Ok, it's time to get out your baseball bats and try to break open this piñata. This is a little testing ground to see if you can generate a YSOD by breaking the XHTML well-formedness of my hacked WordPress install.

Leave a comment to try and break the site. I'll periodically remove comments here, so try as often as you want with as many dirty tricks as you can (nothing malicious please, just demonstrative). I have a feeling this is opening a can of, well, you know...

The scores so far:

§449 · By · April 6, 2008 ·


22 Comments to “XHTML Piñata”

  1. Sam Ruby says:

    Comment: <!– foo -- bar –>

  2. Sam, that should now work, see WP trac above.

  3. Here is my test, just being goofy here…

    >$%^#%!@#$@$&*&%(%&!#$>a///\\\\\/////\\\\\

  4. James says:

    < nbsp; & &amp //

    <script >

    document.writeln(‘hello world!<br/<\n’);

    </script >

    Human testing the test page! blah 🙂

  5. James says:

    document.writeln(‘hello world!\n’);

  6. Test Guy says:

    <a 7a=”foo”>bar</a>

    and

    <7a>foo</7a>

    both are prevented from breaking the page, unless you are logged in, that is. (In case this is what Jacques tried here: http://blog.codedread.com/xhtml-pinata/#comment-12531)

  7. Tester Guy says:

    How about this: <a invalid;name=”foo”>bar</a>

    bar

  8. Testing Guy says:

    How about this: <a invalid#name=”foo”>bar</a>

    bar

  9. Testing Guy says:

    Another invalid comment: <!– test —>

  10. Testing Guy says:

    <a href=”foo”>Open link…

    Open link…

  11. Haruka says:

    document.writeln(’hello world!<br/<\n’);

    document.writeln(’hello world!<br/<\n’);

    <a><strong>

    &lt;p>paragraph

    <!—<<–>

    Waves

  12. Nice one, Haruka! I’ll do some investigation on this – I’m pretty sure it’s an open WP bug (they should be closing your <a> and <strong> tags before inserting the closing </p> tag).

  13. Haruka says:

    Well, not going to break anything this time 🙂 About this comment escaping and all… wouldn’t it be easier to validate comments against some simple schema (say RelaxNG) and if something is wrong just use htmlspecialchars() or similar on the whole string? That’s all or nothing though… (preview helps with this).
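
The all-or-nothing filtering suggested in the comment above, sketched in PHP as an added example that is not part of the original thread and is not WordPress code. An element and attribute allowlist stands in for a real schema such as RelaxNG; the function names, the `ALLOWED` table and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not WordPress code. ALLOWED is a stand-in for a real schema
// (e.g. RelaxNG); element names, attributes and function names are assumptions.
const ALLOWED = ['a' => ['href'], 'strong' => [], 'em' => [], 'p' => [], 'br' => []];

function comment_is_acceptable(string $comment): bool
{
    $prev = libxml_use_internal_errors(true);    // keep parse errors off the page
    $doc = new DOMDocument();
    // Inside a wrapper element a DOCTYPE is itself a well-formedness error,
    // so the commenter cannot declare entities.
    $ok = $doc->loadXML('<div>' . $comment . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return false;
    }
    foreach ($doc->documentElement->getElementsByTagName('*') as $el) {
        // Well-formed is not the same as allowed: <script> parses fine.
        if ($el->namespaceURI !== null || !array_key_exists($el->nodeName, ALLOWED)) {
            return false;
        }
        foreach ($el->attributes as $attr) {
            if (!in_array($attr->nodeName, ALLOWED[$el->nodeName], true)) {
                return false;
            }
            if ($attr->nodeName === 'href' && !preg_match('#^https?://#i', $attr->nodeValue)) {
                return false;                    // only http(s) links pass
            }
        }
    }
    return true;
}

function render_comment(string $comment): string
{
    if (comment_is_acceptable($comment)) {
        return $comment;                         // emitted as markup
    }
    // All or nothing: the whole string becomes text.
    return htmlspecialchars($comment, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8');
}

// Constructed inputs modelled on the kinds of comments in this thread.
foreach (['<strong>ok</strong>', '<a><strong>', '<!-- foo -- bar -->', '&nbsp;'] as $c) {
    echo render_comment($c), "\n";
}
```

Named entities such as `&nbsp;` are undefined without a DTD, so a comment using them is escaped as a whole rather than passed through.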

  14. Stephen says:

    <a href=”<!--foo”>bar</a>

  15. &#60;!&#8211; foo -&#45; bar &#8211;&#62;

  16. Script and CData attempt

    // note the unescaped less than…
    for(var i = 0; i < 5; i++){
    alert("hi!");
    }

  17. Sp.Shut says:

    />
    <p fooo\=\"b” > blah

  18. Sp.Shut says:

    Ok, I’ve done it!
    Let’s try once again