Some examples of bad sanitizers
authorDavid Kerkeslager <kerkeslager@gmail.com>
Sat, 10 Sep 2016 16:07:55 +0000 (12:07 -0400)
committerDavid Kerkeslager <kerkeslager@gmail.com>
Sat, 10 Sep 2016 16:07:55 +0000 (12:07 -0400)
bad_sanitizers/bad_sanitizers.py [new file with mode: 0644]
bad_sanitizers/breaking_bad_sanitizers.py [new file with mode: 0644]

diff --git a/bad_sanitizers/bad_sanitizers.py b/bad_sanitizers/bad_sanitizers.py
new file mode 100644 (file)
index 0000000..1297dd1
--- /dev/null
@@ -0,0 +1,19 @@
+import re
+import urllib.parse
+
+def sanitizer_1(source):
+    items_were_deleted = True
+
+    while items_were_deleted:
+        start_length = len(source)
+
+        source = ''.join(re.split(r'<\s*split\s*>', source))
+        source = source[:50]
+        source = ''.join(source.split('"'))
+
+        items_were_deleted = len(source) < start_length
+
+        source = urllib.parse.unquote(source)
+
+    return source
+        
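Review bot: The percent-decode on line L29 runs after `items_were_deleted` has already been computed from the length comparison on L27, so on the final pass the function returns `urllib.parse.unquote(source)` without that decoded text ever going back through the `<split>`/`"` stripping — exactly the ordering flaw the companion test exercises. Because the commit title says these are intentional negative examples, that should be stated in the file so nobody copies `sanitizer_1` into real code: a module docstring such as `"""Deliberately flawed input sanitizers kept as negative examples; do not use in production."""` and a function docstring noting that decoding after the fixed-point check is the bug and that output-side escaping (e.g. `html.escape`) rather than denylist stripping is the correct control. Note also that the `source[:50]` truncation counts as a "deletion" and forces an extra loop iteration whenever the input exceeds 50 characters, which is worth a one-line comment. The last line of the hunk is whitespace-only trailing spaces and should be dropped.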
diff --git a/bad_sanitizers/breaking_bad_sanitizers.py b/bad_sanitizers/breaking_bad_sanitizers.py
new file mode 100644 (file)
index 0000000..f850c0f
--- /dev/null
@@ -0,0 +1,19 @@
+import unittest
+import urllib.parse
+
+import bad_sanitizers
+
+class TestBreakingStrings(unittest.TestCase):
+    def test_breaking_string_for_bad_sanitizer_1(self):
+        desired_result = '"><script>alert("foo")</script>'
+
+        breaking_string = '%22>%3Cscript>alert(%22foo%22)</script>'
+
+        print(breaking_string)
+
+        self.assertEqual(
+            bad_sanitizers.sanitizer_1(breaking_string),
+            desired_result,
+        )
+
+unittest.main()
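Review bot: `unittest.main()` is called unconditionally at module level, so merely importing `breaking_bad_sanitizers` runs the test suite and exits the interpreter; wrap it as `if __name__ == "__main__":` / `    unittest.main()`. The `print(breaking_string)` on the line before the assertion is leftover debug output that will clutter test runs; if the value is useful on failure, pass it as the `msg` argument of `assertEqual` instead. `urllib.parse` is imported but never used in this file.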