Parsing test_escape.cs
escape: not used
UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.?
BlahJs: quote ' backslash \ semicolon ; end tag </script>
Title: </title><script>alert(1)</script>
escape: none
UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.?
BlahJs: quote ' backslash \ semicolon ; end tag </script>
Title: </title><script>alert(1)</script>
escape: html
UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.?
BlahJs: quote ' backslash \ semicolon ; end tag </script>
Title: </title><script>alert(1)</script>
escape: js
UrlArg: Secret Password~!@#$%^\x26*()+=-_|\x5C[]{}:\x22\x3B\x27\x3C\x3E,.?
BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
Title: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3E
escape: url
UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F
BlahJs: quote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
Title: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
Nested escaping: html
The internal calls should take precedence
url -> UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F
js -> BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
html -> Title: </title><script>alert(1)</script>
Defining the macro echo_all inside of a "html" escape.
Calling echo_all() macro:
not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
Calling echo_all() macro from within "html":
not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
Calling echo_all() macro from within "js":
not used: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
Calling echo_all() macro from within "url":
not used: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>
url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E
js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E
html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script>