Ideone.com

fork download

copy

<?php
 
class HTMLUtils {
 
    public static function cleanHtmlUserInput($html) {
 
        $allowedTags = '<b><strong><i><em><u><strike><a><br><br/><p><div><img><span><ol><li><ul>';
        $allowedAttributes = array(
            '*'   => array('id', 'class', 'style'),
            'img' => array('src', 'alt'),
            'a'   => array('href')
        );            
 
        $html = strip_tags($html, $allowedTags);
 
        $html = HTMLUtils::removeAttributes($html, $allowedAttributes);
 
        return trim($html);
 
    }
 
    const STATE_WAIT_FOR_TAG = 0;
    const STATE_STARTING_TAG = 1;
    const STATE_COLLECT_TAG_NAME = 2;
    const STATE_SPACE_INSIDE_TAG = 3;
    const STATE_COLLECT_ATTR_NAME = 4;
    const STATE_ATTR_EQUAL_SIGN = 5;
    const STATE_COLLECT_ATTR_VALUE = 6;
    const STATE_WAIT_FOR_TAG_END = 7;
    const STATE_ENDING_TAG = 8;
    const STATE_WAIT_FOR_CDATA_END = 9;
 
 
    public static function removeAttributes($html, array $allowedAttributes = array()) {
 
        if (empty($allowedAttributes)) {
 
            // тег звездочка - для разрешения набора аттрибутов всем тегам
            // теги и атрибуты обязаны быть в нижнем регистре
            $allowedAttributes = array(
            //  '*'   => array('id', 'class', 'style'),
                'img' => array('src', 'alt'),
                'a'   => array('href')
            );            
 
        }
 
        $specialSymbols = array('<', '>', '=');
        $spaceSymbols = array(' ', "\n", "\r", "\t", "\v", "\f", '/'); // браузерные движки трактуют слэш так же, как пробел
 
        $currentTag = '';
        $currentAttribute = '';
        $currentAttrValue = '';
        $attrStartPosition = 0;
        $attrValueBorderSymbol = '';
 
        $states = array();
 
        // первая вложенность - состояние, оставшееся или установленное в предыдущей итерации
        // вторая вложенность - текущий спецсимвол, s - space, 0 - любой другой символ
        // если в таблице состояний нет такого условия - условие сохраняется с предыдущей итерации
 
        $states[self::STATE_WAIT_FOR_TAG]     ['<'] = self::STATE_STARTING_TAG;
 
        $states[self::STATE_WAIT_FOR_TAG_END] ['>'] = self::STATE_ENDING_TAG;
 
        $states[self::STATE_COLLECT_TAG_NAME] ['s'] = self::STATE_SPACE_INSIDE_TAG;
        $states[self::STATE_COLLECT_TAG_NAME] ['>'] = self::STATE_ENDING_TAG;
 
        $states[self::STATE_SPACE_INSIDE_TAG] ['>'] = self::STATE_ENDING_TAG;
        $states[self::STATE_SPACE_INSIDE_TAG] [0]   = self::STATE_COLLECT_ATTR_NAME;
        $states[self::STATE_SPACE_INSIDE_TAG] ['<'] = self::STATE_COLLECT_ATTR_NAME;
        $states[self::STATE_SPACE_INSIDE_TAG] ['='] = self::STATE_COLLECT_ATTR_NAME;
 
        $states[self::STATE_COLLECT_ATTR_NAME]['>'] = self::STATE_ENDING_TAG;
        $states[self::STATE_COLLECT_ATTR_NAME]['s'] = self::STATE_SPACE_INSIDE_TAG;
        $states[self::STATE_COLLECT_ATTR_NAME]['='] = self::STATE_ATTR_EQUAL_SIGN;
 
 
        // главный цикл
 
        for ($i = 0, $state = self::STATE_WAIT_FOR_TAG; $i < strlen($html); $i++) {
 
            // приведение текущих переменных к корректным индексам массивов
            // 0 - "не имеет значения", "без разницы"
 
            $specialSymbol = in_array($html[$i], $specialSymbols) ? $html[$i] : (in_array($html[$i], $spaceSymbols) ? 's' : 0);            
 
            $state = (isset($states[$state][$specialSymbol])) ? $states[$state][$specialSymbol] : $state;
 
 
            switch ($state) {
 
                case self::STATE_WAIT_FOR_TAG:
                case self::STATE_WAIT_FOR_TAG_END:
                    break;
 
 
                case self::STATE_STARTING_TAG:
 
                    // не проверяем CDATA
                    if (substr($html, $i + 1, 8) === '![CDATA[') {
 
                        $state = self::STATE_WAIT_FOR_CDATA_END;
                        $i = $i + 8;   
 
                    }
 
                    // не проверяем управляющие конструкции (!doctype, !element, ?xml) и закрывающие теги
                    // через <?xml-* команды можно вставить инъекцию, но браузеры их не понимают
                    elseif (isset($html[$i + 1]) && ($html[$i + 1] === '!' || $html[$i + 1] === '?' || $html[$i + 1] === '/')) {
 
                        $state = self::STATE_WAIT_FOR_TAG_END;
                        $i++;
 
                    }
 
                    // если после < идет пробел - это не считается тегом
                    elseif (isset($html[$i + 1]) && in_array($html[$i + 1], $spaceSymbols)) {
 
                        $state = self::STATE_WAIT_FOR_TAG;
 
                    }
 
                    // тег обыкновенный                    
                    else {
 
                        $state = self::STATE_COLLECT_TAG_NAME;
 
                    }
 
                    break;
 
 
                case self::STATE_COLLECT_TAG_NAME:
 
                    $currentTag .= $html[$i];
 
                    break;
 
 
                case self::STATE_SPACE_INSIDE_TAG:
 
                    if (!empty($currentAttribute)) {
 
                        // Вариант завершения атрибута № 1: атрибут кончился, а тег еще нет
 
                        self::_deleteAttribute($html, $i, $currentTag, $currentAttribute, $currentAttrValue, $attrStartPosition, $allowedAttributes);
 
                    }
 
                    break;
 
 
                case self::STATE_COLLECT_ATTR_NAME:
 
                    if (empty($currentAttribute)) {
 
                        // Если мы здесь "впервые", то запоминаем позицию начала атрибута
 
                        $attrStartPosition = $i;
 
                    }                    
 
                    $currentAttribute .= $html[$i];
 
                    break;
 
 
                case self::STATE_ATTR_EQUAL_SIGN:
 
                    if (isset($html[$i + 1]) && in_array($html[$i + 1], $spaceSymbols)) {
 
                        $state = self::STATE_SPACE_INSIDE_TAG;
 
                    } else {
 
                        if (isset($html[$i + 1]) && in_array($html[$i + 1], array('"', "'"))) {
 
                            $attrValueBorderSymbol = $html[$i + 1];
                            $i++;
 
                        } else {
 
                            $attrValueBorderSymbol = '';
 
                        }
 
                        $state = self::STATE_COLLECT_ATTR_VALUE;
 
                    }
 
 
                    break;
 
 
                case self::STATE_COLLECT_ATTR_VALUE:
 
                    if ($html[$i] === $attrValueBorderSymbol) {
 
                        // если нет пробела между атрибутами (attr="value"attr="value"), надо вставить                        
                        if (isset($html[$i + 1]) && !in_array($html[$i + 1], $spaceSymbols) && $html[$i + 1] !== '>') {
 
                            $html = substr($html, 0, $i + 1) . ' ' . substr($html, $i + 1);
 
                        }
 
                        $state = self::STATE_SPACE_INSIDE_TAG;
 
                    } elseif (empty($attrValueBorderSymbol) && isset($html[$i + 1]) && in_array($html[$i + 1], $spaceSymbols) && $html[$i + 1] !== '/') {
 
                        $state = self::STATE_SPACE_INSIDE_TAG;
 
                    } elseif (empty($attrValueBorderSymbol) && isset($html[$i + 1]) && $html[$i + 1] === '>') {
 
                        // Если у нас конец тега - уходим туда на след. итерации
                        // Атрибут будет удален там
 
                        $state = self::STATE_ENDING_TAG;
 
                    }
 
                    // если не кавычка, добавить символ к значению атрибута                    
                    if ($html[$i] !== $attrValueBorderSymbol) {                        
 
                        $currentAttrValue .= $html[$i];
 
                    }
 
                    break;
 
 
                case self::STATE_ENDING_TAG:
 
                    if (!empty($currentAttribute)) {
 
                        // Вариант завершения атрибута № 2: самый прозаический. У нас кончился тег.
 
                        self::_deleteAttribute($html, $i, $currentTag, $currentAttribute, $currentAttrValue, $attrStartPosition, $allowedAttributes);
 
                    }
 
                    $currentTag = '';
 
                    $state = self::STATE_WAIT_FOR_TAG;
 
                    break;
 
 
                case self::STATE_WAIT_FOR_CDATA_END:
 
                    if (substr($html, $i, 3) === ']]>') {
 
                        $state = self::STATE_WAIT_FOR_TAG;
                        $i = $i + 2;
 
                    }
 
                    break;
 
 
                default:
                    throw new Exception('Unexpected state on step ' . $i);
 
 
            }
 
        }
 
        // Если цикл закончился, а мы не снаружи всех html-тегов, то просто сносим последний тег
 
        if ($state !== self::STATE_WAIT_FOR_TAG) {
 
            // для CDATA особый случай            
            if ($state === self::STATE_WAIT_FOR_CDATA_END) {
 
                $html = substr($html, 0, strrpos($html, '<![CDATA['));
 
            } else {
 
                $html = substr($html, 0, strrpos($html, '<'));
 
            }
 
        }
 
        return $html;
 
    }
 
    // this is removeAttribute helper
    private static function _deleteAttribute(&$html, &$i, &$currentTag, &$currentAttribute, &$currentAttrValue, &$attrStartPosition, &$allowedAttributes) {
 
        // $i здесь всегда на символе после атрибута
        // $attrStartPosition - 1 для того, чтобы так же удалить пробел перед атрибутом
        // перед атрибутом всегда гарантированно есть минимум один пробел
 
        $currentTag = strtolower($currentTag);
        $currentAttribute = strtolower($currentAttribute);
        $currentAttrValue = strtolower($currentAttrValue);
 
        // если атрибута нет в allowedAttributes или значение атрибута является подозрительным
        if (
            (!((isset($allowedAttributes['*']) && in_array($currentAttribute, $allowedAttributes['*'])) || (isset($allowedAttributes[$currentTag]) && in_array($currentAttribute, $allowedAttributes[$currentTag]))))
            || (substr($currentAttrValue, 0, 11) === 'javascript:')
           ) 
        {
 
            $html = substr($html, 0, $attrStartPosition - 1) . substr($html, $i);
 
            $i = $attrStartPosition - 1;
 
        }
 
        $currentAttribute = '';
        $currentAttrValue = '';
 
    }
 
 
 
}
 
$test = <<<EOL
<img src="alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<img src="'';!--"<XSS>=&{()}">
<SCRIPT SRC=http://x...content-available-to-author-only...s.rocks/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a> 
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="jav&#x00;ascript:alert('XSS');">
<IMG SRC=" &#14;  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://x...content-available-to-author-only...s.rocks/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://x...content-available-to-author-only...s.rocks/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://x...content-available-to-author-only...s.rocks/xss.js?< B >
<SCRIPT SRC=//xss.rocks/.j>
<IMG SRC="javascript:alert('XSS')"
EOL;
 
echo HTMLUtils::cleanHtmlUserInput($test);

PD9waHAKCmNsYXNzIEhUTUxVdGlscyB7CiAgICAKICAgIHB1YmxpYyBzdGF0aWMgZnVuY3Rpb24gY2xlYW5IdG1sVXNlcklucHV0KCRodG1sKSB7CiAgICAgICAgCiAgICAgICAgJGFsbG93ZWRUYWdzID0gJzxiPjxzdHJvbmc+PGk+PGVtPjx1PjxzdHJpa2U+PGE+PGJyPjxici8+PHA+PGRpdj48aW1nPjxzcGFuPjxvbD48bGk+PHVsPic7CiAgICAgICAgJGFsbG93ZWRBdHRyaWJ1dGVzID0gYXJyYXkoCiAgICAgICAgICAgICcqJyAgID0+IGFycmF5KCdpZCcsICdjbGFzcycsICdzdHlsZScpLAogICAgICAgICAgICAnaW1nJyA9PiBhcnJheSgnc3JjJywgJ2FsdCcpLAogICAgICAgICAgICAnYScgICA9PiBhcnJheSgnaHJlZicpCiAgICAgICAgKTsgICAgICAgICAgICAKICAgICAgICAKICAgICAgICAkaHRtbCA9IHN0cmlwX3RhZ3MoJGh0bWwsICRhbGxvd2VkVGFncyk7CiAgICAgICAgCiAgICAgICAgJGh0bWwgPSBIVE1MVXRpbHM6OnJlbW92ZUF0dHJpYnV0ZXMoJGh0bWwsICRhbGxvd2VkQXR0cmlidXRlcyk7CiAgICAgICAgCiAgICAgICAgcmV0dXJuIHRyaW0oJGh0bWwpOwogICAgICAgIAogICAgfQogICAgCiAgICBjb25zdCBTVEFURV9XQUlUX0ZPUl9UQUcgPSAwOwogICAgY29uc3QgU1RBVEVfU1RBUlRJTkdfVEFHID0gMTsKICAgIGNvbnN0IFNUQVRFX0NPTExFQ1RfVEFHX05BTUUgPSAyOwogICAgY29uc3QgU1RBVEVfU1BBQ0VfSU5TSURFX1RBRyA9IDM7CiAgICBjb25zdCBTVEFURV9DT0xMRUNUX0FUVFJfTkFNRSA9IDQ7CiAgICBjb25zdCBTVEFURV9BVFRSX0VRVUFMX1NJR04gPSA1OwogICAgY29uc3QgU1RBVEVfQ09MTEVDVF9BVFRSX1ZBTFVFID0gNjsKICAgIGNvbnN0IFNUQVRFX1dBSVRfRk9SX1RBR19FTkQgPSA3OwogICAgY29uc3QgU1RBVEVfRU5ESU5HX1RBRyA9IDg7CiAgICBjb25zdCBTVEFURV9XQUlUX0ZPUl9DREFUQV9FTkQgPSA5OwogICAgCiAgICAKICAgIHB1YmxpYyBzdGF0aWMgZnVuY3Rpb24gcmVtb3ZlQXR0cmlidXRlcygkaHRtbCwgYXJyYXkgJGFsbG93ZWRBdHRyaWJ1dGVzID0gYXJyYXkoKSkgewogICAgICAgIAogICAgICAgIGlmIChlbXB0eSgkYWxsb3dlZEF0dHJpYnV0ZXMpKSB7CiAgICAgICAgICAgIAogICAgICAgICAgICAvLyDRgtC10LMg0LfQstC10LfQtNC+0YfQutCwIC0g0LTQu9GPINGA0LDQt9GA0LXRiNC10L3QuNGPINC90LDQsdC+0YDQsCDQsNGC0YLRgNC40LHRg9GC0L7QsiDQstGB0LXQvCDRgtC10LPQsNC8CiAgICAgICAgICAgIC8vINGC0LXQs9C4INC4INCw0YLRgNC40LHRg9GC0Ysg0L7QsdGP0LfQsNC90Ysg0LHRi9GC0Ywg0LIg0L3QuNC20L3QtdC8INGA0LXQs9C40YHRgtGA0LUKICAgICAgICAgICAgJGFsbG93ZWRBdHRyaWJ1dGVzID0gYXJyYXkoCiAgICAgICAgICAgIC8vICAnKicgICA9PiBhcnJheSgnaWQnLCAnY2xhc3MnLCAnc3R5bGUnKSwKICAgICAgICAgICAgICAgICdpbWcnID0+IGFycmF5KCdzcmMnLCAnYWx0JyksCiAgICAgICAgICAgICAgICAnYScgICA9PiBhcnJheSgnaHJlZicpCiAgICAgICAgICAgICk7ICAgICAgICAgICAgCiAgICAgICAgICAgIAogICAgICAgIH0KICAgICAgICAKICAgICAgICAkc3BlY2lhbFN5bWJvbHMgPSBhcnJheSgnPCcsICc+JywgJz0nKTsKICAgICAgICAkc3BhY2VTeW1ib2xzID0gYXJyYXkoJyAnLCAiXG4iLCAiXHIiLCAiXHQiLCAiXHYiLCAiXGYiLCAnLycpOyAvLyDQsdGA0LDRg9C30LXRgNC90YvQtSDQtNCy0LjQttC60Lgg0YLRgNCw0LrRgtGD0Y7RgiDRgdC70Y3RiCDRgtCw0Log0LbQtSwg0LrQsNC6INC/0YDQvtCx0LXQuwogICAgICAgIAogICAgICAgICRjdXJyZW50VGFnID0gJyc7CiAgICAgICAgJGN1cnJlbnRBdHRyaWJ1dGUgPSAnJzsKICAgICAgICAkY3VycmVudEF0dHJWYWx1ZSA9ICcnOwogICAgICAgICRhdHRyU3RhcnRQb3NpdGlvbiA9IDA7CiAgICAgICAgJGF0dHJWYWx1ZUJvcmRlclN5bWJvbCA9ICcnOwogICAgICAgICAgICAgICAgCiAgICAgICAgJHN0YXRlcyA9IGFycmF5KCk7CiAgICAgICAgCiAgICAgICAgLy8g0L/QtdGA0LLQsNGPINCy0LvQvtC20LXQvdC90L7RgdGC0YwgLSDRgdC+0YHRgtC+0Y/QvdC40LUsINC+0YHRgtCw0LLRiNC10LXRgdGPINC40LvQuCDRg9GB0YLQsNC90L7QstC70LXQvdC90L7QtSDQsiDQv9GA0LXQtNGL0LTRg9GJ0LXQuSDQuNGC0LXRgNCw0YbQuNC4CiAgICAgICAgLy8g0LLRgtC+0YDQsNGPINCy0LvQvtC20LXQvdC90L7RgdGC0YwgLSDRgtC10LrRg9GJ0LjQuSDRgdC/0LXRhtGB0LjQvNCy0L7QuywgcyAtIHNwYWNlLCAwIC0g0LvRjtCx0L7QuSDQtNGA0YPQs9C+0Lkg0YHQuNC80LLQvtC7CiAgICAgICAgLy8g0LXRgdC70Lgg0LIg0YLQsNCx0LvQuNGG0LUg0YHQvtGB0YLQvtGP0L3QuNC5INC90LXRgiDRgtCw0LrQvtCz0L4g0YPRgdC70L7QstC40Y8gLSDRg9GB0LvQvtCy0LjQtSDRgdC+0YXRgNCw0L3Rj9C10YLRgdGPINGBINC/0YDQtdC00YvQtNGD0YnQtdC5INC40YLQtdGA0LDRhtC40LgKICAgICAgICAKICAgICAgICAkc3RhdGVzW3NlbGY6OlNUQVRFX1dBSVRfRk9SX1RBR10gICAgIFsnPCddID0gc2VsZjo6U1RBVEVfU1RBUlRJTkdfVEFHOwogICAgICAgIAogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfV0FJVF9GT1JfVEFHX0VORF0gWyc+J10gPSBzZWxmOjpTVEFURV9FTkRJTkdfVEFHOwogICAgICAgIAogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfQ09MTEVDVF9UQUdfTkFNRV0gWydzJ10gPSBzZWxmOjpTVEFURV9TUEFDRV9JTlNJREVfVEFHOwogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfQ09MTEVDVF9UQUdfTkFNRV0gWyc+J10gPSBzZWxmOjpTVEFURV9FTkRJTkdfVEFHOwogICAgICAgIAogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfU1BBQ0VfSU5TSURFX1RBR10gWyc+J10gPSBzZWxmOjpTVEFURV9FTkRJTkdfVEFHOwogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfU1BBQ0VfSU5TSURFX1RBR10gWzBdICAgPSBzZWxmOjpTVEFURV9DT0xMRUNUX0FUVFJfTkFNRTsKICAgICAgICAkc3RhdGVzW3NlbGY6OlNUQVRFX1NQQUNFX0lOU0lERV9UQUddIFsnPCddID0gc2VsZjo6U1RBVEVfQ09MTEVDVF9BVFRSX05BTUU7CiAgICAgICAgJHN0YXRlc1tzZWxmOjpTVEFURV9TUEFDRV9JTlNJREVfVEFHXSBbJz0nXSA9IHNlbGY6OlNUQVRFX0NPTExFQ1RfQVRUUl9OQU1FOwogICAgICAgIAogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfQ09MTEVDVF9BVFRSX05BTUVdWyc+J10gPSBzZWxmOjpTVEFURV9FTkRJTkdfVEFHOwogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfQ09MTEVDVF9BVFRSX05BTUVdWydzJ10gPSBzZWxmOjpTVEFURV9TUEFDRV9JTlNJREVfVEFHOwogICAgICAgICRzdGF0ZXNbc2VsZjo6U1RBVEVfQ09MTEVDVF9BVFRSX05BTUVdWyc9J10gPSBzZWxmOjpTVEFURV9BVFRSX0VRVUFMX1NJR047CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgLy8g0LPQu9Cw0LLQvdGL0Lkg0YbQuNC60LsKICAgICAgICAKICAgICAgICBmb3IgKCRpID0gMCwgJHN0YXRlID0gc2VsZjo6U1RBVEVfV0FJVF9GT1JfVEFHOyAkaSA8IHN0cmxlbigkaHRtbCk7ICRpKyspIHsKICAgICAgICAgICAgCiAgICAgICAgICAgIC8vINC/0YDQuNCy0LXQtNC10L3QuNC1INGC0LXQutGD0YnQuNGFINC/0LXRgNC10LzQtdC90L3Ri9GFINC6INC60L7RgNGA0LXQutGC0L3Ri9C8INC40L3QtNC10LrRgdCw0Lwg0LzQsNGB0YHQuNCy0L7QsgogICAgICAgICAgICAvLyAwIC0gItC90LUg0LjQvNC10LXRgiDQt9C90LDRh9C10L3QuNGPIiwgItCx0LXQtyDRgNCw0LfQvdC40YbRiyIKICAgICAgICAgICAgCiAgICAgICAgICAgICRzcGVjaWFsU3ltYm9sID0gaW5fYXJyYXkoJGh0bWxbJGldLCAkc3BlY2lhbFN5bWJvbHMpID8gJGh0bWxbJGldIDogKGluX2FycmF5KCRodG1sWyRpXSwgJHNwYWNlU3ltYm9scykgPyAncycgOiAwKTsgICAgICAgICAgICAKICAgICAgICAgICAgCiAgICAgICAgICAgICRzdGF0ZSA9IChpc3NldCgkc3RhdGVzWyRzdGF0ZV1bJHNwZWNpYWxTeW1ib2xdKSkgPyAkc3RhdGVzWyRzdGF0ZV1bJHNwZWNpYWxTeW1ib2xdIDogJHN0YXRlOwogICAgICAgICAgICAKICAgICAgICAgICAgCiAgICAgICAgICAgIHN3aXRjaCAoJHN0YXRlKSB7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGNhc2Ugc2VsZjo6U1RBVEVfV0FJVF9GT1JfVEFHOgogICAgICAgICAgICAgICAgY2FzZSBzZWxmOjpTVEFURV9XQUlUX0ZPUl9UQUdfRU5EOgogICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBjYXNlIHNlbGY6OlNUQVRFX1NUQVJUSU5HX1RBRzoKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIC8vINC90LUg0L/RgNC+0LLQtdGA0Y/QtdC8IENEQVRBCiAgICAgICAgICAgICAgICAgICAgaWYgKHN1YnN0cigkaHRtbCwgJGkgKyAxLCA4KSA9PT0gJyFbQ0RBVEFbJykgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgJHN0YXRlID0gc2VsZjo6U1RBVEVfV0FJVF9GT1JfQ0RBVEFfRU5EOwogICAgICAgICAgICAgICAgICAgICAgICAkaSA9ICRpICsgODsgICAKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgLy8g0L3QtSDQv9GA0L7QstC10YDRj9C10Lwg0YPQv9GA0LDQstC70Y/RjtGJ0LjQtSDQutC+0L3RgdGC0YDRg9C60YbQuNC4ICghZG9jdHlwZSwgIWVsZW1lbnQsID94bWwpINC4INC30LDQutGA0YvQstCw0Y7RidC40LUg0YLQtdCz0LgKICAgICAgICAgICAgICAgICAgICAvLyDRh9C10YDQtdC3IDw/eG1sLSog0LrQvtC80LDQvdC00Ysg0LzQvtC20L3QviDQstGB0YLQsNCy0LjRgtGMINC40L3RitC10LrRhtC40Y4sINC90L4g0LHRgNCw0YPQt9C10YDRiyDQuNGFINC90LUg0L/QvtC90LjQvNCw0Y7RggogICAgICAgICAgICAgICAgICAgIGVsc2VpZiAoaXNzZXQoJGh0bWxbJGkgKyAxXSkgJiYgKCRodG1sWyRpICsgMV0gPT09ICchJyB8fCAkaHRtbFskaSArIDFdID09PSAnPycgfHwgJGh0bWxbJGkgKyAxXSA9PT0gJy8nKSkgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgJHN0YXRlID0gc2VsZjo6U1RBVEVfV0FJVF9GT1JfVEFHX0VORDsKICAgICAgICAgICAgICAgICAgICAgICAgJGkrKzsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIC8vINC10YHQu9C4INC/0L7RgdC70LUgPCDQuNC00LXRgiDQv9GA0L7QsdC10LsgLSDRjdGC0L4g0L3QtSDRgdGH0LjRgtCw0LXRgtGB0Y8g0YLQtdCz0L7QvAogICAgICAgICAgICAgICAgICAgIGVsc2VpZiAoaXNzZXQoJGh0bWxbJGkgKyAxXSkgJiYgaW5fYXJyYXkoJGh0bWxbJGkgKyAxXSwgJHNwYWNlU3ltYm9scykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRzdGF0ZSA9IHNlbGY6OlNUQVRFX1dBSVRfRk9SX1RBRzsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIC8vINGC0LXQsyDQvtCx0YvQutC90L7QstC10L3QvdGL0LkgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGVsc2UgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgJHN0YXRlID0gc2VsZjo6U1RBVEVfQ09MTEVDVF9UQUdfTkFNRTsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGNhc2Ugc2VsZjo6U1RBVEVfQ09MTEVDVF9UQUdfTkFNRToKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICRjdXJyZW50VGFnIC49ICRodG1sWyRpXTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBjYXNlIHNlbGY6OlNUQVRFX1NQQUNFX0lOU0lERV9UQUc6CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICBpZiAoIWVtcHR5KCRjdXJyZW50QXR0cmlidXRlKSkgewogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAvLyDQktCw0YDQuNCw0L3RgiDQt9Cw0LLQtdGA0YjQtdC90LjRjyDQsNGC0YDQuNCx0YPRgtCwIOKEliAxOiDQsNGC0YDQuNCx0YPRgiDQutC+0L3Rh9C40LvRgdGPLCDQsCDRgtC10LMg0LXRidC1INC90LXRggogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgc2VsZjo6X2RlbGV0ZUF0dHJpYnV0ZSgkaHRtbCwgJGksICRjdXJyZW50VGFnLCAkY3VycmVudEF0dHJpYnV0ZSwgJGN1cnJlbnRBdHRyVmFsdWUsICRhdHRyU3RhcnRQb3NpdGlvbiwgJGFsbG93ZWRBdHRyaWJ1dGVzKTsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGNhc2Ugc2VsZjo6U1RBVEVfQ09MTEVDVF9BVFRSX05BTUU6CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICBpZiAoZW1wdHkoJGN1cnJlbnRBdHRyaWJ1dGUpKSB7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAvLyDQldGB0LvQuCDQvNGLINC30LTQtdGB0YwgItCy0L/QtdGA0LLRi9C1Iiwg0YLQviDQt9Cw0L/QvtC80LjQvdCw0LXQvCDQv9C+0LfQuNGG0LjRjiDQvdCw0YfQsNC70LAg0LDRgtGA0LjQsdGD0YLQsAoKICAgICAgICAgICAgICAgICAgICAgICAgJGF0dHJTdGFydFBvc2l0aW9uID0gJGk7CgogICAgICAgICAgICAgICAgICAgIH0gICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgJGN1cnJlbnRBdHRyaWJ1dGUgLj0gJGh0bWxbJGldOwogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGNhc2Ugc2VsZjo6U1RBVEVfQVRUUl9FUVVBTF9TSUdOOgogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgaWYgKGlzc2V0KCRodG1sWyRpICsgMV0pICYmIGluX2FycmF5KCRodG1sWyRpICsgMV0sICRzcGFjZVN5bWJvbHMpKSB7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAkc3RhdGUgPSBzZWxmOjpTVEFURV9TUEFDRV9JTlNJREVfVEFHOwogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGlzc2V0KCRodG1sWyRpICsgMV0pICYmIGluX2FycmF5KCRodG1sWyRpICsgMV0sIGFycmF5KCciJywgIiciKSkpIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgJGF0dHJWYWx1ZUJvcmRlclN5bWJvbCA9ICRodG1sWyRpICsgMV07CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaSsrOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICRhdHRyVmFsdWVCb3JkZXJTeW1ib2wgPSAnJzsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAkc3RhdGUgPSBzZWxmOjpTVEFURV9DT0xMRUNUX0FUVFJfVkFMVUU7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBjYXNlIHNlbGY6OlNUQVRFX0NPTExFQ1RfQVRUUl9WQUxVRToKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGlmICgkaHRtbFskaV0gPT09ICRhdHRyVmFsdWVCb3JkZXJTeW1ib2wpIHsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgIC8vINC10YHQu9C4INC90LXRgiDQv9GA0L7QsdC10LvQsCDQvNC10LbQtNGDINCw0YLRgNC40LHRg9GC0LDQvNC4IChhdHRyPSJ2YWx1ZSJhdHRyPSJ2YWx1ZSIpLCDQvdCw0LTQviDQstGB0YLQsNCy0LjRgtGMICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgIGlmIChpc3NldCgkaHRtbFskaSArIDFdKSAmJiAhaW5fYXJyYXkoJGh0bWxbJGkgKyAxXSwgJHNwYWNlU3ltYm9scykgJiYgJGh0bWxbJGkgKyAxXSAhPT0gJz4nKSB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICRodG1sID0gc3Vic3RyKCRodG1sLCAwLCAkaSArIDEpIC4gJyAnIC4gc3Vic3RyKCRodG1sLCAkaSArIDEpOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRzdGF0ZSA9IHNlbGY6OlNUQVRFX1NQQUNFX0lOU0lERV9UQUc7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIH0gZWxzZWlmIChlbXB0eSgkYXR0clZhbHVlQm9yZGVyU3ltYm9sKSAmJiBpc3NldCgkaHRtbFskaSArIDFdKSAmJiBpbl9hcnJheSgkaHRtbFskaSArIDFdLCAkc3BhY2VTeW1ib2xzKSAmJiAkaHRtbFskaSArIDFdICE9PSAnLycpIHsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRzdGF0ZSA9IHNlbGY6OlNUQVRFX1NQQUNFX0lOU0lERV9UQUc7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfSBlbHNlaWYgKGVtcHR5KCRhdHRyVmFsdWVCb3JkZXJTeW1ib2wpICYmIGlzc2V0KCRodG1sWyRpICsgMV0pICYmICRodG1sWyRpICsgMV0gPT09ICc+JykgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgLy8g0JXRgdC70Lgg0YMg0L3QsNGBINC60L7QvdC10YYg0YLQtdCz0LAgLSDRg9GF0L7QtNC40Lwg0YLRg9C00LAg0L3QsCDRgdC70LXQtC4g0LjRgtC10YDQsNGG0LjQuAogICAgICAgICAgICAgICAgICAgICAgICAvLyDQkNGC0YDQuNCx0YPRgiDQsdGD0LTQtdGCINGD0LTQsNC70LXQvSDRgtCw0LwKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRzdGF0ZSA9IHNlbGY6OlNUQVRFX0VORElOR19UQUc7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAvLyDQtdGB0LvQuCDQvdC1INC60LDQstGL0YfQutCwLCDQtNC+0LHQsNCy0LjRgtGMINGB0LjQvNCy0L7QuyDQuiDQt9C90LDRh9C10L3QuNGOINCw0YLRgNC40LHRg9GC0LAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGlmICgkaHRtbFskaV0gIT09ICRhdHRyVmFsdWVCb3JkZXJTeW1ib2wpIHsgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRjdXJyZW50QXR0clZhbHVlIC49ICRodG1sWyRpXTsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBjYXNlIHNlbGY6OlNUQVRFX0VORElOR19UQUc6CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICBpZiAoIWVtcHR5KCRjdXJyZW50QXR0cmlidXRlKSkgewogICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgLy8g0JLQsNGA0LjQsNC90YIg0LfQsNCy0LXRgNGI0LXQvdC40Y8g0LDRgtGA0LjQsdGD0YLQsCDihJYgMjog0YHQsNC80YvQuSDQv9GA0L7Qt9Cw0LjRh9C10YHQutC40LkuINCjINC90LDRgSDQutC+0L3Rh9C40LvRgdGPINGC0LXQsy4KICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgIHNlbGY6Ol9kZWxldGVBdHRyaWJ1dGUoJGh0bWwsICRpLCAkY3VycmVudFRhZywgJGN1cnJlbnRBdHRyaWJ1dGUsICRjdXJyZW50QXR0clZhbHVlLCAkYXR0clN0YXJ0UG9zaXRpb24sICRhbGxvd2VkQXR0cmlidXRlcyk7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAkY3VycmVudFRhZyA9ICcnOwogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgJHN0YXRlID0gc2VsZjo6U1RBVEVfV0FJVF9GT1JfVEFHOwogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBjYXNlIHNlbGY6OlNUQVRFX1dBSVRfRk9SX0NEQVRBX0VORDoKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGlmIChzdWJzdHIoJGh0bWwsICRpLCAzKSA9PT0gJ11dPicpIHsKICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICRzdGF0ZSA9IHNlbGY6OlNUQVRFX1dBSVRfRk9SX1RBRzsKICAgICAgICAgICAgICAgICAgICAgICAgJGkgPSAkaSArIDI7CiAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgZGVmYXVsdDoKICAgICAgICAgICAgICAgICAgICB0aHJvdyBuZXcgRXhjZXB0aW9uKCdVbmV4cGVjdGVkIHN0YXRlIG9uIHN0ZXAgJyAuICRpKTsKICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgICAgIAogICAgICAgIH0KICAgICAgICAKICAgICAgICAvLyDQldGB0LvQuCDRhtC40LrQuyDQt9Cw0LrQvtC90YfQuNC70YHRjywg0LAg0LzRiyDQvdC1INGB0L3QsNGA0YPQttC4INCy0YHQtdGFIGh0bWwt0YLQtdCz0L7Qsiwg0YLQviDQv9GA0L7RgdGC0L4g0YHQvdC+0YHQuNC8INC/0L7RgdC70LXQtNC90LjQuSDRgtC10LMKICAgICAgICAKICAgICAgICBpZiAoJHN0YXRlICE9PSBzZWxmOjpTVEFURV9XQUlUX0ZPUl9UQUcpIHsKICAgICAgICAgICAgCiAgICAgICAgICAgIC8vINC00LvRjyBDREFUQSDQvtGB0L7QsdGL0Lkg0YHQu9GD0YfQsNC5ICAgICAgICAgICAgCiAgICAgICAgICAgIGlmICgkc3RhdGUgPT09IHNlbGY6OlNUQVRFX1dBSVRfRk9SX0NEQVRBX0VORCkgewogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAkaHRtbCA9IHN1YnN0cigkaHRtbCwgMCwgc3RycnBvcygkaHRtbCwgJzwhW0NEQVRBWycpKTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAkaHRtbCA9IHN1YnN0cigkaHRtbCwgMCwgc3RycnBvcygkaHRtbCwgJzwnKSk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgfQogICAgICAgICAgICAKICAgICAgICB9CiAgICAgICAgCiAgICAgICAgcmV0dXJuICRodG1sOwogICAgICAgIAogICAgfQogICAgCiAgICAvLyB0aGlzIGlzIHJlbW92ZUF0dHJpYnV0ZSBoZWxwZXIKICAgIHByaXZhdGUgc3RhdGljIGZ1bmN0aW9uIF9kZWxldGVBdHRyaWJ1dGUoJiRodG1sLCAmJGksICYkY3VycmVudFRhZywgJiRjdXJyZW50QXR0cmlidXRlLCAmJGN1cnJlbnRBdHRyVmFsdWUsICYkYXR0clN0YXJ0UG9zaXRpb24sICYkYWxsb3dlZEF0dHJpYnV0ZXMpIHsKICAgICAgICAKICAgICAgICAvLyAkaSDQt9C00LXRgdGMINCy0YHQtdCz0LTQsCDQvdCwINGB0LjQvNCy0L7Qu9C1INC/0L7RgdC70LUg0LDRgtGA0LjQsdGD0YLQsAogICAgICAgIC8vICRhdHRyU3RhcnRQb3NpdGlvbiAtIDEg0LTQu9GPINGC0L7Qs9C+LCDRh9GC0L7QsdGLINGC0LDQuiDQttC1INGD0LTQsNC70LjRgtGMINC/0YDQvtCx0LXQuyDQv9C10YDQtdC0INCw0YLRgNC40LHRg9GC0L7QvAogICAgICAgIC8vINC/0LXRgNC10LQg0LDRgtGA0LjQsdGD0YLQvtC8INCy0YHQtdCz0LTQsCDQs9Cw0YDQsNC90YLQuNGA0L7QstCw0L3QvdC+INC10YHRgtGMINC80LjQvdC40LzRg9C8INC+0LTQuNC9INC/0YDQvtCx0LXQuwogICAgICAgIAogICAgICAgICRjdXJyZW50VGFnID0gc3RydG9sb3dlcigkY3VycmVudFRhZyk7CiAgICAgICAgJGN1cnJlbnRBdHRyaWJ1dGUgPSBzdHJ0b2xvd2VyKCRjdXJyZW50QXR0cmlidXRlKTsKICAgICAgICAkY3VycmVudEF0dHJWYWx1ZSA9IHN0cnRvbG93ZXIoJGN1cnJlbnRBdHRyVmFsdWUpOwogICAgICAgIAogICAgICAgIC8vINC10YHQu9C4INCw0YLRgNC40LHRg9GC0LAg0L3QtdGCINCyIGFsbG93ZWRBdHRyaWJ1dGVzINC40LvQuCDQt9C90LDRh9C10L3QuNC1INCw0YLRgNC40LHRg9GC0LAg0Y/QstC70Y/QtdGC0YHRjyDQv9C+0LTQvtC30YDQuNGC0LXQu9GM0L3Ri9C8CiAgICAgICAgaWYgKAogICAgICAgICAgICAoISgoaXNzZXQoJGFsbG93ZWRBdHRyaWJ1dGVzWycqJ10pICYmIGluX2FycmF5KCRjdXJyZW50QXR0cmlidXRlLCAkYWxsb3dlZEF0dHJpYnV0ZXNbJyonXSkpIHx8IChpc3NldCgkYWxsb3dlZEF0dHJpYnV0ZXNbJGN1cnJlbnRUYWddKSAmJiBpbl9hcnJheSgkY3VycmVudEF0dHJpYnV0ZSwgJGFsbG93ZWRBdHRyaWJ1dGVzWyRjdXJyZW50VGFnXSkpKSkKICAgICAgICAgICAgfHwgKHN1YnN0cigkY3VycmVudEF0dHJWYWx1ZSwgMCwgMTEpID09PSAnamF2YXNjcmlwdDonKQogICAgICAgICAgICkgCiAgICAgICAgewogICAgICAgIAogICAgICAgICAgICAkaHRtbCA9IHN1YnN0cigkaHRtbCwgMCwgJGF0dHJTdGFydFBvc2l0aW9uIC0gMSkgLiBzdWJzdHIoJGh0bWwsICRpKTsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAkaSA9ICRhdHRyU3RhcnRQb3NpdGlvbiAtIDE7CiAgICAgICAgCiAgICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgJGN1cnJlbnRBdHRyaWJ1dGUgPSAnJzsKICAgICAgICAkY3VycmVudEF0dHJWYWx1ZSA9ICcnOwogICAgICAgIAogICAgfQogICAgCiAgICAKICAgIAp9CgokdGVzdCA9IDw8PEVPTAo8aW1nIHNyYz0iYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCw4Myw4MykpLy8nO2FsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKS8vIjsKYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCw4Myw4MykpLy8iO2FsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKS8vLS0KPjwvU0NSSVBUPiI+Jz48U0NSSVBUPmFsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKTwvU0NSSVBUPiI+Cic7YWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCw4Myw4MykpLy8nO2FsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKS8vIjsKYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCw4Myw4MykpLy8iO2FsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKS8vLS0KPjwvU0NSSVBUPiI+Jz48U0NSSVBUPmFsZXJ0KFN0cmluZy5mcm9tQ2hhckNvZGUoODgsODMsODMpKTwvU0NSSVBUPgonJzshLS0iPFhTUz49JnsoKX0KPGltZyBzcmM9IicnOyEtLSI8WFNTPj0meygpfSI+CjxTQ1JJUFQgU1JDPWh0dHA6Ly94Li4uY29udGVudC1hdmFpbGFibGUtdG8tYXV0aG9yLW9ubHkuLi5zLnJvY2tzL3hzcy5qcz48L1NDUklQVD4KPElNRyBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+CjxJTUcgU1JDPWphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpPgo8SU1HIFNSQz1KYVZhU2NSaVB0OmFsZXJ0KCdYU1MnKT4KPElNRyBTUkM9amF2YXNjcmlwdDphbGVydCgiWFNTIik+CjxJTUcgU1JDPWBqYXZhc2NyaXB0OmFsZXJ0KCJSU25ha2Ugc2F5cywgJ1hTUyciKWA+CjxhIG9ubW91c2VvdmVyPSJhbGVydChkb2N1bWVudC5jb29raWUpIj54eHMgbGluazwvYT4gCjxJTUcgIiIiPjxTQ1JJUFQ+YWxlcnQoIlhTUyIpPC9TQ1JJUFQ+Ij4KPElNRyBTUkM9amF2YXNjcmlwdDphbGVydChTdHJpbmcuZnJvbUNoYXJDb2RlKDg4LDgzLDgzKSk+CjxJTUcgU1JDPSMgb25tb3VzZW92ZXI9ImFsZXJ0KCd4eHMnKSI+CjxJTUcgU1JDPSBvbm1vdXNlb3Zlcj0iYWxlcnQoJ3h4cycpIj4KPElNRyBvbm1vdXNlb3Zlcj0iYWxlcnQoJ3h4cycpIj4KPElNRyBTUkM9LyBvbmVycm9yPSJhbGVydChTdHJpbmcuZnJvbUNoYXJDb2RlKDg4LDgzLDgzKSkiPjwvaW1nPgo8aW1nIHNyYz14IG9uZXJyb3I9IiYjMDAwMDEwNiYjMDAwMDA5NyYjMDAwMDExOCYjMDAwMDA5NyYjMDAwMDExNSYjMDAwMDA5OSYjMDAwMDExNCYjMDAwMDEwNSYjMDAwMDExMiYjMDAwMDExNiYjMDAwMDA1OCYjMDAwMDA5NyYjMDAwMDEwOCYjMDAwMDEwMSYjMDAwMDExNCYjMDAwMDExNiYjMDAwMDA0MCYjMDAwMDAzOSYjMDAwMDA4OCYjMDAwMDA4MyYjMDAwMDA4MyYjMDAwMDAzOSYjMDAwMDA0MSI+CjxJTUcgU1JDPSYjMTA2OyYjOTc7JiMxMTg7JiM5NzsmIzExNTsmIzk5OyYjMTE0OyYjMTA1OyYjMTEyOyYjMTE2OyYjNTg7JiM5NzsmIzEwODsmIzEwMTsmIzExNDsmIzExNjsmIzQwOwomIzM5OyYjODg7JiM4MzsmIzgzOyYjMzk7JiM0MTs+CjxJTUcgU1JDPSYjMDAwMDEwNiYjMDAwMDA5NyYjMDAwMDExOCYjMDAwMDA5NyYjMDAwMDExNSYjMDAwMDA5OSYjMDAwMDExNCYjMDAwMDEwNSYjMDAwMDExMiYjMDAwMDExNiYjMDAwMDA1OCYjMDAwMDA5NyYKIzAwMDAxMDgmIzAwMDAxMDEmIzAwMDAxMTQmIzAwMDAxMTYmIzAwMDAwNDAmIzAwMDAwMzkmIzAwMDAwODgmIzAwMDAwODMmIzAwMDAwODMmIzAwMDAwMzkmIzAwMDAwNDE+CjxJTUcgU1JDPSYjeDZBJiN4NjEmI3g3NiYjeDYxJiN4NzMmI3g2MyYjeDcyJiN4NjkmI3g3MCYjeDc0JiN4M0EmI3g2MSYjeDZDJiN4NjUmI3g3MiYjeDc0JiN4MjgmI3gyNyYjeDU4JiN4NTMmI3g1MyYjeDI3JiN4Mjk+CjxJTUcgU1JDPSJqYXYJYXNjcmlwdDphbGVydCgnWFNTJyk7Ij4KPElNRyBTUkM9ImphdiYjeDA5O2FzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+CjxJTUcgU1JDPSJqYXYmI3gwQTthc2NyaXB0OmFsZXJ0KCdYU1MnKTsiPgo8SU1HIFNSQz0iamF2JiN4MEQ7YXNjcmlwdDphbGVydCgnWFNTJyk7Ij4KPElNRyBTUkM9ImphdiYjeDAwO2FzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+CjxJTUcgU1JDPSIgJiMxNDsgIGphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+CjxTQ1JJUFQvWFNTIFNSQz0iaHR0cDovL3guLi5jb250ZW50LWF2YWlsYWJsZS10by1hdXRob3Itb25seS4uLnMucm9ja3MveHNzLmpzIj48L1NDUklQVD4KPEJPRFkgb25sb2FkISMkJSYoKSp+Ky1fLiw6Oz9AWy98XF1eYD1hbGVydCgiWFNTIik+CjxTQ1JJUFQvU1JDPSJodHRwOi8veC4uLmNvbnRlbnQtYXZhaWxhYmxlLXRvLWF1dGhvci1vbmx5Li4ucy5yb2Nrcy94c3MuanMiPjwvU0NSSVBUPgo8PFNDUklQVD5hbGVydCgiWFNTIik7Ly88PC9TQ1JJUFQ+CjxTQ1JJUFQgU1JDPWh0dHA6Ly94Li4uY29udGVudC1hdmFpbGFibGUtdG8tYXV0aG9yLW9ubHkuLi5zLnJvY2tzL3hzcy5qcz88IEIgPgo8U0NSSVBUIFNSQz0vL3hzcy5yb2Nrcy8uaj4KPElNRyBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpIgpFT0w7CgplY2hvIEhUTUxVdGlsczo6Y2xlYW5IdG1sVXNlcklucHV0KCR0ZXN0KTs=

Success #stdin #stdout 0.03s 52432KB

stdin

copy

Standard input is empty

stdout

copy

<img src="alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"//
>'>alert(String.fromCharCode(88,83,83))">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>">'>alert(String.fromCharCode(88,83,83))
'';!--"=&{()}
<img src="'';!--" SRC=http://x...content-available-to-author-only...s.rocks/xss.js/SCRIPT SRC=`javascript:alert("RSnake >alert("XSS")">
<IMG>
<IMG SRC=#>
<IMG SRC=>
<IMG>
<IMG SRC=/></img>
<img src=x>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="jav&#x00;ascript:alert('XSS');">
<IMG SRC=" &#14;  javascript:alert('XSS');">

https://ideone.com/jyvubq

language:

PHP (php 7.3.5)

created:

visibility:

public

Share or Embed source code

Discover > Sphere Engine API

The brand new service which powers Ideone!

Discover > IDE Widget

Widget for compiling and running the source code in a web browser!

Discover > Sphere Engine API

Discover > IDE Widget

Choose your language