Description
The purpose of the WASC Script Mapping Project is to create a comprehensive list of unique vectors that trigger the invocation of the JavaScript run-time, resulting in JavaScript content being evaluated and executed.
This list should include the following:
- Element references (<script>)
- HTML/XHTML DOM Events (onmousemove, onload)
- Protocol declarations (javascript:, data:)
We feel this reference will prove useful for comprehensive testing of currently implemented Data Validation solutions such as Whitelists, Blacklists or WAFs; for those wishing to build custom Data Validation systems that handle HTML/XHTML/XML content; and for other uses.
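An audit pass that sorts findings into the three vector classes listed above, as an added example (not code from the WASC project or its test suite). The names `audit`, `VectorAuditor` and `URL_ATTRS`, the partial URL-attribute list and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed, partial list of attributes whose value is treated as a URL.
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "data:")  # the two protocols the page names

def scheme_of(value):
    """Return the script-capable scheme a URL attribute starts with, or None."""
    # Conservative normalisation: drop every space/control character and fold
    # case before matching, so padded or mixed-case schemes are still flagged.
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return next((s for s in SCRIPT_SCHEMES if cleaned.startswith(s)), None)

class VectorAuditor(HTMLParser):
    """Collects (category, tag, detail) tuples for each vector seen."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes character
        # references in attribute values before this method is called.
        if tag == "script":
            self.findings.append(("element", tag, "<script>"))
        for name, value in attrs:
            if name.startswith("on"):  # conservative: any on* attribute
                self.findings.append(("event", tag, name))
            elif name in URL_ATTRS and value:
                scheme = scheme_of(value)
                if scheme:  # flagged for review, not proof of execution
                    self.findings.append(("protocol", tag, f"{name}={scheme}"))

def audit(markup):
    parser = VectorAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample input; handler bodies are inert placeholders.
SAMPLE = (
    '<p>hello</p>'
    '<body ONLOAD="void 0">'
    '<div onmousemove="void 0">x</div>'
    '<a href=" JavaScript:void 0">link</a>'
    '<a href="https://example.org/">ok</a>'
    '<iframe src="data:text/html,hi"></iframe>'
    '<SCRIPT src="app.js"></SCRIPT>'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A validator built this way is only as complete as its vector list, which is the gap the project's mapping is meant to close.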
Originally this project was scoped to check the W3C tags and event attribute combinations to identify which events can be fired in a given tag. After community discussion we extended the project to test for and map the different ways script can be executed by a browser. This will be identified via a combination of custom automated test suites and manual review when applicable. Our long-term goal is to completely automate the testing, update, and maintenance of this reference.
Project Status: Version 0.2 is underway... (Always seeking contributors, drop me an email if you are interested in this project.)
Project Leader(s): Daniel Herrera <daherrera101@yahoo.com>, Romain Gaucher <rgaucher@cigital.com>
Project contributors:
- Robert Auger (WASC)
- Kurt Grutzmacher
- Roel Bollens
- Joren McReynolds
- Thor Larholm
- Moritz Naumann (Naumann IT Consulting & Services)
- Stefano Di Paola (Mind Security)
- Susam Pal
Releases
For each release, we need verification. If you think one result is not accurate or just wrong, you can review the associated test case and send back your comments.
Version 0.1
W3C Event Handlers: Firefox2, IE7, Safari3 (Nov. 26, 2007)(Download) & Test Cases (Download)

Phases
To make the data more manageable we will be publishing our results in different phases. Please stay tuned for additional details regarding the release phases and an associated time line.
Version 0.2
HTML/XHTML DOM events
Version 0.3
Protocol References
Cascading Style Sheets
- W3C (ref 1,2,3)
- Gecko
- WebKit
Comments (1)
Daniel Herrera said
at 3:18 pm on Nov 2, 2011
UPDATE:
I had a few people contact me regarding the broken images in the v0.1 release.
This occurred when we migrated to this wiki; the original release contained relative paths for the image references.
To correct this in the current release, and all future releases, the icon images are now self-contained with the <img> tags as base64 encoded strings. The modified release has been uploaded and all related references have been pointed to the new modified version.
You should now be able to view/download v0.1 without any issues. Please email me if you experience anything to the contrary.
Regards,
Daniel