

Script Mapping

Page history: this version was saved by Daniel Herrera on November 1, 2011 at 4:50:12 pm.



The purpose of the WASC Script Mapping Project is to create a comprehensive list of the unique vectors that trigger invocation of the JavaScript runtime, resulting in JavaScript content being evaluated and executed.


This list should include the following:


     - Element references (<script>)

     - HTML/XHTML DOM Events (onmousemove , onload)

     - Protocol declarations (javascript: , data:)


We feel this reference will prove useful for comprehensive testing of currently implemented data validation solutions such as whitelists, blacklists or WAFs; for those wishing to build custom data validation systems that handle HTML/XHTML content; and for other uses.
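As an added example (it is not part of the WASC project or of this page), the Node.js script below shows the kind of validator test the reference is meant to support. It compares a naive blacklist that matches the raw attribute value against a check that first applies the decoding a browser performs before it ever sees the scheme: HTML character references in the attribute value are decoded, then the URL parser drops leading control characters and removes every tab, LF and CR. Those decoding steps are stated here as my assumptions about browser behaviour, not as project findings; all inputs (VECTORS, BENIGN) are constructed for the example and the function names are mine.

```javascript
// Added example, not WASC Script Mapping project code.
// Shows why a blacklist on the raw attribute value misses protocol
// declarations, and the normalization a validator must apply first.

// Minimal named-reference table; numeric references are handled generically.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", Tab: "\t", NewLine: "\n" };

// Decode character references the way an HTML attribute value is decoded
// before the URL is looked at. Numeric references are accepted without a
// trailing semicolon (legacy parsing); named ones require it.
function decodeEntities(s) {
  const cp = (n) => (n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-zA-Z]+);/g, (m, n) => (Object.prototype.hasOwnProperty.call(NAMED, n) ? NAMED[n] : m));
}

// Assumed URL-parser leniency: strip leading C0 controls and spaces, remove
// every tab/LF/CR anywhere, then read the scheme up to the first ':'.
function urlScheme(value) {
  const v = value.replace(/^[\x00-\x20]+/, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(v);
  return m ? m[1].toLowerCase() : null;
}

// Schemes from this page's "Protocol declarations" class.
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);

// The check a validator should make: normalize first, then decide by scheme.
function isScriptUrl(attrValue) {
  const scheme = urlScheme(decodeEntities(attrValue));
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// The naive blacklist the vector list is meant to break.
function naiveBlacklist(attrValue) {
  return /javascript:|data:/i.test(attrValue);
}

// Constructed test inputs (not from the project's test cases).
const VECTORS = [
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "java\nscript:alert(1)",
  "&#106;avascript:alert(1)",
  "&#x6A;avascript:alert(1)",
  "&#106avascript:alert(1)",
  "jav&#x09;ascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];
const BENIGN = ["https://example.org/", "/relative/path", "mailto:a@b.c", "javascript.html"];

// One row per vector: what the blacklist says vs. what the normalized check says.
function compare() {
  return VECTORS.map((v) => ({ vector: v, naive: naiveBlacklist(v), normalized: isScriptUrl(v) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
  console.log("benign flagged:", BENIGN.filter(isScriptUrl));
}
```

The point of the comparison is that a validator has to run the same decoding steps as the browser, in the same order, and then allow-list the scheme; matching byte patterns in the raw value is a losing game against the vector list this project is building.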


Originally this project was scoped to check the W3C tag and event attribute combinations to identify which events can be fired in a given tag. After community discussion we extended the project to test for and map the different ways script can be executed by a browser. These will be identified through a combination of custom automated test suites and manual review where applicable. Our long-term goal is to completely automate the testing, update and maintenance of this reference.
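As an added example (not the project's own test suite), the Node.js script below generates the kind of tag x event-handler test page the automated approach described above needs, and tabulates what a browser run reports back. TAGS and EVENTS are a small illustrative subset I chose, not the project's W3C tables; the reporting mechanism (each fired handler appends its case id to document.title so a driver can read it without a server) and SAMPLE_TITLE are my assumptions and constructed data, not real browser results.

```javascript
// Added example, not WASC Script Mapping project code.
// Generates a tag x event test page and tabulates the ids a browser reports.

const TAGS = ["img", "input", "div", "svg", "iframe"];          // illustrative subset
const EVENTS = ["onload", "onerror", "onmouseover", "onfocus"];  // illustrative subset
const VOID_TAGS = new Set(["img", "input"]);                     // rendered without a closing tag

// Stable id per combination so a fired handler maps back to exactly one case.
function caseId(tag, event) {
  return `${tag}:${event}`;
}

// Attributes that provoke load/error/focus without user interaction;
// mouse events still need the driver to move the pointer over each element.
function provokingAttrs(tag) {
  switch (tag) {
    case "img":    return ' src="x"';           // nonexistent image -> onerror
    case "input":  return " autofocus";         // -> onfocus
    case "iframe": return ' src="about:blank"'; // -> onload
    default:       return "";
  }
}

// Render one test element. The handler only calls report(id), nothing else,
// so the page stays inert apart from recording which combinations fire.
function renderCase(tag, event) {
  const id = caseId(tag, event);
  const open = `<${tag} data-case="${id}"${provokingAttrs(tag)} ${event}="report('${id}')">`;
  return VOID_TAGS.has(tag) ? open : `${open}x</${tag}>`;
}

// Assemble a complete page. Each fired id is recorded once in window.fired
// and mirrored into document.title for the driver to read.
function buildTestPage() {
  const cases = [];
  for (const tag of TAGS) for (const event of EVENTS) cases.push(renderCase(tag, event));
  return [
    '<!DOCTYPE html><html><head><meta charset="utf-8"><title></title>',
    "<script>window.fired=[];function report(id){if(window.fired.indexOf(id)<0){window.fired.push(id);document.title=window.fired.join(',');}}</script>",
    "</head><body>",
    ...cases,
    "</body></html>",
  ].join("\n");
}

// Turn the driver's reading of document.title into a tag x event matrix of booleans.
function tabulate(titleValue) {
  const fired = new Set(titleValue ? titleValue.split(",") : []);
  const matrix = {};
  for (const tag of TAGS) {
    matrix[tag] = {};
    for (const event of EVENTS) matrix[tag][event] = fired.has(caseId(tag, event));
  }
  return matrix;
}

// Constructed sample of what one run might report; not real browser results.
const SAMPLE_TITLE = "img:onerror,input:onfocus,svg:onload,iframe:onload";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildTestPage());
  console.table(tabulate(SAMPLE_TITLE));
}
```

Write the generated page to a file, open it in each browser under test (Firefox, IE and Safari were the targets of the 0.1 release), read document.title after load and after a scripted pointer sweep, and feed it to tabulate(); the matrix is the per-browser map, and a case that differs between runs is exactly the sort of result the verification request below asks contributors to review.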


Project Status: Version 0.2 is underway... (Always seeking contributors, drop me an email if you are interested in this project.)


Project Leader(s): Daniel Herrera <daherrera101@yahoo.com>, Romain Gaucher <rgaucher@cigital.com>


Project contributors:


Robert Auger (WASC)
Kurt Grutzmacher
Roel Bollens
Joren McReynolds
Thor Larholm
Moritz Naumann (Naumann IT Consulting & Services)
Stefano Di Paola (Mind Security)
Susam Pal




For each release we need verification. If you think a result is inaccurate or wrong, review the associated test case and send back your comments.


Version 0.1


     W3C Event Handlers: Firefox 2, IE7, Safari 3 (Nov. 26, 2007); results and test cases are available for download





To make the data more manageable we will be publishing our results in different phases.


Version 0.2


     HTML/XHTML DOM events


     Protocol References

  • JavaScript (ex: href="javascript:alert(1)")

  • Data (ex: src="data:text/html,<script>alert(1)</script>")


     Cascading Style Sheets

  • W3C

  • Gecko 

  • WebKit 


