Last update: December 11th 2007
Description
The purpose of the WASC Script Mapping Project is to come up with an
exhaustive list of vectors that cause a script to be executed within a web
page without the use of <script> tags. This data can be useful when testing poorly
implemented Cross-site Scripting blacklist filters and for those wishing to build an HTML whitelist system, as
well as for other uses.
Originally this project was scoped to check the W3C tag and event attribute combinations to identify which
events can be fired in a given tag. After community discussion we extended the project to test for and map
the different ways script can be executed by a browser without the use of the script tag. These vectors will be
identified via a combination of custom automated test suites and manual review when applicable.
To make the data more manageable we will be publishing our results in different phases.
Releases
For each release, we need verification. If you think a result is inaccurate or simply wrong, you can review the associated test case
and send back your comments.
Phases
HTML/XHTML event attributes
* W3C Event Handlers: Firefox2, IE7, Safari3 (Nov. 26, 2007) (Download) & Test Cases (Download)
* Internet Explorer specifics
* Gecko specifics
* KHTML/WebKit specifics
Script engine calls
* JavaScript (e.g., href="javascript:alert('foo')")
* VBScript
Cascading Style Sheets
* W3C (ref 1,2,3)
* Gecko
* WebKit
The list of script execution vectors is still being scoped, and we are open to suggestions.
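As an added illustration (not part of the WASC project's own test suites), the sketch below shows the whitelist approach mentioned in the description applied to the three phases listed above: it keeps only named tags and attributes, which drops event attributes and style, and it checks the scheme of URL attributes, which drops javascript: and vbscript: calls. The tag, attribute and scheme policy and the SAMPLE input are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes that may be kept.
ALLOWED_TAGS = {"a": {"href", "title"}, "img": {"src", "alt"},
                "p": set(), "b": set(), "i": set()}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL
VOID_TAGS = {"img"}

def safe_url(value):
    # Browsers tolerate whitespace and control characters inside a scheme,
    # so remove them before deciding; the comparison is case-insensitive.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue  # on* event attributes and style end here
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, vbscript: and other schemes end here
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, reusing the page's alert('foo') call.
SAMPLE = ("<p onclick=\"alert('foo')\" style=\"color:red\">hi "
          "<a href=\"javascript:alert('foo')\" title=\"t\">x</a></p>")
```

A filter that only searches for <script> leaves SAMPLE unchanged, while sanitize(SAMPLE) keeps the paragraph, the link text and the title attribute and nothing else.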
If you would like to be involved with the project, please contact
Romain Gaucher