From 1a632cbd174f62ad2884d4af1e7244e4ec5d757f Mon Sep 17 00:00:00 2001
From: DanMcInerney <danhmcinerney@gmail.com>
Date: Fri, 25 Jul 2014 06:28:24 -0400
Subject: [PATCH] lots of cleanup

---
 .gitignore                     |   2 +-
 formatted_vulns                | 772 +++++++++++++++++++++++++++++++++
 xsscrapy/pipelines.py          |  28 +-
 xsscrapy/settings.py           |   2 +-
 xsscrapy/spiders/xss_spider.py | 181 +++++---
 5 files changed, 911 insertions(+), 74 deletions(-)
 create mode 100644 formatted_vulns

diff --git a/.gitignore b/.gitignore
index 6d62fec..75c86bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 *.pyc
-vulnerable-urls.txt
+*.txt
diff --git a/formatted_vulns b/formatted_vulns
new file mode 100644
index 0000000..35cb5cb
--- /dev/null
+++ b/formatted_vulns
@@ -0,0 +1,772 @@
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+Line: Your unfiltered email address is: 9zqjx"()=<>9zqjx<br>
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+Line: Your filtered email address is: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your unfiltered email address is: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your message: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your htmlspecialchars() link: <a href=9zqjxJaVAscRIPT:prompt(99)9zqjx>Your Link</a><br>
+
+URL: https://de.wikipedia.org/wiki/GM_Uzbekistan
+Unfiltered: ">
+
+URL: https://www.concrete5.org/community/forums/
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: sort, answerFilter, posterUser, poster, forum[], submit_search, forumSelectAll, search_keywords
+Line:                         <input placeholder="Search Forums" type='search' name="search_keywords" value="9zqjx"()=<>9zqjx" />
+
+URL: https://www.yahoo.com/
+Unfiltered: "
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: p
+Line: <html lang="en-US"><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><script>(function(){var h=document.documentElement;h.className+=" js";(new Image()).src='http://l.yimg.com/p...
+
+URL: https://www.yahoo.com/
+Unfiltered: "
+Payload: '&quot;(){}[];
+Type: form
+Injection point: form field names: p
+Line: <html lang="en-US"><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><script>(function(){var h=document.documentElement;h.className+=" js";(new Image()).src='http://l.yimg.com/p...
+
+URL: https://edit.yahoo.com/registration?fs=RxTga76HafDEdyU6w.A78TIseZVOpUEtgTRXYEOrNfB29Oukm8zvXzO51tz7Lvm88D0yiE7A
+Unfiltered: h()=
+Payload: h()=<>
+Type: url
+Injection point: fs
+Line: 		  <style>#yucs{margin:0 auto;width:100% !important}#yucs .yucs-avatar{height:22px;width:22px}#yucs #yucs-profile_text .yuhead-name-greeting{display:none}#yucs #yucs-profile_text .yuhead-name{top:0;m...
+
+URL: https://www.yahoo.com/
+Unfiltered: "
+Payload: '&quot;(){}[];
+Type: form
+Injection point: form field names: p
+Line: <html lang="en-US"><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><script>(function(){var h=document.documentElement;h.className+=" js";(new Image()).src='http://l.yimg.com/p...
+
+URL: https://www.yahoo.com/
+Unfiltered: "
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: p
+Line: <html lang="en-US"><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><script>(function(){var h=document.documentElement;h.className+=" js";(new Image()).src='http://l.yimg.com/p...
+
+URL: http://www.ebay.com/itm/Dell-Venue-8-Pro-32GB-WiFi-Tablet-8-Display-Black-Windows-8-1-1-YEAR-WARRANTY-/141352616054
+Unfiltered: h()=
+Payload: h()=&lt;&gt;
+Type: form
+Injection point: form field names: quantity
+Line: 					<div class="CentralArea" id="CentralArea"><div class="sd-el"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top"><div><div><div id="mainCnt" class="sd-bc"><div cla...
+
+URL: http://www.ebay.com/itm/Dell-Venue-8-Pro-32GB-WiFi-Tablet-8-Display-Black-Windows-8-1-1-YEAR-WARRANTY-/141352616054
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: form
+Injection point: form field names: quantity
+Line: 					<div class="CentralArea" id="CentralArea"><div class="sd-el"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top"><div><div><div id="mainCnt" class="sd-bc"><div cla...
+
+URL: http://www.ebay.com/itm/5V-2A-High-Power-AC-Adapter-Home-Wall-Charger-for-HP-TouchPad-9-7-Wi-Fi-Tablet-/301033634375
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: form
+Injection point: form field names: quantity
+Line: 					<div class="CentralArea" id="CentralArea"><div class="sd-el"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top"><div><div><div id="mainCnt" class="sd-bc"><div cla...
+
+URL: http://www.ebay.com/gsr/i.html?_nkw=Razer+Edge+Pro&rt=nc
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: rt
+Line: <div class="eb:share guideShare" data-title="eBay Guides" data-tweet="" data-share="Share this guide:" data-imageUrl="http://i.ebayimg.com/00/s/ODBYODA=/z/T5AAAOxyYANTXsPr/$_106.JPG?set_id=2" data-spid="2054852" data-url="http://www.ebay.com/gsr/i.html?_nkw=Razer+Edge+Pro&rt=9zqjxh%28%29%3D9zqjx" data-style="simple" data-destinations="facebook,twitter,email,pinterest" data-language="en_US_MAIN"></div>
+
+URL: http://www.ebay.com/gsr/i.html?_nkw=Razer+Edge+Pro&rt=nc
+Unfiltered: h()=
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: _nkw
+Line: <title> Search results for 9zqjxh()= 9zqjx buying guides</title>
+Line: 						<meta name="description" content="Need more information before making a buying decision? Get the answers you need from buying guides on eBay for 9zqjxh()= 9zqjx"/>
+Line: 						<meta name="keywords" content="9zqjxh()= 9zqjx"/>
+Line: <!--[if lt IE 9]> <link rel="stylesheet" type="text/css" href="http://ir.ebaystatic.com/header/css/glb.ielt9?combo=90&ds=3&rvr=1.0.0&factor=AC3,GHCOLL&siteid=0&app=RAPTOR&h=100668"><![endif]--> <div c...
+Line: 					 <span class="count">0</span> guides found for <b/> 9zqjxh()=  9zqjx</div>	
+
+URL: http://www.ebay.com/sch/i.html?_nkw=+Lenovo+IdeaTab+A1000
+Unfiltered: '"(){};
+Payload: '"(){}[];
+Type: url
+Injection point: _nkw
+Line: 			<span class="relSrc"><a class="refineSrc" href="javascript:;">Refine your search</a> for <b>9zqjx'" () {}  ;9zqjx</b></span></div>
+Line: 								<span class="nllclt"><b>0</b> results found for <b>9zqjx'" () {}  ;9zqjx</b></span>
+Line: 						<div id="followMessage" style="display:none"><p  class="dContent"><span>Follow <strong>9zqjx'" () {}  ;9zqjx</strong> to get e-mail alerts and updates on your eBay Feed.</span></p></div>
+Line: <div id="unfollowMessage" style="display:none"><p  class="dContent"><span>Unfollow <strong>9zqjx'" () {}  ;9zqjx</strong> to stop getting updates on your eBay Feed.</span></p></div>
+Line: 	<div id="followingMessage" style="display:none"><p  class='dContent'>Yay! You're now following <strong>9zqjx'" () {}  ;9zqjx</strong> in your <a href="http://www.ebay.com">eBay Feed</a>.<span id="email_msg"><br><br><br><a id="fs_email"><input class="fs_lnk" type="checkbox" id="fsEmail" /><label class="fs_lnk fs_lbl" for="fsEmail">Email me new items that match this interest</label></a></span></p></div>
+
+URL: http://www.ebay.com/itm/151362874924
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: form
+Injection point: form field names: maxbid
+Line: 					<div class="CentralArea" id="CentralArea"><div class="sd-el"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top"><div><div><div id="mainCnt" class="sd-bc"><div cla...
+
+URL: http://www.ebay.com/itm/151362868295
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: form
+Injection point: form field names: maxbid
+Line: 					<div class="CentralArea" id="CentralArea"><div class="sd-el"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top"><div><div><div id="mainCnt" class="sd-bc"><div cla...
+
+URL: http://www.ebay.com/gsr/i.html?_allcats=176973%7C171485%7C176974%7C162&_nkw=huawei+mediapad+10+fhd&_rg=1
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: _rg
+Line: <div class="eb:share guideShare" data-title="eBay Guides" data-tweet="" data-share="Share this guide:" data-imageUrl="http://i.ebayimg.com/00/s/ODBYODA=/z/T5AAAOxyYANTXsPr/$_106.JPG?set_id=2" data-spid="2054852" data-url="http://www.ebay.com/gsr/i.html?_allcats=176973|171485|176974|162&_nkw=huawei+mediapad+10+fhd&_rg=9zqjxh%28%29%3D9zqjx" data-style="simple" data-destinations="facebook,twitter,email,pinterest" data-language="en_US_MAIN"></div>
+
+URL: http://stores.ebay.com/EarlyBirdSavings/_i.html?_fsub=4781382018
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: _fsub
+Line: //--></script><script type="text/javascript">window.jsRel = {type:'jgr',ver:'0',mrcowl:false}</script><link rel="alternate" type="application/rss+xml" title="eBay Store" href="http://www.ebay.com/sch/...
+Line:                     				<table width="100%" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="3" rowspan="1" height="15"><img width="1" height="15" src="http://pics.ebaystatic.com/aw/pics/s.gif"...
+Line: 				                    							</td></tr><tr><td align="left" colspan="1" rowspan="1" valign="top" id="CentralArea"><div class="v4stabl">View:    <b>All Items</b> | <a href="/earlybirdsavings/_i.html?...
+Line:                     <div class="stBadge"><img src="http://q.ebaystatic.com/aw/pics/s.gif" width="760px" alt=" " height="1"><table border="0" cellpadding="0" cellspacing="0" width="100%" class="stBadge...
+Line: <div id="ajxThrobber_v4-0" class="ajax-throbber"><div class="ajax-mask"></div><img xrc="http://p.ebaystatic.com/aw/pics/globalAssets/imgLoading_30x30.gif"></div><div id="PreviewLayer" class="olp-mn"><...
+Line: _r.put('opv4-31jsid',new vjo.darwin.comp.overlaypanel.harrow.OverlayPanelWithHArrow({"yof":12,"styles":["ov-ptr ov-pls","ov-ptr ov-pls","ov-ptr ov-prs","ov-ptr ov-prs"],"OS":{"value":2,"id":2,"name":"...
+Line: _r.put('21PreviewLayer',$o17(0,false,-30,400,"21PreviewLayer","PreviewLayerjsid","PreviewLayer")); _r.put('24',new vjo.darwin.domain.finding.component.previewlayer.link.PreviewLayer({"dsOverlay":false...
+
+URL: http://stores.ebay.com/earlybirdsavings/_i.html?_sasi=1
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: _sasi
+Line: //--></script><script type="text/javascript">window.jsRel = {type:'jgr',ver:'0',mrcowl:false}</script><link rel="alternate" type="application/rss+xml" title="eBay Store" href="http://www.ebay.com/sch/...
+Line:                     				<table width="100%" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="3" rowspan="1" height="15"><img width="1" height="15" src="http://pics.ebaystatic.com/aw/pics/s.gif"...
+Line: 				                    							</td></tr><tr><td align="left" colspan="1" rowspan="1" valign="top" id="CentralArea"><div class="v4stabl">View:    <b>All Items</b> | <a href="/earlybirdsavings/_i.html?...
+Line:                     <div class="stBadge"><img src="http://q.ebaystatic.com/aw/pics/s.gif" width="760px" alt=" " height="1"><table border="0" cellpadding="0" cellspacing="0" width="100%" class="stBadge...
+Line: <div id="ajxThrobber_v4-0" class="ajax-throbber"><div class="ajax-mask"></div><img xrc="http://p.ebaystatic.com/aw/pics/globalAssets/imgLoading_30x30.gif"></div><div id="PreviewLayer" class="olp-mn"><...
+Line: _r.put('opv4-31jsid',new vjo.darwin.comp.overlaypanel.harrow.OverlayPanelWithHArrow({"yof":12,"styles":["ov-ptr ov-pls","ov-ptr ov-pls","ov-ptr ov-prs","ov-ptr ov-prs"],"OS":{"value":2,"id":2,"name":"...
+Line: _r.put('21PreviewLayer',$o18(0,false,-30,400,"21PreviewLayer","PreviewLayerjsid","PreviewLayer")); _r.put('24',new vjo.darwin.domain.finding.component.previewlayer.link.PreviewLayer({"dsOverlay":false...
+
+URL: http://stores.ebay.com/earlybirdsavings/_i.html?_sasi=1
+Unfiltered: h
+Payload: h()=<>
+Type: url
+Injection point: _sasi
+Line: //--></script><script type="text/javascript">window.jsRel = {type:'jgr',ver:'0',mrcowl:false}</script><link rel="alternate" type="application/rss+xml" title="eBay Store" href="http://www.ebay.com/sch/...
+Line:                     				<table width="100%" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="3" rowspan="1" height="15"><img width="1" height="15" src="http://pics.ebaystatic.com/aw/pics/s.gif"...
+Line: 				                    							</td></tr><tr><td align="left" colspan="1" rowspan="1" valign="top" id="CentralArea"><div class="v4stabl">View:    <b>All Items</b> | <a href="/earlybirdsavings/_i.html?...
+Line:                     <div class="stBadge"><img src="http://q.ebaystatic.com/aw/pics/s.gif" width="760px" alt=" " height="1"><table border="0" cellpadding="0" cellspacing="0" width="100%" class="stBadge...
+Line: <div id="ajxThrobber_v4-0" class="ajax-throbber"><div class="ajax-mask"></div><img xrc="http://p.ebaystatic.com/aw/pics/globalAssets/imgLoading_30x30.gif"></div><div id="PreviewLayer" class="olp-mn"><...
+Line: _r.put('opv4-31jsid',new vjo.darwin.comp.overlaypanel.harrow.OverlayPanelWithHArrow({"yof":12,"styles":["ov-ptr ov-pls","ov-ptr ov-pls","ov-ptr ov-prs","ov-ptr ov-prs"],"OS":{"value":2,"id":2,"name":"...
+Line: _r.put('21PreviewLayer',$o12(0,false,-30,400,"21PreviewLayer","PreviewLayerjsid","PreviewLayer")); _r.put('24',new vjo.darwin.domain.finding.component.previewlayer.link.PreviewLayer({"dsOverlay":false...
+
+URL: http://stores.ebay.com/earlybirdsavings/Motors-/_i.html?_dmd=2&_fsub=8705005018&_sid=152659078&_sop=10&_trksid=p4634.c0.m322
+Unfiltered: h
+Payload: h%28%29%3D%3C%3E
+Type: url
+Injection point: _sop
+Line: //--></script><script type="text/javascript">window.jsRel = {type:'jgr',ver:'0',mrcowl:false}</script><link rel="alternate" type="application/rss+xml" title="eBay Store" href="http://www.ebay.com/sch/...
+Line:                     				<table width="100%" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="3" rowspan="1" height="15"><img width="1" height="15" src="http://pics.ebaystatic.com/aw/pics/s.gif"...
+Line: 				                    							</td></tr><tr><td align="left" colspan="1" rowspan="1" valign="top" id="CentralArea"><div class="v4stabl">View:    <b>All Items</b> | <a href="/earlybirdsavings/Motors-/...
+Line:                     <div class="stBadge"><img src="http://q.ebaystatic.com/aw/pics/s.gif" width="760px" alt=" " height="1"><table border="0" cellpadding="0" cellspacing="0" width="100%" class="stBadge...
+Line: <div id="ajxThrobber_v4-0" class="ajax-throbber"><div class="ajax-mask"></div><img xrc="http://p.ebaystatic.com/aw/pics/globalAssets/imgLoading_30x30.gif"></div><div id="v4-13" class="olp-mn ml-pm"><t...
+Line: _r.put('opv4-25jsid',new vjo.darwin.comp.overlaypanel.harrow.OverlayPanelWithHArrow({"yof":12,"styles":["ov-ptr ov-pls","ov-ptr ov-pls","ov-ptr ov-prs","ov-ptr ov-prs"],"OS":{"value":2,"id":2,"name":"...
+
+URL: http://www.ebay.com/gsr/i.html?_nkw=+cutlery&rt=nc
+Unfiltered: h()=
+Payload: h()=<>
+Type: url
+Injection point: rt
+Line: <div class="eb:share guideShare" data-title="eBay Guides" data-tweet="" data-share="Share this guide:" data-imageUrl="http://i.ebayimg.com/00/s/ODBYODA=/z/T5AAAOxyYANTXsPr/$_106.JPG?set_id=2" data-spid="2054852" data-url="http://www.ebay.com/gsr/i.html?_nkw=+cutlery&rt=9zqjxh()=9zqjx" data-style="simple" data-destinations="facebook,twitter,email,pinterest" data-language="en_US_MAIN"></div>
+
+URL: http://www.ebay.com/gsr/i.html?_nkw=+blades&rt=nc
+Unfiltered: h()=
+Payload: h()=<>
+Type: url
+Injection point: _nkw
+Line: <title> Search results for 9zqjxh()= 9zqjx buying guides</title>
+Line: 						<meta name="description" content="Need more information before making a buying decision? Get the answers you need from buying guides on eBay for 9zqjxh()= 9zqjx"/>
+Line: 						<meta name="keywords" content="9zqjxh()= 9zqjx"/>
+Line: <!--[if lt IE 9]> <link rel="stylesheet" type="text/css" href="http://ir.ebaystatic.com/header/css/glb.ielt9?combo=90&ds=3&rvr=1.0.0&factor=AC3,GHCOLL&siteid=0&app=RAPTOR&h=100668"><![endif]--> <div c...
+Line: 					 <span class="count">0</span> guides found for <b/> 9zqjxh()=  9zqjx</div>	
+
+URL: http://www.ebay.com/itm/Uncanny-X-men-503-CGC-Graded-9-8-Previews-Sketch-Edition-Fraction-Brubaker-Land-/380957411109
+Unfiltered: '"(){};
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: _nkw, submit
+Line: 				                    							</td></tr><tr><td align="left" colspan="1" rowspan="1" valign="top" id="CentralArea"><div class="v4stabl">View:    <b>All Items</b></div><div><table cellpadding="0" cell...
+
+URL: http://www.ebay.com/sch/i.html?LH_Complete=1&LH_Sold=1&_nkw=minifig+lots&rt=nc
+Unfiltered: "()=
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: _nkw
+Line: 			<span class="relSrc"><a class="refineSrc" href="javascript:;">Refine your search</a> for <b>9zqjx" () =  9zqjx</b></span></div>
+Line: 								<b>0</b> results found for <b>9zqjx" () =  9zqjx</b></h1>
+Line: 						<div id="followMessage" style="display:none"><p  class="dContent"><span>Follow <strong>9zqjx" () =  9zqjx</strong> to get e-mail alerts and updates on your eBay Feed.</span></p></div>
+Line: <div id="unfollowMessage" style="display:none"><p  class="dContent"><span>Unfollow <strong>9zqjx" () =  9zqjx</strong> to stop getting updates on your eBay Feed.</span></p></div>
+Line: 	<div id="followingMessage" style="display:none"><p  class='dContent'>Yay! You're now following <strong>9zqjx" () =  9zqjx</strong> in your <a href="http://www.ebay.com">eBay Feed</a>.<span id="email_msg"><br><br><br><a id="fs_email"><input class="fs_lnk" type="checkbox" id="fsEmail" /><label class="fs_lnk fs_lbl" for="fsEmail">Email me new items that match this interest</label></a></span></p></div>
+Line: 	raptor.require("search.layers.FollowSearchLink").bindToLink({config:'{}', emailDefault:false, linkSelector:"e1-35", trksid: "p2045573.m2651", srchName: "9zqjx\" () =  9zqjx", saveUrl:"http://www.ebay...
+
+URL: http://elportal.att.net/
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: memberID
+Line: <meta name='DCSext.wtMemberID' content='9zqjx"()=<>9zqjx'  /> 
+
+URL: http://elportal.att.net/
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: memberID
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/products1
+Unfiltered: '"(){}[];
+Payload: '&quot;(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/products1
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/webdirectory
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/addons
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/products1
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx"()=<>9zqjx'  /> 
+
+URL: http://www.att.net/addons
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx"()=<>9zqjx'  /> 
+
+URL: http://www.att.net/products1
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://elportal.att.net/
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: memberID
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/addons
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://www.att.net/webdirectory
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: source, memberID, wtExtndSource
+Line: <meta name='DCSext.wtMemberID' content='9zqjx'"(){}[];9zqjx'  /> 
+
+URL: http://danmcinerney.org/headers.php
+Unfiltered: ()=<>
+Payload: ()=<>
+Type: header
+Injection point: User-Agent
+Line: User-Agent: 9zqjx()=<>9zqjx <br />
+
+URL: http://danmcinerney.org/headers.php
+Unfiltered: ()=<>
+Payload: ()=<>
+Type: header
+Injection point: Referer
+Line: Referer: 9zqjx()=<>9zqjx <br />
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: JaVAscRIPT:prompt(99)
+Payload: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: message, link, email
+Line: Your filtered email address is: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your unfiltered email address is: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your message: 9zqjxJaVAscRIPT:prompt(99)9zqjx<br>
+Line: Your htmlspecialchars() link: <a href=9zqjxJaVAscRIPT:prompt(99)9zqjx>Your Link</a><br>
+
+URL: http://danmcinerney.org/tests/form.html
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: message, link, email
+Line: Your unfiltered email address is: 9zqjx"()=<>9zqjx<br>
+
+URL: https://musopen.org/
+Unfiltered: "
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: q
+Line: <p class="correction"><span>Did you mean: <a href="?q=9zqjx+9zqjx">9zqjx 9zqjx</a></span></p>
+
+URL: https://musopen.org/
+Unfiltered: "
+Payload: '&quot;(){}[];
+Type: form
+Injection point: form field names: q
+Line: <p class="correction"><span>Did you mean: <a href="?q=9zqjx+quot+9zqjx">9zqjx quot 9zqjx</a></span></p>
+
+URL: http://musopen.tumblr.com
+Unfiltered: JaVAscRIPT:prompt(99)
+Payload: JaVAscRIPT:prompt(99)
+Type: form
+Injection point: form field names: q
+Line:      <title>Musopen News | Search results for: 9zqjxJaVAscRIPT:prompt(99)9zqjx</title>	
+Line:               <input type="text" id="txtSearch" name="q" value="9zqjxJaVAscRIPT:prompt(99)9zqjx" />
+Line:                  <h2>Search results for <a href="9zqjxJaVAscRIPT%3Aprompt%2899%299zqjx">9zqjxJaVAscRIPT:prompt(99)9zqjx</a></h2>
+Line:                        <p>I’m sorry, but we couldn't find anything matching "<b>9zqjxJaVAscRIPT:prompt(99)9zqjx</b>". Suggestions:</p>
+
+URL: http://oar.yuku.com/topic/15516
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: q, submit
+Line: 				<input name="q" type="text" id="search-input" class="text" value="9zqjx"()=<>9zqjx">
+Line: 			<h2>Search Results For: 9zqjx"()=<>9zqjx</h2>
+
+URL: http://oar.yuku.com/reply/485104/Rockville-LP-songs-played-on-summer-tour
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_abbf260948d17100ddce6b91405f1999"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://skindesignsalon.yuku.com/login/loginnow/Login-to-Yuku.html
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:   <div class="ka-field ka-text-field ka-login"><label for="ka-login_username">Username:</label><span class="ka-input-wrapper ka-text ka-hvr"><input id="ka-login_username" class="ka-text ka-hvr" type="text" name="login" value="9zqjx"()=<>9zqjx" tabindex="1"></span></div>  <script type="text/javascript">
+
+URL: http://skindesignsalon.yuku.com/portal
+Unfiltered: "()=
+Payload: "()=<>
+Type: form
+Injection point: form field names: site-url, site-name
+Line:     <form id="createcommunity" class="ka-create-communtiy-not-logged-in" action="http://www.yuku.com/portal/createcommunity" method="post"><div class="ka-fieldset"><div class="ka-field ka-text-field k...
+
+URL: http://oar.yuku.com/invite/sendpage/?emaillist=&url=http%3A%2F%2Foar.yuku.com%2Ftopic%2F15522
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_511c8191f7eac8b948195219422661de"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://oar.yuku.com/topic/15522
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: q, submit
+Line: 				<input name="q" type="text" id="search-input" class="text" value="9zqjx"()=<>9zqjx">
+Line: 			<h2>Search Results For: 9zqjx"()=<>9zqjx</h2>
+
+URL: http://oar.yuku.com/topic/15516
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_65d617984d7ee33273c98d14b7faf7a8"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://oar.yuku.com/topic/15522
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_0082fb43c290dfbbf4793b7a0d5a59ec"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://pommielvrjen.u.yuku.com/
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_ed0bd06c5bc0cd02e4d7896c9cf64793"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://pommielvrjen.u.yuku.com/gallery/ls
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_1529e5f4a9fdd556c0ffa2ccb4a1f407"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://pommielvrjen.u.yuku.com/portal
+Unfiltered: "()=
+Payload: "()=<>
+Type: form
+Injection point: form field names: site-url, site-name
+Line:     <form id="createcommunity" class="ka-create-communtiy-not-logged-in" action="http://www.yuku.com/portal/createcommunity" method="post"><div class="ka-fieldset"><div class="ka-field ka-text-field k...
+
+URL: http://puddinskittles.u.yuku.com/
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_221cfb41bc03f1fd0aa07a3e7c565e7a"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://pommielvrjen.u.yuku.com/comment/view/id/220693
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: form
+Injection point: form field names: vno, login, password
+Line:                     <h1 class="mgr-logo-link"><a href="http://yuku.com">Yuku free message boards</a></h1><form action="" class="login-form" method="post"><div><input type="hidden" name="vno" value="r_7b3714174bc1c41046e57bd0a44bdc70"><input name="login" type="text" class="mgr-text" value="9zqjx"()=<>9zqjx"><label>Password:</label><input name="password" type="password" title="enter your password" class="mgr-text sliver-login-password">  
+
+URL: http://worktruckjobs.com/display-job/23/Demo-Job.html?page=1&searchId=1406272459.2538
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: searchId
+Line: 							<a href="http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx"()=<>9zqjx&amp;view=map" onclick="popUpWindowIframe('http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx"()=<>9zqjx&amp;view=map&amp;lightbox=1', 810, 710, 'Map'); return false;">Map View</a>
+Line: 								<a href="http://worktruckjobs.com/display-job/23/Demo-Job.html?action=search&amp;searchId=9zqjx"()=<>9zqjx&amp;page=1#listing_23">Back to Results</a>
+Line: 								<a href="http://worktruckjobs.com/find-jobs/?searchId=9zqjx"()=<>9zqjx">Modify Search</a>
+
+URL: http://worktruckjobs.com/display-job/23/Demo-Job.html?page=1&searchId=1406272459.2538
+Unfiltered: '"(){}[];
+Payload: %27%22%28%29%7B%7D%5B%5D%3B
+Type: url
+Injection point: searchId
+Line: 							<a href="http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx'"(){}[];9zqjx&amp;view=map" onclick="popUpWindowIframe('http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx'"(){}[];9zqjx&amp;view=map&amp;lightbox=1', 810, 710, 'Map'); return false;">Map View</a>
+Line: 								<a href="http://worktruckjobs.com/display-job/23/Demo-Job.html?action=search&amp;searchId=9zqjx'"(){}[];9zqjx&amp;page=1#listing_23">Back to Results</a>
+Line: 								<a href="http://worktruckjobs.com/find-jobs/?searchId=9zqjx'"(){}[];9zqjx">Modify Search</a>
+
+URL: http://worktruckjobs.com/display-job/23/Demo-Job.html?page=1&searchId=1406272459.2538
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: page
+Line: 								<a href="http://worktruckjobs.com/display-job/23/Demo-Job.html?action=search&amp;searchId=1406272459.2538&amp;page=9zqjx"()=<>9zqjx#listing_23">Back to Results</a>
+
+URL: http://worktruckjobs.com/display-job/23/Demo-Job.html?page=1&searchId=1406272459.2538
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: url
+Injection point: searchId
+Line: 							<a href="http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx'"(){}[];9zqjx&amp;view=map" onclick="popUpWindowIframe('http://worktruckjobs.com/display-job-map/?listing_id=23&amp;searchId=9zqjx'"(){}[];9zqjx&amp;view=map&amp;lightbox=1', 810, 710, 'Map'); return false;">Map View</a>
+Line: 								<a href="http://worktruckjobs.com/display-job/23/Demo-Job.html?action=search&amp;searchId=9zqjx'"(){}[];9zqjx&amp;page=1#listing_23">Back to Results</a>
+Line: 								<a href="http://worktruckjobs.com/find-jobs/?searchId=9zqjx'"(){}[];9zqjx">Modify Search</a>
+
+URL: http://worktruckjobs.com/display-job/23/Demo-Job.html?page=1&searchId=1406272459.2538
+Unfiltered: '"(){}[];
+Payload: %27%22%28%29%7B%7D%5B%5D%3B
+Type: url
+Injection point: page
+Line: 								<a href="http://worktruckjobs.com/display-job/23/Demo-Job.html?action=search&amp;searchId=1406272459.2538&amp;page=9zqjx'"(){}[];9zqjx#listing_23">Back to Results</a>
+
+URL: http://help.yandex.com/mail/
+Unfiltered: "()=
+Payload: "()=<>
+Type: form
+Injection point: form field names: text
+Line:       <title>Search results for "9zqjx"()=&lt;&gt;9zqjx" — Yandex.Help</title>
+Line:                   <span class="b-form-input__box"><input value='9zqjx"()=&lt;&gt;9zqjx' class="b-form-input__input" id="search" name="text" maxlength="400" tabindex="1"><span class="b-form-input__clear b-form-input__clear_visibility_visible"></span></span>
+Line:           <div class="b-serp"><div class="b-page-title b-page-title_type_shifted"><h1 class="b-page-title__title">Search results for "9zqjx"()=&lt;&gt;9zqjx"</h1></div><div class="b-static-text">
+
+URL: http://help.yandex.com/webmaster/controlling-robot/robots-txt.xml
+Unfiltered: "()=
+Payload: "()=<>
+Type: form
+Injection point: form field names: text
+Line:       <title>Search results for "9zqjx"()=&lt;&gt;9zqjx" — Yandex.Help</title>
+Line:                   <span class="b-form-input__box"><input value='9zqjx"()=&lt;&gt;9zqjx' class="b-form-input__input" id="search" name="text" maxlength="400" tabindex="1"><span class="b-form-input__clear b-form-input__clear_visibility_visible"></span></span>
+Line:           <div class="b-serp"><div class="b-page-title b-page-title_type_shifted"><h1 class="b-page-title__title">Search results for "9zqjx"()=&lt;&gt;9zqjx"</h1></div><div class="b-static-text">
+
+URL: http://help.yandex.com/webmaster/controlling-robot/robots-txt.xml
+Unfiltered: '"(){}[];
+Payload: '"(){}[];
+Type: form
+Injection point: form field names: text
+Line:       <title>Search results for "9zqjx'"(){}[];9zqjx" — Yandex.Help</title>
+Line:           <div class="b-serp"><div class="b-page-title b-page-title_type_shifted"><h1 class="b-page-title__title">Search results for "9zqjx'"(){}[];9zqjx"</h1></div><div class="b-static-text">
+
+URL: https://helpx.adobe.com/jp/creative-cloud-enterprise.html
+Unfiltered: ";
+Payload: %27%22%28%29%7B%7D%5B%5D%3B
+Type: form
+Injection point: form field names: area, q, y, lr, hl, searchterm, x, lbl
+
+URL: http://kadira.com/blog.php?CA=Abril+2006&DAT=April+2006
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CA
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas realizadas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CA=Abril+2014&DAT=April+2014
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CA
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas realizadas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=0&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=0&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: https://google-gruyere.appspot.com/855589874918/snippets.gtl?uid=brie
+Unfiltered: '"(){}[];
+Payload: %27%22%28%29%7B%7D%5B%5D%3B
+Type: url
+Injection point: uid
+Line: 9zqjx'"(){}[];9zqjx
+Line: onclick='_refreshSnippets("855589874918", "9zqjx'"(){}[];9zqjx")'
+Line: 9zqjx'"(){}[];9zqjx
+
+URL: https://google-gruyere.appspot.com/855589874918/snippets.gtl?uid=brie
+Unfiltered: '()=<>
+Payload: '()=<>
+Type: url
+Injection point: uid
+Line: 9zqjx'()=<>9zqjx
+Line: onclick='_refreshSnippets("855589874918", "9zqjx'()=<>9zqjx")'
+Line: 9zqjx'()=<>9zqjx
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=1&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=1&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CA=Noviembre+2007&DAT=November+2007
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CA
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas realizadas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CA=Mayo+2012&DAT=May+2012
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CA
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas realizadas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=1&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10&pageNum_Recordset1=1&totalRows_Recordset1=13
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://danmcinerney.org/headers.php
+Unfiltered: ()=<>
+Payload: ()=<>
+Type: header
+Injection point: Referer
+Line: Referer: 9zqjx()=<>9zqjx <br />
+
+URL: http://danmcinerney.org/headers.php
+Unfiltered: ()=<>
+Payload: ()=<>
+Type: header
+Injection point: User-Agent
+Line: User-Agent: 9zqjx()=<>9zqjx <br />
+
+URL: http://www.kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10
+Unfiltered: "()=<>
+Payload: %22%28%29%3D%3C%3E
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
+
+URL: http://www.kadira.com/blog.php?CAT=Ergonom%C3%ADa&IDcat=10
+Unfiltered: "()=<>
+Payload: "()=<>
+Type: url
+Injection point: CAT
+Line: <title>El Blog. Entradas - 9zqjx"()=<>9zqjx</title>
+Line: <meta name="description" content="Blog ergonómico de Kadira, entradas específicas en 9zqjx"()=<>9zqjx." />
+Line: <h1>9zqjx"()=<>9zqjx - El blog de ergonomía</h1>
diff --git a/xsscrapy/pipelines.py b/xsscrapy/pipelines.py
index a1a6f6c..3800128 100644
--- a/xsscrapy/pipelines.py
+++ b/xsscrapy/pipelines.py
@@ -27,16 +27,34 @@ class XSS_pipeline(object):
                     # If the injection param, the url up until the injected param and the payload
                     # are all the same as a previous item, then don't bother creating the item
 
-                    # Match injection points
+                    # Match tags where injection point was found
                     if item['inj_point'] == i['inj_point']:
 
-                        # Match the URL up until the injected param
-                        injected_var = item['inj_point']+'='
-                        if item['url'].split(injected_var, 1)[0] == i['url'].split(injected_var, 1)[0]:
+                        # Match the URL up until the params
+                        if item['url'].split('?', 1)[0] == i['url'].split('?', 1)[0]:
 
                             # Match the payload
                             if item['xss_payload'] == i['xss_payload']:
-                                raise DropItem('Duplicate item found: %s' % item['url'])
+
+                                # Match the unfiltered characters
+                                if item['unfiltered'] == i['unfiltered']:
+
+                                    raise DropItem('Duplicate item found: %s' % item['url'])
+
 
             self.url_param_xss_items.append(item)
+
+        self.write_to_file(item)
+
         return item
+
+    def write_to_file(self, item):
+        with open('formatted_vulns.txt', 'a+') as f:
+            f.write('\n')
+            f.write('URL: '+item['url']+'\n')
+            f.write('Unfiltered: '+item['unfiltered']+'\n')
+            f.write('Payload: '+item['xss_payload']+'\n')
+            f.write('Type: '+item['xss_type']+'\n')
+            f.write('Injection point: '+item['inj_point']+'\n')
+            for line in item['line']:
+                f.write('Line: '+line[1]+'\n')
diff --git a/xsscrapy/settings.py b/xsscrapy/settings.py
index 23c96a8..9225de2 100644
--- a/xsscrapy/settings.py
+++ b/xsscrapy/settings.py
@@ -28,7 +28,7 @@ ITEM_PIPELINES = {'xsscrapy.pipelines.XSS_pipeline':100} # Look into what the 10
 
 FEED_FORMAT = 'csv'
 FEED_URI = 'vulnerable-urls.txt'
-#COOKIES_DEBUG = True
+COOKIES_DEBUG = True
 
 # Test for injection via headers
 #DEFAULT_REQUEST_HEADERS = {'Referer': '9zqjx', 'User-Agent':'9zqjx'}
diff --git a/xsscrapy/spiders/xss_spider.py b/xsscrapy/spiders/xss_spider.py
index 523d718..cf52301 100644
--- a/xsscrapy/spiders/xss_spider.py
+++ b/xsscrapy/spiders/xss_spider.py
@@ -1,3 +1,5 @@
+# -- coding: utf-8 --
+
 from scrapy.contrib.linkextractors.sgml import SgmlLinkExtractor
 from scrapy.contrib.spiders import CrawlSpider, Rule
 from scrapy.selector import Selector
@@ -24,7 +26,7 @@ import requests
 #
 #w3lib.url.safe_url_string = new_safe_url_string
 
-#from IPython import embed
+from IPython import embed
 
 __author__ = 'Dan McInerney danhmcinerney@gmail.com'
 
@@ -34,7 +36,8 @@ cookie
 data control?
 
 TO DO
--add DOM detection (pretty easy, just use those regexs from google domwikixss)
+-add DOM detection or static js analysis (check retire.js project)
+-the variable payload starts as the encoded payload and is eventually unescaped but not everuwhere?
 -cleanup xss_chars_finder(self, response)
 -prevent Requests from being URL encoded (line 57 of __init__ in Requests class)
 
@@ -58,6 +61,8 @@ class XSSspider(CrawlSpider):
         self.redir_pld = 'JaVAscRIPT:prompt(99)'
         #attr_pld = generated once injection points are found (requires checking if single or double quotes ends html attribute values)
         self.form_requests_made = set()
+        self.header_requests_made = set()
+        self.url_requests_made = set()
 
         self.login_user = kwargs.get('user')
         self.login_pass = kwargs.get('pw')
@@ -68,6 +73,7 @@ class XSSspider(CrawlSpider):
         base_url = u.scheme+'://'+u.hostname
         robots_url = base_url+'/robots.txt'
         robot_req = [Request(robots_url, callback=self.robot_parser, meta={'base_url':base_url})]
+
         reqs = self.parse_resp(response)
         reqs += robot_req
         return reqs
@@ -129,6 +135,9 @@ class XSSspider(CrawlSpider):
         payload = self.test_str
         payloads = [payload]
 
+        # Get any cookies (logic of this still needs working out)
+        #cookies = response.headers.getlist('Set-Cookie')
+
         # Edit a few select headers with injection string and resend request
         headers = ['Referer', 'User-Agent']
         header_reqs = self.make_header_reqs(orig_url, payloads, headers, quote_enclosure, None)
@@ -266,6 +275,12 @@ class XSSspider(CrawlSpider):
                 for params in modded_params[payload]:
                     joinedParams = urllib.urlencode(params, doseq=1) # doseq maps the params back together
                     newURL = urllib.unquote(protocol+hostname+path+'?'+joinedParams)
+
+                    # Prevent URL dupes since we have dont_filter set to True for payloaded urls
+                    if set(newURL).issubset(self.url_requests_made):
+                        continue
+                    self.url_requests_made.add(newURL)
+
                     for p in params:
                         if p[1] == payload:
                             changed_value = p[0]
@@ -273,8 +288,6 @@ class XSSspider(CrawlSpider):
 
         if len(payloaded_urls) > 0:
             return payloaded_urls
-        else:
-            return
 
     def getURLparams(self, url):
         ''' Parse out the URL parameters '''
@@ -374,11 +387,11 @@ class XSSspider(CrawlSpider):
     def xss_str_generator(self, injections, quote_enclosure, inj_type):
         ''' This is where the injection points are analyzed and specific payloads are created '''
 
+        event_attrs = self.event_attributes()
         attr_pld = quote_enclosure+self.tag_pld
         payloads = []
 
         for i in injections:
-           # print i
             line, tag, attr, attr_val = self.parse_injections(i)
 
             if attr:
@@ -386,6 +399,10 @@ class XSSspider(CrawlSpider):
                 if attr == 'href' and attr_val == self.test_str:
                     if self.redir_pld not in payloads:
                         payloads.append(self.redir_pld)
+                # Test for javacsript running attributes
+                if attr in event_attrs:
+                    if self.js_pld not in payloads:
+                        payloads.append(self.js_pld)
 
                 # Test for normal attribute-based XSS (needs either ' or " to be unescaped depending on which char the value is wrapped in
                 if attr_pld not in payloads:
@@ -405,11 +422,18 @@ class XSSspider(CrawlSpider):
         if self.tag_pld in payloads and attr_pld in payloads:
             payloads.remove(self.tag_pld)
 
+        for p in payloads:
+            if 'h' in payloads:
+                print '***PAYLOADS:', p
+
         if inj_type == 'url':
             payloads.append(urllib.quote_plus(payloads[0]))
 
         payloads = self.delim_payloads(payloads)
         if len(payloads) > 0:
+            for p in payloads:
+                if 'h' in payloads:
+                    print '***PAYLOADS:', p
             return payloads
         else:
             return
@@ -430,7 +454,6 @@ class XSSspider(CrawlSpider):
         # namely: meta tag with content attr, a tag with href attribute (onmouseover payload), option tag any attr (onmouseover payload)
 
         item = vuln()
-        event_attrs = self.event_attributes()
         xss_type = response.meta['type']
         orig_url = response.meta['orig_url']
         injections = response.meta['injections']
@@ -440,9 +463,11 @@ class XSSspider(CrawlSpider):
         body = response.body
         # Regex: ( ) mean group 1 is within the parens, . means any char, {1,25} means match any char 1 to 25 times
         chars_between_delims = '%s(.{1,25})%s' % (self.test_str, self.test_str) # self.js_pld is 21 chars, so added a little extra space
-        orig_payload = response.meta['payload'].strip(self.test_str) # xss char payload
-        payload = self.unescape_payload(orig_payload)
         inj_num = len(injections)
+        mismatch = False
+
+        orig_payload = response.meta['payload'].strip(self.test_str) # xss char payload
+        escaped_payload = self.unescape_payload(orig_payload)
 
         break_tag_chars = set(['>', '<',])
         break_attr_chars = set([quote_enclosure])
@@ -451,61 +476,53 @@ class XSSspider(CrawlSpider):
         matches = re.findall(chars_between_delims, body)
         if matches:
             xss_num = len(matches)
-        else:
-            xss_num = 0
-        if xss_num > 0:
+
             if xss_num != inj_num:
-                item['xss_type'] = 'Error '+str(xss_type)
-                item['inj_point'] = 'Error '+str(inj_point)
-                item['xss_payload'] = 'Error '+str(orig_payload)
-                item['url'] = 'Error '+str(orig_url)
+                mismatch = True
                 err = ('Mismatch between harmless injection count and payloaded injection count: %d vs %d' % (inj_num, xss_num))
                 item['error'] = err
 
-
-            unfiltered_chars = self.get_unfiltered_chars(matches, payload)
-            if unfiltered_chars:
-                for idx, i in enumerate(injections):
-                    line, tag, attr, attr_val = self.parse_injections(i)
-
+            for idx, match in enumerate(matches):
+                unfiltered_chars = self.get_unfiltered_chars(match, escaped_payload)
+                if unfiltered_chars:
                     try:
-                        c = unfiltered_chars[idx] # c = set of characters found at injection point
+                        line, tag, attr, attr_val = self.parse_injections(injections[idx])
                     except IndexError:
                         # Mismatch in num of test injections and num of payloads found
                         # I feel like I could put a break instead of a continue here but I am so fearful of false negatives
-                        continue
+                        break
 
-                    joined_chars = ''.join(c)
-                    chars = set(c)
-                    line = self.get_inj_line(body, joined_chars, item)
+                    joined_chars = ''.join(unfiltered_chars)
+                    chars = set(joined_chars)
+                    line_html = self.get_inj_line(body, match, item)
 
                     ###### XSS RULES ########
                     # Redirect
-                    if self.redir_pld.lower() == payload.lower(): #redir
-                        if 'javascript:prompt(99)' == joined_chars.lower():
-                            return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line, item)
+                    if 'javascript:prompt(99)' == joined_chars.lower(): # redir
+                        return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line_html, item)
 
                     # JS breakout
-                    if self.js_pld == payload: #js chars
+                    if self.js_pld == escaped_payload: #js chars
                         if break_js_chars.issubset(chars):
-                            if '\\' not in chars:
-                                return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line, item)
+                            return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line_html, item)
 
                     # Attribute breakout
                     if attr:
-                        if quote_enclosure in payload:
+                        # Must pass a string search for the test+unesc_payload+test in at least one line of html and cannot be a mismatch
+                        #if line_html and mismatch == False:
+                        if quote_enclosure in escaped_payload:
                             if break_attr_chars.issubset(chars):
-                                return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line, item)
+                                return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line_html, item)
 
                     # Tag breakout
                     else:
-                        if '<' and '>' in payload:
+                        if '<' and '>' in escaped_payload:
                             if break_tag_chars.issubset(chars):
-                                return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line, item)
+                                return self.make_item(joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line_html, item)
 
         # Check the entire body for exact match
-        if payload in body:
-            #item['line'] = self.get_inj_line(body, payload, item)
+        if escaped_payload in body:
+            item['line'] = self.get_inj_line(body, escaped_payload, item)
             item['xss_payload'] = orig_payload
             item['unfiltered'] = payload
             item['inj_point'] = inj_point
@@ -517,8 +534,12 @@ class XSSspider(CrawlSpider):
         lines = []
         html_lines = body.splitlines()
         for idx, line in enumerate(html_lines):
+            line = line.strip()
             if payload in line:
-                lines += (idx, line)
+                if len(line) > 500:
+                    line = line[:200]+'...'
+                num_txt = (idx, line)
+                lines.append(num_txt)
 
         if len(lines) > 0:
             return lines
@@ -526,7 +547,7 @@ class XSSspider(CrawlSpider):
     def make_item(self, joined_chars, xss_type, orig_payload, tag, orig_url, inj_point, line, item):
         ''' Create the vulnerable item '''
 
-        #item['line'] = line
+        item['line'] = line
         item['xss_type'] = xss_type
         item['xss_payload'] = orig_payload
         item['unfiltered'] = joined_chars
@@ -546,23 +567,23 @@ class XSSspider(CrawlSpider):
 
         return line, tag, attr, attr_val
 
-    def get_unfiltered_chars(self, matches, payload):
+    def get_unfiltered_chars(self, match, escaped_payload):
         ''' Check for the special chars and append them to a master list of tuples, one tuple per injection point '''
         unfiltered_chars = []
-        found_chars = []
 
-        for m in matches:
-            for c in payload:
-                if c in m:
-                    found_chars.append(c)
-            if len(found_chars) > 0:
-                unfiltered_chars.append(found_chars)
-                found_chars = []
+        # Make sure js payloads remove escaped ' and "
+        #if escaped_payload == self.js_pld:
+        escaped_chars = re.findall(r'\\(.)', match)
+        for escaped_char in escaped_chars:
+            if escaped_char not in ['x', 'u']: # x and u for hex and unicode \x43, \u0022
+                match = match.replace(escaped_char, '')
+
+        for c in escaped_payload:
+            if c in match:
+                unfiltered_chars.append(c)
 
         if len(unfiltered_chars) > 0:
             return unfiltered_chars
-        else:
-            return
 
     def unescape_payload(self, payload):
         ''' Unescape the various payload encodings (html and url encodings)'''
@@ -572,6 +593,7 @@ class XSSspider(CrawlSpider):
                 payload = urllib.unquote_plus(payload)
         # only html-encoded payloads will have & in them
         payload = HTMLParser.HTMLParser().unescape(payload)
+
         return payload
 
     def parse_attr_xpath(self, xpath):
@@ -646,28 +668,37 @@ class XSSspider(CrawlSpider):
         return event_attributes
 
     def make_url_reqs(self, orig_url, payloaded_urls, quote_enclosure, injections):
+        ''' Make the URL requests and filter out dupes '''
+
         reqs = [Request(url[0],
                         meta={'type':'url',
                               'inj_point':url[1],
                               'orig_url':orig_url,
                               'payload':url[2],
-                              'quote':quote_enclosure},
-                        dont_filter = True)
+                              'quote':quote_enclosure})
                         for url in payloaded_urls] # Meta is the payload
 
-        reqs = self.add_callback(injections, reqs)
+        for url in payloaded_urls:
+            if url[2] == self.test_str:
+                break
+            print 'payload:', url[2]
 
-        if len(reqs) > 0:
-            for r in reqs:
-                # Make sure we're only showing payloaded URLs, not tester URLs
-                if r.callback == self.xss_chars_finder:
-                    self.log('Sending payloaded URL: '+r.url)
-                else:
-                    break
+        reqs = self.add_callback(injections, reqs)
+        reqs = self.add_dupe_filter(reqs)
+        if reqs:
             return reqs
 
-        else:
-            return
+    def add_dupe_filter(self, reqs):
+        for r in reqs:
+            # Make sure we're only showing payloaded URLs, not tester URLs
+            if r.callback == self.xss_chars_finder:
+                # Don't filter payloaded ones, but do filter reqs with the payload == self.test_str
+                r.dont_filter = True
+                self.log('Sending payloaded URL: '+r.url)
+            else:
+                break
+
+        return reqs
 
     def make_header_reqs(self, url, payloads, headers, quote_enclosure, injections):
         ''' Generate header requests '''
@@ -682,6 +713,7 @@ class XSSspider(CrawlSpider):
                         dont_filter=True)
                 for header in headers for payload in payloads]
 
+        reqs = self.remove_header_dupes(reqs)
         reqs = self.add_callback(injections, reqs)
 
         if len(reqs) > 0:
@@ -696,6 +728,25 @@ class XSSspider(CrawlSpider):
         else:
             return
 
+    def remove_header_dupes(self, reqs):
+        ''' Put all header requests made into a tuple of (url, header, payload) and
+        compare new header requests to this master set to prevent dupes '''
+        new_reqs =[]
+        for r in reqs:
+            for h in r.headers:
+                header = h # Referer or User-Agent
+                break
+            payload = r.headers[header]
+            u_h_p = (r.url, header, payload)
+            if set(u_h_p).issubset(self.header_requests_made):
+                continue
+            else:
+                self.header_requests_made.add(u_h_p)
+                new_reqs.append(r)
+
+        if len(reqs) > 0:
+            return new_reqs
+
     def add_callback(self, injections, reqs):
         ''' Add the callback to the requests depending on if it's a test req or payloaded req '''
 
@@ -795,7 +846,3 @@ class XSSspider(CrawlSpider):
             return reqs
         else:
             return
-
-############################################################################################
-            #if not p == self.redir_pld:
-            #    payload_list.append(self.test_str+urllib.quote_plus(p)+self.test_str)