• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Script Mapping

This version was saved 15 years ago View current version     Page history
Saved by Romain Gaucher
on July 11, 2009 at 2:46:14 pm


The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors to cause a script to be executed within a web page without the use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an html white list system, as well as other uses.


Originally this project was scoped to check the W3C tags and event attribute combinations to identify which events can be fired in a given tag. After community discussion we extended the project to test for and map the different ways script can be executed by a browser without the use of the script tag. This will be identified via a combination of custom automated test suites and manual review when applicable. 


Project status: Seeking for contributors. Drop me an email if you are interested in this project.


Project leader: Romain Gaucher <r ~AT~ rgaucher ~D0T~ info>


Project contributors: Robert Auger (WASC), Roel Bollens, Thor Larholm, Stefano Di Paola (Mind Security), Kurt Grutzmacher, Joren McReynolds, Moritz Naumann (Naumann IT Consulting & Services) and Susam Pal



For each release, we need verification. If you think one result is not accurate or just wrong, you can review the associated test case and send back your comments. 



To make the data more manageable we will be publishing our results in different phases.


HTML/XHTML event attributes


Script engine calls

  • JavaScript (ex, href="/javscript:alert("foo')")

  • VBScript


Cascading Style Sheets

  • W3C (ref 1,2,3)

  • Gecko 

  • WebKit 



Comments (0)

You don't have permission to comment on this page.