINK:HREF", TYPE_ATTR_URL }
-    , { NULL, TYPE_NONE }
-};
-/* xmlns */
-/* xml-stylesheet > <eval>, <if expr=> */
-/*
-  static const char* BLACKATTR[] = {
-  "ATTRIBUTENAME",
-  "BACKGROUND",
-  "DATAFORMATAS",
-  "HREF",
-  "SCROLL",
-  "SRC",
-  "STYLE",
-  "SRCDOC",
-  NULL
-  };
-*/
-static const char* BLACKTAG[] = {
-    "APPLET"
-    /*    , "AUDIO" */
-    , "BASE"
-    , "COMMENT"  /* IE http://html5sec.org/#38 */
-    , "EMBED"
-    /*   ,  "FORM" */
-    , "FRAME"
-    , "FRAMESET"
-    , "HANDLER" /* Opera SVG, effectively a script tag */
-    , "IFRAME"
-    , "IMPORT"
-    , "ISINDEX"
-    , "LINK"
-    , "LISTENER"
-    /*    , "MARQUEE" */
-    , "META"
-    , "NOSCRIPT"
-    , "OBJECT"
-    , "SCRIPT"
-    , "STYLE"
-    /*    , "VIDEO" */
-    , "VMLFRAME"
-    , "XML"
-    , "XSS"
-    , NULL
-};
-static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
-{
-    char ca;
-    char cb;
-    /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
-    while (n-- > 0) {
-        cb = *b++;
-        if (cb == '\0') continue;
-        ca = *a++;
-        if (cb >= 'a' && cb <= 'z') {
-            cb -= 0x20;
-        }
-        /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
-        if (ca != cb) {
-            return 1;
-        }
-    }
-    if (*a == 0) {
-        /* printf(" MATCH \n"); */
-        return 0;
-    } else {
-        return 1;
-    }
-}
-/*
- * Does an HTML encoded  binary string (const char*, lenght) start with
- * a all uppercase c-string (null terminated), case insenstive!
- *
- * also ignore any embedded nulls in the HTML string!
- *
- * return 1 if match / starts with
- * return 0 if not
- */
-static int htmlencode_startswith(const char *a, const char *b, size_t n)
-{
-    size_t consumed;
-    int cb;
-    int first = 1;
-    /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
-    while (n > 0) {
-        if (*a == 0) {
-            /* printf("Match EOL!\n"); */
-            return 1;
-        }
-        cb = html_decode_char_at(b, n, &consumed);
-        b += consumed;
-        n -= consumed;
-        if (first && cb <= 32) {
-            /* ignore all leading whitespace and control characters */
-            continue;
-        }
-        first = 0;
-        if (cb == 0) {
-            /* always ignore null characters in user input */
-            continue;
-        }
-        if (cb == 10) {
-            /* always ignore vtab characters in user input */
-            /* who allows this?? */
-            continue;
-        }
-        if (cb >= 'a' && cb <= 'z') {
-            /* upcase */
-            cb -= 0x20;
-        }
-        if (*a != (char) cb) {
-            /* printf("    %c != %c\n", *a, cb); */
-            /* mismatch */
-            return 0;
-        }
-        a++;
-    }
-    return (*a == 0) ? 1 : 0;
-}
-static int is_black_tag(const char* s, size_t len)
-{
-    const char** black;
-    if (len < 3) {
-        return 0;
-    }
-    black = BLACKTAG;
-    while (*black != NULL) {
-        if (cstrcasecmp_with_null(*black, s, len) == 0) {
-            /* printf("Got black tag %s\n", *black); */
-            return 1;
-        }
-        black += 1;
-    }
-    /* anything SVG related */
-    if ((s[0] == 's' || s[0] == 'S') &&
-        (s[1] == 'v' || s[1] == 'V') &&
-        (s[2] == 'g' || s[2] == 'G')) {
-        /*        printf("Got SVG tag \n"); */
-        return 1;
-    }
-    /* Anything XSL(t) related */
-    if ((s[0] == 'x' || s[0] == 'X') &&
-        (s[1] == 's' || s[1] == 'S') &&
-        (s[2] == 'l' || s[2] == 'L')) {
-        /*      printf("Got XSL tag\n"); */
-        return 1;
-    }
-    return 0;
-}
-static attribute_t is_black_attr(const char* s, size_t len)
-{
-    stringtype_t* black;
-    if (len < 2) {
-        return TYPE_NONE;
-    }
-    /* javascript on.* */
-    if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
-        /* printf("Got javascript on- attribute name\n"); */
-        return TYPE_BLACK;
-    }
-    if (len >= 5) {
-        /* XMLNS can be used to create arbitrary tags */
-        if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
-            /*      printf("Got XMLNS and XLINK tags\n"); */
-            return TYPE_BLACK;
-        }
-    }
-    black = BLACKATTR;
-    while (black->name != NULL) {
-        if (cstrcasecmp_with_null(black->name, s, len) == 0) {
-            /*      printf("Got banned attribute name %s\n", black->name); */
-            return black->atype;
-        }
-        black += 1;
-    }
-    return TYPE_NONE;
-}
-static int is_black_url(const char* s, size_t len)
-{
-    static const char* data_url = "DATA";
-    static const char* viewsource_url = "VIEW-SOURCE";
-    /* obsolete but interesting signal */
-    static const char* vbscript_url = "VBSCRIPT";
-    /* covers JAVA, JAVASCRIPT, + colon */
-    static const char* javascript_url = "JAVA";
-    /* skip whitespace */
-    while (len > 0 && (*s <= 32 || *s >= 127)) {
-        /*
-         * HEY: this is a signed character.
-         *  We are intentionally skipping high-bit characters too
-         *  since they are not ascii, and Opera sometimes uses UTF8 whitespace.
-         *
-         * Also in EUC-JP some of the high bytes are just ignored.
-         */
-        ++s;
-        --len;
-    }
-    if (htmlencode_startswith(data_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(viewsource_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(javascript_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(vbscript_url, s, len)) {
-        return 1;
-    }
-    return 0;
-}
-int libinjection_is_xss(const char* s, size_t len, int flags)
-{
-    h5_state_t h5;
-    attribute_t attr = TYPE_NONE;
-    libinjection_h5_init(&h5, s, len, (enum html5_flags) flags);
-    while (libinjection_h5_next(&h5)) {
-        if (h5.token_type != ATTR_VALUE) {
-            attr = TYPE_NONE;
-        }
-        if (h5.token_type == DOCTYPE) {
-            return 1;
-        } else if (h5.token_type == TAG_NAME_OPEN) {
-            if (is_black_tag(h5.token_start, h5.token_len)) {
-                return 1;
-            }
-        } else if (h5.token_type == ATTR_NAME) {
-            attr = is_black_attr(h5.token_start, h5.token_len);
-        } else if (h5.token_type == ATTR_VALUE) {
-            /*
-             * IE6,7,8 parsing works a bit differently so
-             * a whole <script> or other black tag might be hiding
-             * inside an attribute value under HTML5 parsing
-             * See http://html5sec.org/#102
-             * to avoid doing a full reparse of the value, just
-             * look for "<".  This probably need adjusting to
-             * handle escaped characters
-             */
-            /*
-              if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
-              return 1;
-              }
-            */
-            switch (attr) {
-            case TYPE_NONE:
-                break;
-            case TYPE_BLACK:
-                return 1;
-            case TYPE_ATTR_URL:
-                if (is_black_url(h5.token_start, h5.token_len)) {
-                    return 1;
-                }
-                break;
-            case TYPE_STYLE:
-                return 1;
-            case TYPE_ATTR_INDIRECT:
-                /* an attribute name is specified in a _value_ */
-                if (is_black_attr(h5.token_start, h5.token_len)) {
-                    return 1;
-                }
-                break;
-/*
-  default:
-  assert(0);
-*/
-            }
-            attr = TYPE_NONE;
-        } else if (h5.token_type == TAG_COMMENT) {
-            /* IE uses a "`" as a tag ending char */
-            if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
-                return 1;
-            }
-            /* IE conditional comment */
-            if (h5.token_len > 3) {
-                if (h5.token_start[0] == '[' &&
-                    (h5.token_start[1] == 'i' || h5.token_start[1] == 'I') &&
-                    (h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
-                    return 1;
-                }
-                if ((h5.token_start[0] == 'x' || h5.token_start[1] == 'X') &&
-                    (h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
-                    (h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
-                    return 1;
-                }
-            }
-            if (h5.token_len > 5) {
-                /*  IE <?import pseudo-tag */
-                if (cstrcasecmp_with_null("IMPORT", h5.token_start, 6) == 0) {
-                    return 1;
-                }
-                /*  XML Entity definition */
-                if (cstrcasecmp_with_null("ENTITY", h5.token_start, 6) == 0) {
-                    return 1;
-                }
-            }
-        }
-    }
-    return 0;
-}
-/*
- * wrapper
- */
-int libinjection_xss(const char* s, size_t len)
-{
-    if (libinjection_is_xss(s, len, DATA_STATE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_NO_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_SINGLE_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_DOUBLE_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_BACK_QUOTE)) {
-        return 1;
-    }
-    return 0;
-}