DEF",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "
test",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "`\"'>
",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "\"`'>",
+ "
![]()
",
+ "
![]()
",
+ "
![]()
",
+ "
![]()
",
+ "
",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![]()
",
+ "![](x\\x09onerror=\"javascript:alert(1)\")
",
+ "![](x\\x10onerror=\"javascript:alert(1)\")
",
+ "![](x\\x11onerror=\"javascript:alert(1)\")
",
+ "![](x\\x12onerror=\"javascript:alert(1)\")
",
+ "![](x\\x13onerror=\"javascript:alert(1)\")
",
+ "",
+ "
",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "XXX",
+ "![](\"x`)
javascript:alert(1)\"` `>",
+ "![]()
",
+ "",
+ "<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">",
+ "<!--[if]><script>javascript:alert(1)</script -->",
+ "<!--[if<img src=x onerror=javascript:alert(1)//]> -->",
+ "<script src=\"/\\%(jscript)s\"></script>",
+ "<script src=\"\\\\%(jscript)s\"></script>",
+ "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">",
+ "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
+ "<IMG SRC=# onmouseover=\"alert('xxs')\">",
+ "<IMG SRC= onmouseover=\"alert('xxs')\">",
+ "<IMG onmouseover=\"alert('xxs')\">",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=\"jav ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav
ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav
ascript:alert('XSS');\">",
+ "perl -e 'print \"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\";' > out",
+ "<IMG SRC=\" � javascript:alert('XSS');\">",
+ "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
+ "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
+ "<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
+ "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
+ "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
+ "<SCRIPT SRC=//ha.ckers.org/.j>",
+ "<IMG SRC=\"javascript:alert('XSS')\"",
+ "<iframe src=http://ha.ckers.org/scriptlet.html <",
+ "\\\";alert('XSS');//",
+ "<u oncopy=alert()> Copy me</u>",
+ "<i onwheel=alert(1)> Scroll over me </i>",
+ "<plaintext>",
+ "http://a/%%30%30",
+ "</textarea><script>alert(123)</script>",
+ "1;DROP TABLE users",
+ "1'; DROP TABLE users-- 1",
+ "' OR 1=1 -- 1",
+ "' OR '1'='1",
+ "'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --",
+ " ",
+ "%",
+ "_",
+ "-",
+ "--",
+ "--version",
+ "--help",
+ "$USER",
+ "/dev/null; touch /tmp/blns.fail ; echo",
+ "`touch /tmp/blns.fail`",
+ "$(touch /tmp/blns.fail)",
+ "@{[system \"touch /tmp/blns.fail\"]}",
+ "eval(\"puts 'hello world'\")",
+ "System(\"ls -al /\")",
+ "`ls -al /`",
+ "Kernel.exec(\"ls -al /\")",
+ "Kernel.exit(1)",
+ "%x('ls -al /')",
+ "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>",
+ "$HOME",
+ "$ENV{'HOME'}",
+ "%d",
+ "%s%s%s%s%s",
+ "{0}",
+ "%*.*s",
+ "%@",
+ "%n",
+ "File:///",
+ "../../../../../../../../../../../etc/passwd%00",
+ "../../../../../../../../../../../etc/hosts",
+ "() { 0; }; touch /tmp/blns.shellshock1.fail;",
+ "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }",
+ "<<< %s(un='%s') = %u",
+ "+++ATH0",
+ "CON",
+ "PRN",
+ "AUX",
+ "CLOCK$",
+ "NUL",
+ "A:",
+ "ZZ:",
+ "COM1",
+ "LPT1",
+ "LPT2",
+ "LPT3",
+ "COM2",
+ "COM3",
+ "COM4",
+ "DCC SEND STARTKEYLOGGER 0 0 0",
+ "Scunthorpe General Hospital",
+ "Penistone Community Church",
+ "Lightwater Country Park",
+ "Jimmy Clitheroe",
+ "Horniman Museum",
+ "shitake mushrooms",
+ "RomansInSussex.co.uk",
+ "http://www.cum.qc.ca/",
+ "Craig Cockburn, Software Specialist",
+ "Linda Callahan",
+ "Dr. Herman I. Libshitz",
+ "magna cum laude",
+ "Super Bowl XXX",
+ "medieval erection of parapets",
+ "evaluate",
+ "mocha",
+ "expression",
+ "Arsenal canal",
+ "classic",
+ "Tyson Gay",
+ "Dick Van Dyke",
+ "basement",
+ "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.",
+ "Roses are \u001b[0;31mred\u001b[0m, violets are \u001b[0;34mblue. Hope you enjoy terminal hue",
+ "But now...\u001b[20Cfor my greatest trick...\u001b[8m",
+ "The quic\b\b\b\b\b\bk brown fo\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007x... [Beeeep]",
+ "Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗",
+ "🏳0🌈️",
+ "జ్ఞా",
+ "گچپژ",
+ "{% print 'x' * 64 * 1024**3 %}",
+ "{{ \"\".__class__.__mro__[2].__subclasses__()[40](\"/etc/passwd\").read() }}"
+]
diff --git a/extension/blns/src/main/resources/blns.txt b/extension/blns/src/main/resources/blns.txt
new file mode 100644
index 000000000..7c27bbd7e
--- /dev/null
+++ b/extension/blns/src/main/resources/blns.txt
@@ -0,0 +1,742 @@
+# Reserved Strings
+#
+# Strings which may be used elsewhere in code
+
+undefined
+undef
+null
+NULL
+(null)
+nil
+NIL
+true
+false
+True
+False
+TRUE
+FALSE
+None
+hasOwnProperty
+then
+constructor
+\
+\\
+
+# Numeric Strings
+#
+# Strings which can be interpreted as numeric
+
+0
+1
+1.00
+$1.00
+1/2
+1E2
+1E02
+1E+02
+-1
+-1.00
+-$1.00
+-1/2
+-1E2
+-1E02
+-1E+02
+1/0
+0/0
+-2147483648/-1
+-9223372036854775808/-1
+-0
+-0.0
++0
++0.0
+0.00
+0..0
+.
+0.0.0
+0,00
+0,,0
+,
+0,0,0
+0.0/0
+1.0/0.0
+0.0/0.0
+1,0/0,0
+0,0/0,0
+--1
+-
+-.
+-,
+999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
+NaN
+Infinity
+-Infinity
+INF
+1#INF
+-1#IND
+1#QNAN
+1#SNAN
+1#IND
+0x0
+0xffffffff
+0xffffffffffffffff
+0xabad1dea
+123456789012345678901234567890123456789
+1,000.00
+1 000.00
+1'000.00
+1,000,000.00
+1 000 000.00
+1'000'000.00
+1.000,00
+1 000,00
+1'000,00
+1.000.000,00
+1 000 000,00
+1'000'000,00
+01000
+08
+09
+2.2250738585072011e-308
+
+# Special Characters
+#
+# ASCII punctuation. All of these characters may need to be escaped in some
+# contexts. Divided into three groups based on (US-layout) keyboard position.
+
+,./;'[]\-=
+<>?:"{}|_+
+!@#$%^&*()`~
+
+# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F,
+# and U+007F (DEL)
+# Often forbidden to appear in various text-based file formats (e.g. XML),
+# or reused for internal delimiters on the theory that they should never
+# appear in input.
+# The next line may appear to be blank or mojibake in some viewers.
+��������������������������
+
+# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F.
+# Commonly misinterpreted as additional graphic characters.
+# The next line may appear to be blank, mojibake, or dingbats in some viewers.
+
+
+# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode
+# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL),
+# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
+# treated as whitespace in some contexts.
+# This file unfortunately cannot express strings containing
+# U+0000, U+000A, or U+000D (NUL, LF, CR).
+# The next line may appear to be blank or mojibake in some viewers.
+# The next line may be flagged for "trailing whitespace" in some viewers.
+ ��
+
+# Unicode additional control characters: all of the characters with
+# general category Cf (in Unicode 8.0.0).
+# The next line may appear to be blank or mojibake in some viewers.
+
+
+# "Byte order marks", U+FEFF and U+FFFE, each on its own line.
+# The next two lines may appear to be blank or mojibake in some viewers.
+
+
+
+# Unicode Symbols
+#
+# Strings which contain common unicode symbols (e.g. smart quotes)
+
+Ω≈ç√∫˜µ≤≥÷
+åß∂ƒ©˙∆˚¬…æ
+œ∑´®†¥¨ˆøπ“‘
+¡™£¢∞§¶•ªº–≠
+¸˛Ç◊ı˜Â¯˘¿
+ÅÍÎÏ˝ÓÔÒÚÆ☃
+Œ„´‰ˇÁ¨ˆØ∏”’
+`⁄€‹›fifl‡°·‚—±
+⅛⅜⅝⅞
+ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
+٠١٢٣٤٥٦٧٨٩
+
+# Unicode Subscript/Superscript/Accents
+#
+# Strings which contain unicode subscripts/superscripts; can cause rendering issues
+
+⁰⁴⁵
+₀₁₂
+⁰⁴⁵₀₁₂
+ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็
+
+# Quotation Marks
+#
+# Strings which contain misplaced quotation marks; can cause encoding errors
+
+'
+"
+''
+""
+'"'
+"''''"'"
+"'"'"''''"
+<foo val=“bar” />
+<foo val=“bar” />
+<foo val=”bar“ />
+<foo val=`bar' />
+
+# Two-Byte Characters
+#
+# Strings which contain two-byte characters: can cause rendering issues or character-length issues
+
+田中さんにあげて下さい
+パーティーへ行かないか
+和製漢語
+部落格
+사회과학원 어학연구소
+찦차를 타고 온 펲시맨과 쑛다리 똠방각하
+社會科學院語學研究所
+울란바토르
+𠜎𠜱𠝹𠱓𠱸𠲖𠳏
+
+# Strings which contain two-byte letters: can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character
+
+𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆
+
+# Special Unicode Characters Union
+#
+# A super string recommended by VMware Inc. Globalization Team: can effectively cause rendering issues or character-length issues to validate product globalization readiness.
+#
+# 表 CJK_UNIFIED_IDEOGRAPHS (U+8868)
+# ポ KATAKANA LETTER PO (U+30DD)
+# あ HIRAGANA LETTER A (U+3042)
+# A LATIN CAPITAL LETTER A (U+0041)
+# 鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7)
+# ΠLATIN SMALL LIGATURE OE (U+0153)
+# é LATIN SMALL LETTER E WITH ACUTE (U+00E9)
+# B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22)
+# 逍 CJK_UNIFIED_IDEOGRAPHS (U+900D)
+# Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC)
+# ß LATIN SMALL LETTER SHARP S (U+00DF)
+# ª FEMININE ORDINAL INDICATOR (U+00AA)
+# ą LATIN SMALL LETTER A WITH OGONEK (U+0105)
+# ñ LATIN SMALL LETTER N WITH TILDE (U+00F1)
+# 丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02)
+# 㐀 CJK Ideograph Extension A, First (U+3400)
+# 𠀀 CJK Ideograph Extension B, First (U+20000)
+
+表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀
+
+# Changing length when lowercased
+#
+# Characters which increase in length (2 to 3 bytes) when lowercased
+# Credit: https://twitter.com/jifa/status/625776454479970304
+
+Ⱥ
+Ⱦ
+
+# Japanese Emoticons
+#
+# Strings which consists of Japanese-style emoticons which are popular on the web
+
+ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
+(。◕ ∀ ◕。)
+`ィ(´∀`∩
+__ロ(,_,*)
+・( ̄∀ ̄)・:*:
+゚・✿ヾ╲(。◕‿◕。)╱✿・゚
+,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
+(╯°□°)╯︵ ┻━┻)
+(ノಥ益ಥ)ノ ┻━┻
+┬─┬ノ( º _ ºノ)
+( ͡° ͜ʖ ͡°)
+¯\_(ツ)_/¯
+
+# Emoji
+#
+# Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
+
+😍
+👩🏽
+👨🦰 👨🏿🦰 👨🦱 👨🏿🦱 🦹🏿♂️
+👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
+🐵 🙈 🙉 🙊
+❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
+✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
+👨👩👦 👨👩👧👦 👨👨👦 👩👩👧 👨👦 👨👧👦 👩👦 👩👧👦
+🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
+0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
+
+# Regional Indicator Symbols
+#
+# Regional Indicator Symbols can be displayed differently across
+# fonts, and have a number of special behaviors
+
+🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
+🇺🇸🇷🇺🇸🇦🇫🇦🇲
+🇺🇸🇷🇺🇸🇦
+
+# Unicode Numbers
+#
+# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
+
+123
+١٢٣
+
+# Right-To-Left Strings
+#
+# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
+
+ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
+בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
+הָיְתָהtestالصفحات التّحول
+﷽
+ﷺ
+مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
+الكل في المجمو عة (5)
+
+# Ogham Text
+#
+# The only unicode alphabet to use a space which isn't empty but should still act like a space.
+
+᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜
+᚛ ᚜
+
+# Trick Unicode
+#
+# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf)
+
+test
+test
+
test
+testtest
+test
+
+# Zalgo Text
+#
+# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)
+
+Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
+̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
+̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
+̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
+Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
+
+# Unicode Upsidedown
+#
+# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)
+
+˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
+00˙Ɩ$-
+
+# Unicode font
+#
+# Strings which contain bold/italic/etc. versions of normal characters
+
+The quick brown fox jumps over the lazy dog
+𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
+𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
+𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
+𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
+𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
+𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
+⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
+
+# Script Injection
+#
+# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
+
+<script>alert(0)</script>
+<script>alert('1');</script>
+<img src=x onerror=alert(2) />
+<svg><script>123<1>alert(3)</script>
+"><script>alert(4)</script>
+'><script>alert(5)</script>
+><script>alert(6)</script>
+</script><script>alert(7)</script>
+< / script >< script >alert(8)< / script >
+ onfocus=JaVaSCript:alert(9) autofocus
+" onfocus=JaVaSCript:alert(10) autofocus
+' onfocus=JaVaSCript:alert(11) autofocus
+<script>alert(12)</script>
+<sc<script>ript>alert(13)</sc</script>ript>
+--><script>alert(14)</script>
+";alert(15);t="
+';alert(16);t='
+JavaSCript:alert(17)
+;alert(18);
+src=JaVaSCript:prompt(19)
+"><script>alert(20);</script x="
+'><script>alert(21);</script x='
+><script>alert(22);</script x=
+" autofocus onkeyup="javascript:alert(23)
+' autofocus onkeyup='javascript:alert(24)
+<script\x20type="text/javascript">javascript:alert(25);</script>
+<script\x3Etype="text/javascript">javascript:alert(26);</script>
+<script\x0Dtype="text/javascript">javascript:alert(27);</script>
+<script\x09type="text/javascript">javascript:alert(28);</script>
+<script\x0Ctype="text/javascript">javascript:alert(29);</script>
+<script\x2Ftype="text/javascript">javascript:alert(30);</script>
+<script\x0Atype="text/javascript">javascript:alert(31);</script>
+'`"><\x3Cscript>javascript:alert(32)</script>
+'`"><\x00script>javascript:alert(33)</script>
+ABC<div style="x\x3Aexpression(javascript:alert(34)">DEF
+ABC<div style="x:expression\x5C(javascript:alert(35)">DEF
+ABC<div style="x:expression\x00(javascript:alert(36)">DEF
+ABC<div style="x:exp\x00ression(javascript:alert(37)">DEF
+ABC<div style="x:exp\x5Cression(javascript:alert(38)">DEF
+ABC<div style="x:\x0Aexpression(javascript:alert(39)">DEF
+ABC<div style="x:\x09expression(javascript:alert(40)">DEF
+ABC<div style="x:\xE3\x80\x80expression(javascript:alert(41)">DEF
+ABC<div style="x:\xE2\x80\x84expression(javascript:alert(42)">DEF
+ABC<div style="x:\xC2\xA0expression(javascript:alert(43)">DEF
+ABC<div style="x:\xE2\x80\x80expression(javascript:alert(44)">DEF
+ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(45)">DEF
+ABC<div style="x:\x0Dexpression(javascript:alert(46)">DEF
+ABC<div style="x:\x0Cexpression(javascript:alert(47)">DEF
+ABC<div style="x:\xE2\x80\x87expression(javascript:alert(48)">DEF
+ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(49)">DEF
+ABC<div style="x:\x20expression(javascript:alert(50)">DEF
+ABC<div style="x:\xE2\x80\x88expression(javascript:alert(51)">DEF
+ABC<div style="x:\x00expression(javascript:alert(52)">DEF
+ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(53)">DEF
+ABC<div style="x:\xE2\x80\x86expression(javascript:alert(54)">DEF
+ABC<div style="x:\xE2\x80\x85expression(javascript:alert(55)">DEF
+ABC<div style="x:\xE2\x80\x82expression(javascript:alert(56)">DEF
+ABC<div style="x:\x0Bexpression(javascript:alert(57)">DEF
+ABC<div style="x:\xE2\x80\x81expression(javascript:alert(58)">DEF
+ABC<div style="x:\xE2\x80\x83expression(javascript:alert(59)">DEF
+ABC<div style="x:\xE2\x80\x89expression(javascript:alert(60)">DEF
+<a href="\x0Bjavascript:javascript:alert(61)" id="fuzzelement1">test</a>
+<a href="\x0Fjavascript:javascript:alert(62)" id="fuzzelement1">test</a>
+<a href="\xC2\xA0javascript:javascript:alert(63)" id="fuzzelement1">test</a>
+<a href="\x05javascript:javascript:alert(64)" id="fuzzelement1">test</a>
+<a href="\xE1\xA0\x8Ejavascript:javascript:alert(65)" id="fuzzelement1">test</a>
+<a href="\x18javascript:javascript:alert(66)" id="fuzzelement1">test</a>
+<a href="\x11javascript:javascript:alert(67)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x88javascript:javascript:alert(68)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x89javascript:javascript:alert(69)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x80javascript:javascript:alert(70)" id="fuzzelement1">test</a>
+<a href="\x17javascript:javascript:alert(71)" id="fuzzelement1">test</a>
+<a href="\x03javascript:javascript:alert(72)" id="fuzzelement1">test</a>
+<a href="\x0Ejavascript:javascript:alert(73)" id="fuzzelement1">test</a>
+<a href="\x1Ajavascript:javascript:alert(74)" id="fuzzelement1">test</a>
+<a href="\x00javascript:javascript:alert(75)" id="fuzzelement1">test</a>
+<a href="\x10javascript:javascript:alert(76)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x82javascript:javascript:alert(77)" id="fuzzelement1">test</a>
+<a href="\x20javascript:javascript:alert(78)" id="fuzzelement1">test</a>
+<a href="\x13javascript:javascript:alert(79)" id="fuzzelement1">test</a>
+<a href="\x09javascript:javascript:alert(80)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x8Ajavascript:javascript:alert(81)" id="fuzzelement1">test</a>
+<a href="\x14javascript:javascript:alert(82)" id="fuzzelement1">test</a>
+<a href="\x19javascript:javascript:alert(83)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\xAFjavascript:javascript:alert(84)" id="fuzzelement1">test</a>
+<a href="\x1Fjavascript:javascript:alert(85)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x81javascript:javascript:alert(86)" id="fuzzelement1">test</a>
+<a href="\x1Djavascript:javascript:alert(87)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x87javascript:javascript:alert(88)" id="fuzzelement1">test</a>
+<a href="\x07javascript:javascript:alert(89)" id="fuzzelement1">test</a>
+<a href="\xE1\x9A\x80javascript:javascript:alert(90)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x83javascript:javascript:alert(91)" id="fuzzelement1">test</a>
+<a href="\x04javascript:javascript:alert(92)" id="fuzzelement1">test</a>
+<a href="\x01javascript:javascript:alert(93)" id="fuzzelement1">test</a>
+<a href="\x08javascript:javascript:alert(94)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x84javascript:javascript:alert(95)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x86javascript:javascript:alert(96)" id="fuzzelement1">test</a>
+<a href="\xE3\x80\x80javascript:javascript:alert(97)" id="fuzzelement1">test</a>
+<a href="\x12javascript:javascript:alert(98)" id="fuzzelement1">test</a>
+<a href="\x0Djavascript:javascript:alert(99)" id="fuzzelement1">test</a>
+<a href="\x0Ajavascript:javascript:alert(100)" id="fuzzelement1">test</a>
+<a href="\x0Cjavascript:javascript:alert(101)" id="fuzzelement1">test</a>
+<a href="\x15javascript:javascript:alert(102)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\xA8javascript:javascript:alert(103)" id="fuzzelement1">test</a>
+<a href="\x16javascript:javascript:alert(104)" id="fuzzelement1">test</a>
+<a href="\x02javascript:javascript:alert(105)" id="fuzzelement1">test</a>
+<a href="\x1Bjavascript:javascript:alert(106)" id="fuzzelement1">test</a>
+<a href="\x06javascript:javascript:alert(107)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\xA9javascript:javascript:alert(108)" id="fuzzelement1">test</a>
+<a href="\xE2\x80\x85javascript:javascript:alert(109)" id="fuzzelement1">test</a>
+<a href="\x1Ejavascript:javascript:alert(110)" id="fuzzelement1">test</a>
+<a href="\xE2\x81\x9Fjavascript:javascript:alert(111)" id="fuzzelement1">test</a>
+<a href="\x1Cjavascript:javascript:alert(112)" id="fuzzelement1">test</a>
+<a href="javascript\x00:javascript:alert(113)" id="fuzzelement1">test</a>
+<a href="javascript\x3A:javascript:alert(114)" id="fuzzelement1">test</a>
+<a href="javascript\x09:javascript:alert(115)" id="fuzzelement1">test</a>
+<a href="javascript\x0D:javascript:alert(116)" id="fuzzelement1">test</a>
+<a href="javascript\x0A:javascript:alert(117)" id="fuzzelement1">test</a>
+`"'><img src=xxx:x \x0Aonerror=javascript:alert(118)>
+`"'><img src=xxx:x \x22onerror=javascript:alert(119)>
+`"'><img src=xxx:x \x0Bonerror=javascript:alert(120)>
+`"'><img src=xxx:x \x0Donerror=javascript:alert(121)>
+`"'><img src=xxx:x \x2Fonerror=javascript:alert(122)>
+`"'><img src=xxx:x \x09onerror=javascript:alert(123)>
+`"'><img src=xxx:x \x0Conerror=javascript:alert(124)>
+`"'><img src=xxx:x \x00onerror=javascript:alert(125)>
+`"'><img src=xxx:x \x27onerror=javascript:alert(126)>
+`"'><img src=xxx:x \x20onerror=javascript:alert(127)>
+"`'><script>\x3Bjavascript:alert(128)</script>
+"`'><script>\x0Djavascript:alert(129)</script>
+"`'><script>\xEF\xBB\xBFjavascript:alert(130)</script>
+"`'><script>\xE2\x80\x81javascript:alert(131)</script>
+"`'><script>\xE2\x80\x84javascript:alert(132)</script>
+"`'><script>\xE3\x80\x80javascript:alert(133)</script>
+"`'><script>\x09javascript:alert(134)</script>
+"`'><script>\xE2\x80\x89javascript:alert(135)</script>
+"`'><script>\xE2\x80\x85javascript:alert(136)</script>
+"`'><script>\xE2\x80\x88javascript:alert(137)</script>
+"`'><script>\x00javascript:alert(138)</script>
+"`'><script>\xE2\x80\xA8javascript:alert(139)</script>
+"`'><script>\xE2\x80\x8Ajavascript:alert(140)</script>
+"`'><script>\xE1\x9A\x80javascript:alert(141)</script>
+"`'><script>\x0Cjavascript:alert(142)</script>
+"`'><script>\x2Bjavascript:alert(143)</script>
+"`'><script>\xF0\x90\x96\x9Ajavascript:alert(144)</script>
+"`'><script>-javascript:alert(145)</script>
+"`'><script>\x0Ajavascript:alert(146)</script>
+"`'><script>\xE2\x80\xAFjavascript:alert(147)</script>
+"`'><script>\x7Ejavascript:alert(148)</script>
+"`'><script>\xE2\x80\x87javascript:alert(149)</script>
+"`'><script>\xE2\x81\x9Fjavascript:alert(150)</script>
+"`'><script>\xE2\x80\xA9javascript:alert(151)</script>
+"`'><script>\xC2\x85javascript:alert(152)</script>
+"`'><script>\xEF\xBF\xAEjavascript:alert(153)</script>
+"`'><script>\xE2\x80\x83javascript:alert(154)</script>
+"`'><script>\xE2\x80\x8Bjavascript:alert(155)</script>
+"`'><script>\xEF\xBF\xBEjavascript:alert(156)</script>
+"`'><script>\xE2\x80\x80javascript:alert(157)</script>
+"`'><script>\x21javascript:alert(158)</script>
+"`'><script>\xE2\x80\x82javascript:alert(159)</script>
+"`'><script>\xE2\x80\x86javascript:alert(160)</script>
+"`'><script>\xE1\xA0\x8Ejavascript:alert(161)</script>
+"`'><script>\x0Bjavascript:alert(162)</script>
+"`'><script>\x20javascript:alert(163)</script>
+"`'><script>\xC2\xA0javascript:alert(164)</script>
+<img \x00src=x onerror="alert(165)">
+<img \x47src=x onerror="javascript:alert(166)">
+<img \x11src=x onerror="javascript:alert(167)">
+<img \x12src=x onerror="javascript:alert(168)">
+<img\x47src=x onerror="javascript:alert(169)">
+<img\x10src=x onerror="javascript:alert(170)">
+<img\x13src=x onerror="javascript:alert(171)">
+<img\x32src=x onerror="javascript:alert(172)">
+<img\x47src=x onerror="javascript:alert(173)">
+<img\x11src=x onerror="javascript:alert(174)">
+<img \x47src=x onerror="javascript:alert(175)">
+<img \x34src=x onerror="javascript:alert(176)">
+<img \x39src=x onerror="javascript:alert(177)">
+<img \x00src=x onerror="javascript:alert(178)">
+<img src\x09=x onerror="javascript:alert(179)">
+<img src\x10=x onerror="javascript:alert(180)">
+<img src\x13=x onerror="javascript:alert(181)">
+<img src\x32=x onerror="javascript:alert(182)">
+<img src\x12=x onerror="javascript:alert(183)">
+<img src\x11=x onerror="javascript:alert(184)">
+<img src\x00=x onerror="javascript:alert(185)">
+<img src\x47=x onerror="javascript:alert(186)">
+<img src=x\x09onerror="javascript:alert(187)">
+<img src=x\x10onerror="javascript:alert(188)">
+<img src=x\x11onerror="javascript:alert(189)">
+<img src=x\x12onerror="javascript:alert(190)">
+<img src=x\x13onerror="javascript:alert(191)">
+<img[a][b][c]src[d]=x[e]onerror=[f]"alert(192)">
+<img src=x onerror=\x09"javascript:alert(193)">
+<img src=x onerror=\x10"javascript:alert(194)">
+<img src=x onerror=\x11"javascript:alert(195)">
+<img src=x onerror=\x12"javascript:alert(196)">
+<img src=x onerror=\x32"javascript:alert(197)">
+<img src=x onerror=\x00"javascript:alert(198)">
+<a href=java����������script:javascript:alert(199)>XXX</a>
+<img src="x` `<script>javascript:alert(200)</script>"` `>
+<img src onerror /" '"= alt=javascript:alert(201)//">
+<title onpropertychange=javascript:alert(202)>
+<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(203)></a>">
+<!--[if]><script>javascript:alert(204)</script -->
+<!--[if<img src=x onerror=javascript:alert(205)//]> -->
+<script src="/\%(jscript)s"></script>
+<script src="\\%(jscript)s"></script>
+<IMG """><SCRIPT>alert("206")</SCRIPT>">
+<IMG SRC=javascript:alert(String.fromCharCode(50,48,55))>
+<IMG SRC=# onmouseover="alert('208')">
+<IMG SRC= onmouseover="alert('209')">
+<IMG onmouseover="alert('210')">
+<IMG SRC=javascript:alert('211')>
+<IMG SRC=javascript:alert('212')>
+<IMG SRC=javascript:alert('213')>
+<IMG SRC="jav ascript:alert('214');">
+<IMG SRC="jav ascript:alert('215');">
+<IMG SRC="jav
ascript:alert('216');">
+<IMG SRC="jav
ascript:alert('217');">
+perl -e 'print "<IMG SRC=java\0script:alert(\"218\")>";' > out
+<IMG SRC=" � javascript:alert('219');">
+<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("220")>
+<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<<SCRIPT>alert("221");//<</SCRIPT>
+<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
+<SCRIPT SRC=//ha.ckers.org/.j>
+<IMG SRC="javascript:alert('222')"
+<iframe src=http://ha.ckers.org/scriptlet.html <
+\";alert('223');//
+<u oncopy=alert()> Copy me</u>
+<i onwheel=alert(224)> Scroll over me </i>
+<plaintext>
+http://a/%%30%30
+</textarea><script>alert(225)</script>
+
+# SQL Injection
+#
+# Strings which can cause a SQL injection if inputs are not sanitized
+
+1;DROP TABLE users
+1'; DROP TABLE users-- 1
+' OR 1=1 -- 1
+' OR '1'='1
+'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --
+
+%
+_
+
+# Server Code Injection
+#
+# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
+
+-
+--
+--version
+--help
+$USER
+/dev/null; touch /tmp/blns.fail ; echo
+`touch /tmp/blns.fail`
+$(touch /tmp/blns.fail)
+@{[system "touch /tmp/blns.fail"]}
+
+# Command Injection (Ruby)
+#
+# Strings which can call system commands within Ruby/Rails applications
+
+eval("puts 'hello world'")
+System("ls -al /")
+`ls -al /`
+Kernel.exec("ls -al /")
+Kernel.exit(1)
+%x('ls -al /')
+
+# XXE Injection (XML)
+#
+# String which can reveal system files when parsed by a badly configured XML parser
+
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
+
+# Unwanted Interpolation
+#
+# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
+
+$HOME
+$ENV{'HOME'}
+%d
+%s%s%s%s%s
+{0}
+%*.*s
+%@
+%n
+File:///
+
+# File Inclusion
+#
+# Strings which can cause user to pull in files that should not be a part of a web server
+
+../../../../../../../../../../../etc/passwd%00
+../../../../../../../../../../../etc/hosts
+
+# Known CVEs and Vulnerabilities
+#
+# Strings that test for known vulnerabilities
+
+() { 0; }; touch /tmp/blns.shellshock1.fail;
+() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
+<<< %s(un='%s') = %u
++++ATH0
+
+# MSDOS/Windows Special Filenames
+#
+# Strings which are reserved characters in MSDOS/Windows
+
+CON
+PRN
+AUX
+CLOCK$
+NUL
+A:
+ZZ:
+COM1
+LPT1
+LPT2
+LPT3
+COM2
+COM3
+COM4
+
+# IRC specific strings
+#
+# Strings that may occur on IRC clients that make security products freak out
+
+DCC SEND STARTKEYLOGGER 0 0 0
+
+# Scunthorpe Problem
+#
+# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
+
+Scunthorpe General Hospital
+Penistone Community Church
+Lightwater Country Park
+Jimmy Clitheroe
+Horniman Museum
+shitake mushrooms
+RomansInSussex.co.uk
+http://www.cum.qc.ca/
+Craig Cockburn, Software Specialist
+Linda Callahan
+Dr. Herman I. Libshitz
+magna cum laude
+Super Bowl XXX
+medieval erection of parapets
+evaluate
+mocha
+expression
+Arsenal canal
+classic
+Tyson Gay
+Dick Van Dyke
+basement
+
+# Human injection
+#
+# Strings which may cause human to reinterpret worldview
+
+If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
+
+# Terminal escape codes
+#
+# Strings which punish the fools who use cat/type on this file
+
+Roses are �[0;31mred�[0m, violets are �[0;34mblue. Hope you enjoy terminal hue
+But now...�[20Cfor my greatest trick...�[8m
+The quic������k brown fo�����������x... [Beeeep]
+
+# iOS Vulnerabilities
+#
+# Strings which crashed iMessage in various versions of iOS
+
+Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
+🏳0🌈️
+జ్ఞా
+
+# Persian special characters
+#
+# This is a four characters string which includes Persian special characters (گچپژ)
+
+گچپژ
+
+# jinja2 injection
+#
+# first one is supposed to raise "MemoryError" exception
+# second, obviously, prints contents of /etc/passwd
+
+{% print 'x' * 64 * 1024**3 %}
+{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
diff --git a/extension/blns/src/main/resources/blns_LICENSE.txt b/extension/blns/src/main/resources/blns_LICENSE.txt
new file mode 100644
index 000000000..0eda15e1e
--- /dev/null
+++ b/extension/blns/src/main/resources/blns_LICENSE.txt
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2020 Max Woolf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/extension/blns/src/main/resources/blns_categories.json b/extension/blns/src/main/resources/blns_categories.json
new file mode 100644
index 000000000..bedbc1095
--- /dev/null
+++ b/extension/blns/src/main/resources/blns_categories.json
@@ -0,0 +1,599 @@
+{
+ "reserved": [
+ "",
+ "undefined",
+ "undef",
+ "null",
+ "NULL",
+ "(null)",
+ "nil",
+ "NIL",
+ "true",
+ "false",
+ "True",
+ "False",
+ "TRUE",
+ "FALSE",
+ "None",
+ "hasOwnProperty",
+ "then",
+ "\\",
+ "\\\\"
+ ],
+ "numeric": [
+ "0",
+ "1",
+ "1.00",
+ "$1.00",
+ "1/2",
+ "1E2",
+ "1E02",
+ "1E+02",
+ "-1",
+ "-1.00",
+ "-$1.00",
+ "-1/2",
+ "-1E2",
+ "-1E02",
+ "-1E+02",
+ "1/0",
+ "0/0",
+ "-2147483648/-1",
+ "-9223372036854775808/-1",
+ "-0",
+ "-0.0",
+ "+0",
+ "+0.0",
+ "0.00",
+ "0..0",
+ ".",
+ "0.0.0",
+ "0,00",
+ "0,,0",
+ ",",
+ "0,0,0",
+ "0.0/0",
+ "1.0/0.0",
+ "0.0/0.0",
+ "1,0/0,0",
+ "0,0/0,0",
+ "--1",
+ "-",
+ "-.",
+ "-,",
+ "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999",
+ "NaN",
+ "Infinity",
+ "-Infinity",
+ "INF",
+ "1#INF",
+ "-1#IND",
+ "1#QNAN",
+ "1#SNAN",
+ "1#IND",
+ "0x0",
+ "0xffffffff",
+ "0xffffffffffffffff",
+ "0xabad1dea",
+ "123456789012345678901234567890123456789",
+ "1,000.00",
+ "1 000.00",
+ "1'000.00",
+ "1,000,000.00",
+ "1 000 000.00",
+ "1'000'000.00",
+ "1.000,00",
+ "1 000,00",
+ "1'000,00",
+ "1.000.000,00",
+ "1 000 000,00",
+ "1'000'000,00",
+ "01000",
+ "08",
+ "09",
+ "2.2250738585072011e-308"
+ ],
+ "special": [
+ ",./;'[]\\-=",
+ "<>?:\"{}|_+",
+ "!@#$%^&*()`~"
+ ],
+ "c0_controls": [
+ "\u0001\u0002\u0003\u0004\u0005\u0006\u0007\b\u000e\u000f\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f"
+ ],
+ "c1_controls": [
+ ""
+ ],
+ "whitespace": [
+ "\t\u000b\f
"
+ ],
+ "unicode_additional_control": [
+ ""
+ ],
+ "byte_order_marks": [
+ "",
+ ""
+ ],
+ "unicode_symbols": [
+ "Ω≈ç√∫˜µ≤≥÷",
+ "åß∂ƒ©˙∆˚¬…æ",
+ "œ∑´®†¥¨ˆøπ“‘",
+ "¡™£¢∞§¶•ªº–≠",
+ "¸˛Ç◊ı˜Â¯˘¿",
+ "ÅÍÎÏ˝ÓÔÒÚÆ☃",
+ "Œ„´‰ˇÁ¨ˆØ∏”’",
+ "`⁄€‹›fifl‡°·‚—±",
+ "⅛⅜⅝⅞",
+ "ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя",
+ "٠١٢٣٤٥٦٧٨٩"
+ ],
+ "unicode_accents": [
+ "⁰⁴⁵",
+ "₀₁₂",
+ "⁰⁴⁵₀₁₂",
+ "ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็"
+ ],
+ "quotation_marks": [
+ "'",
+ "\"",
+ "''",
+ "\"\"",
+ "'\"'",
+ "\"''''\"'\"",
+ "\"'\"'\"''''\"",
+ "<foo val=“bar” />",
+ "<foo val=“bar” />",
+ "<foo val=”bar“ />",
+ "<foo val=`bar' />"
+ ],
+ "two_byte_chars": [
+ "田中さんにあげて下さい",
+ "パーティーへ行かないか",
+ "和製漢語",
+ "部落格",
+ "사회과학원 어학연구소",
+ "찦차를 타고 온 펲시맨과 쑛다리 똠방각하",
+ "社會科學院語學研究所",
+ "울란바토르",
+ "𠜎𠜱𠝹𠱓𠱸𠲖𠳏"
+ ],
+ "two_byte_letters": [
+ "𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆"
+ ],
+ "unicode_special_char_union": [
+ "表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀"
+ ],
+ "variable_case_length": [
+ "Ⱥ",
+ "Ⱦ"
+ ],
+ "kaomoji": [
+ "ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ",
+ "(。◕ ∀ ◕。)",
+ "`ィ(´∀`∩",
+ "__ロ(,_,*)",
+ "・( ̄∀ ̄)・:*:",
+ "゚・✿ヾ╲(。◕‿◕。)╱✿・゚",
+ ",。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’",
+ "(╯°□°)╯︵ ┻━┻)",
+ "(ノಥ益ಥ)ノ ┻━┻",
+ "┬─┬ノ( º _ ºノ)",
+ "( ͡° ͜ʖ ͡°)",
+ "¯\\_(ツ)_/¯"
+ ],
+ "emoji": [
+ "😍",
+ "👩🏽",
+ "👨🦰 👨🏿🦰 👨🦱 👨🏿🦱 🦹🏿♂️",
+ "👾 🙇 💁 🙅 🙆 🙋 🙎 🙍",
+ "🐵 🙈 🙉 🙊",
+ "❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙",
+ "✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿",
+ "👨👩👦 👨👩👧👦 👨👨👦 👩👩👧 👨👦 👨👧👦 👩👦 👩👧👦",
+ "🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧",
+ "0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟",
+ "🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸"
+ ],
+ "regional_symbols": [
+ "🇺🇸🇷🇺🇸🇦🇫🇦🇲",
+ "🇺🇸🇷🇺🇸🇦"
+ ],
+ "unicode_numbers": [
+ "123",
+ "١٢٣"
+ ],
+ "right_to_left_strings": [
+ "ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.",
+ "בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ",
+ "הָיְתָהtestالصفحات التّحول",
+ "﷽",
+ "ﷺ",
+ "مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، "
+ ],
+ "ogham_text": [
+ "᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜",
+ "᚛ ᚜"
+ ],
+ "unicode_tricks": [
+ "test",
+ "test",
+ "
test
",
+ "testtest",
+ "test"
+ ],
+ "zalgo_text": [
+ "Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣",
+ "̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰",
+ "̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟",
+ "̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕",
+ "Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮"
+ ],
+ "unicode_upside_down": [
+ "˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥",
+ "00˙Ɩ$-"
+ ],
+ "unicode_font": [
+ "The quick brown fox jumps over the lazy dog",
+ "𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠",
+ "𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌",
+ "𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈",
+ "𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰",
+ "𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘",
+ "𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐",
+ "⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢"
+ ],
+ "script_injection": [
+ "<script>alert(123)</script>",
+ "<script>alert('123');</script>",
+ "<img src=x onerror=alert(123) />",
+ "<svg><script>123<1>alert(123)</script>",
+ "\"><script>alert(123)</script>",
+ "'><script>alert(123)</script>",
+ "><script>alert(123)</script>",
+ "</script><script>alert(123)</script>",
+ "< / script >< script >alert(123)< / script >",
+ " onfocus=JaVaSCript:alert(123) autofocus",
+ "\" onfocus=JaVaSCript:alert(123) autofocus",
+ "' onfocus=JaVaSCript:alert(123) autofocus",
+ "<script>alert(123)</script>",
+ "<sc<script>ript>alert(123)</sc</script>ript>",
+ "--><script>alert(123)</script>",
+ "\";alert(123);t=\"",
+ "';alert(123);t='",
+ "JavaSCript:alert(123)",
+ ";alert(123);",
+ "src=JaVaSCript:prompt(132)",
+ "\"><script>alert(123);</script x=\"",
+ "'><script>alert(123);</script x='",
+ "><script>alert(123);</script x=",
+ "\" autofocus onkeyup=\"javascript:alert(123)",
+ "' autofocus onkeyup='javascript:alert(123)",
+ "<script\\x20type=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x09type=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>",
+ "<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>",
+ "'`\"><\\x3Cscript>javascript:alert(1)</script>",
+ "'`\"><\\x00script>javascript:alert(1)</script>",
+ "ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF",
+ "ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF",
+ "<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
+ "`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x09onerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>",
+ "`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>",
+ "\"`'><script>\\x3Bjavascript:alert(1)</script>",
+ "\"`'><script>\\x0Djavascript:alert(1)</script>",
+ "\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>",
+ "\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x09javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>",
+ "\"`'><script>\\x00javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>",
+ "\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x0Cjavascript:alert(1)</script>",
+ "\"`'><script>\\x2Bjavascript:alert(1)</script>",
+ "\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>",
+ "\"`'><script>-javascript:alert(1)</script>",
+ "\"`'><script>\\x0Ajavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>",
+ "\"`'><script>\\x7Ejavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>",
+ "\"`'><script>\\xC2\\x85javascript:alert(1)</script>",
+ "\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>",
+ "\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>",
+ "\"`'><script>\\x21javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>",
+ "\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>",
+ "\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>",
+ "\"`'><script>\\x0Bjavascript:alert(1)</script>",
+ "\"`'><script>\\x20javascript:alert(1)</script>",
+ "\"`'><script>\\xC2\\xA0javascript:alert(1)</script>",
+ "<img \\x00src=x onerror=\"alert(1)\">",
+ "<img \\x47src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x11src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x12src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x47src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x10src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x13src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x32src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x47src=x onerror=\"javascript:alert(1)\">",
+ "<img\\x11src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x47src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x34src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x39src=x onerror=\"javascript:alert(1)\">",
+ "<img \\x00src=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x09=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x10=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x13=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x32=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x12=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x11=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x00=x onerror=\"javascript:alert(1)\">",
+ "<img src\\x47=x onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x09onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x10onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x11onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x12onerror=\"javascript:alert(1)\">",
+ "<img src=x\\x13onerror=\"javascript:alert(1)\">",
+ "<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">",
+ "<img src=x onerror=\\x09\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x10\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x11\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x12\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x32\"javascript:alert(1)\">",
+ "<img src=x onerror=\\x00\"javascript:alert(1)\">",
+ "<a href=java����������script:javascript:alert(1)>XXX</a>",
+ "<img src=\"x` `<script>javascript:alert(1)</script>\"` `>",
+ "<img src onerror /\" '\"= alt=javascript:alert(1)//\">",
+ "<title onpropertychange=javascript:alert(1)>",
+ "<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">",
+ "<!--[if]><script>javascript:alert(1)</script -->",
+ "<!--[if<img src=x onerror=javascript:alert(1)//]> -->",
+ "<script src=\"/\\%(jscript)s\"></script>",
+ "<script src=\"\\\\%(jscript)s\"></script>",
+ "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">",
+ "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
+ "<IMG SRC=# onmouseover=\"alert('xxs')\">",
+ "<IMG SRC= onmouseover=\"alert('xxs')\">",
+ "<IMG onmouseover=\"alert('xxs')\">",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=javascript:alert('XSS')>",
+ "<IMG SRC=\"jav ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav
ascript:alert('XSS');\">",
+ "<IMG SRC=\"jav
ascript:alert('XSS');\">",
+ "perl -e 'print \"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\";' > out",
+ "<IMG SRC=\" � javascript:alert('XSS');\">",
+ "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
+ "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
+ "<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
+ "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
+ "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
+ "<SCRIPT SRC=//ha.ckers.org/.j>",
+ "<IMG SRC=\"javascript:alert('XSS')\"",
+ "<iframe src=http://ha.ckers.org/scriptlet.html <",
+ "\\\";alert('XSS');//",
+ "<u oncopy=alert()> Copy me</u>",
+ "<i onwheel=alert(1)> Scroll over me </i>",
+ "<plaintext>",
+ "http://a/%%30%30",
+ "</textarea><script>alert(123)</script>"
+ ],
+ "sql_injection": [
+ "1;DROP TABLE users",
+ "1'; DROP TABLE users-- 1",
+ "' OR 1=1 -- 1",
+ "' OR '1'='1",
+ "'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --",
+ " ",
+ "%",
+ "_"
+ ],
+ "server_code_injection": [
+ "-",
+ "--",
+ "--version",
+ "--help",
+ "$USER",
+ "/dev/null; touch /tmp/blns.fail ; echo",
+ "`touch /tmp/blns.fail`",
+ "$(touch /tmp/blns.fail)",
+ "@{[system \"touch /tmp/blns.fail\"]}"
+ ],
+ "ruby_command_injection": [
+ "eval(\"puts 'hello world'\")",
+ "System(\"ls -al /\")",
+ "`ls -al /`",
+ "Kernel.exec(\"ls -al /\")",
+ "Kernel.exit(1)",
+ "%x('ls -al /')"
+ ],
+ "xxe_injection": [
+ "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>"
+ ],
+ "unwanted_interpolation": [
+ "$HOME",
+ "$ENV{'HOME'}",
+ "%d",
+ "%s%s%s%s%s",
+ "{0}",
+ "%*.*s",
+ "%@",
+ "%n",
+ "File:///"
+ ],
+ "file_inclusion": [
+ "../../../../../../../../../../../etc/passwd%00",
+ "../../../../../../../../../../../etc/hosts"
+ ],
+ "known_cve": [
+ "() { 0; }; touch /tmp/blns.shellshock1.fail;",
+ "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }",
+ "<<< %s(un='%s') = %u",
+ "+++ATH0"
+ ],
+ "win_special_filenames": [
+ "CON",
+ "PRN",
+ "AUX",
+ "CLOCK$",
+ "NUL",
+ "A:",
+ "ZZ:",
+ "COM1",
+ "LPT1",
+ "LPT2",
+ "LPT3",
+ "COM2",
+ "COM3",
+ "COM4"
+ ],
+ "irc_strings": [
+ "DCC SEND STARTKEYLOGGER 0 0 0"
+ ],
+ "scunthorpe_problem": [
+ "Scunthorpe General Hospital",
+ "Penistone Community Church",
+ "Lightwater Country Park",
+ "Jimmy Clitheroe",
+ "Horniman Museum",
+ "shitake mushrooms",
+ "RomansInSussex.co.uk",
+ "http://www.cum.qc.ca/",
+ "Craig Cockburn, Software Specialist",
+ "Linda Callahan",
+ "Dr. Herman I. Libshitz",
+ "magna cum laude",
+ "Super Bowl XXX",
+ "medieval erection of parapets",
+ "evaluate",
+ "mocha",
+ "expression",
+ "Arsenal canal",
+ "classic",
+ "Tyson Gay",
+ "Dick Van Dyke",
+ "basement"
+ ],
+ "human_injection": [
+ "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you."
+ ],
+ "terminal_escape_codes": [
+ "Roses are \u001b[0;31mred\u001b[0m, violets are \u001b[0;34mblue. Hope you enjoy terminal hue",
+ "But now...\u001b[20Cfor my greatest trick...\u001b[8m",
+ "The quic\b\b\b\b\b\bk brown fo\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007x... [Beeeep]"
+ ],
+ "ios_vulnerabilities": [
+ "Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗",
+ "🏳0🌈️",
+ "జ్ఞా"
+ ],
+ "persian_special_chars": [
+ "گچپژ"
+ ],
+ "jinja_injection": [
+ "{% print 'x' * 64 * 1024**3 %}",
+ "{{ \"\".__class__.__mro__[2].__subclasses__()[40](\"/etc/passwd\").read() }}"
+ ]
+}
diff --git a/extension/blns/src/test/kotlin/io/github/serpro69/kfaker/blns/BlnsTest.kt b/extension/blns/src/test/kotlin/io/github/serpro69/kfaker/blns/BlnsTest.kt
new file mode 100644
index 000000000..9686d8176
--- /dev/null
+++ b/extension/blns/src/test/kotlin/io/github/serpro69/kfaker/blns/BlnsTest.kt
@@ -0,0 +1,46 @@
+package io.github.serpro69.kfaker.blns
+
+import io.kotest.core.spec.style.DescribeSpec
+import io.kotest.matchers.collections.shouldBeIn
+import io.kotest.matchers.collections.shouldContainAll
+import io.kotest.matchers.collections.shouldHaveSize
+
+class BlnsTest : DescribeSpec({
+
+ assertSoftly = true
+
+ describe("blns strings") {
+ val blns = Blns()
+
+ it("should get strings for a category") {
+ blns.get(Category.EMOJI) shouldHaveSize 11
+ }
+
+ it("should get strings for several categories") {
+ blns.get(Category.EMOJI, Category.KAOMOJI).flatMap { it.value } shouldHaveSize 23
+ }
+
+ it("should contain all strings") {
+ blns.all shouldHaveSize 515
+ }
+
+ it("should contain all base64-encoded strings") {
+ blns.allBase64 shouldHaveSize 676
+ }
+
+ it("should return a random string") {
+ blns.random() shouldBeIn blns.all
+ blns.random(base64 = true) shouldBeIn blns.allBase64
+ }
+
+ it("should return a random sub-list of strings") {
+ blns.sublist(10) shouldHaveSize 10
+ blns.sublist(10, base64 = true) shouldHaveSize 10
+ blns.all shouldContainAll blns.sublist(10)
+ blns.all shouldContainAll blns.sublist(1..9)
+ blns.allBase64 shouldContainAll blns.sublist(10, base64 = true)
+ blns.allBase64 shouldContainAll blns.sublist(1..9, base64 = true)
+ }
+ }
+})
+
diff --git a/settings.gradle.kts b/settings.gradle.kts
index d6388d836..eeb9aa84c 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -21,6 +21,7 @@ include(
val extensions =
listOf(
+ "blns",
"kotest-property",
)
extensions.forEach { include(":extension:$it") }