From fb55aa39701df8a28bea106ea7df199c3cb3af1b Mon Sep 17 00:00:00 2001
From: David Kerkeslager <kerkeslager@gmail.com>
Date: Sat, 10 Sep 2016 12:07:55 -0400
Subject: [PATCH] Some examples of bad sanitizers

---
 bad_sanitizers/bad_sanitizers.py          | 19 +++++++++++++++++++
 bad_sanitizers/breaking_bad_sanitizers.py | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 bad_sanitizers/bad_sanitizers.py
 create mode 100644 bad_sanitizers/breaking_bad_sanitizers.py

diff --git a/bad_sanitizers/bad_sanitizers.py b/bad_sanitizers/bad_sanitizers.py
new file mode 100644
index 0000000..1297dd1
--- /dev/null
+++ b/bad_sanitizers/bad_sanitizers.py
@@ -0,0 +1,19 @@
+import re
+import urllib.parse
+
+def sanitizer_1(source):
+    items_were_deleted = True
+
+    while items_were_deleted:
+        start_length = len(source)
+
+        source = ''.join(re.split(r'<\s*split\s*>', source))
+        source = source[:50]
+        source = ''.join(source.split('"'))
+
+        items_were_deleted = len(source) < start_length
+
+        source = urllib.parse.unquote(source)
+
+    return source
+        
diff --git a/bad_sanitizers/breaking_bad_sanitizers.py b/bad_sanitizers/breaking_bad_sanitizers.py
new file mode 100644
index 0000000..f850c0f
--- /dev/null
+++ b/bad_sanitizers/breaking_bad_sanitizers.py
@@ -0,0 +1,19 @@
+import unittest
+import urllib.parse
+
+import bad_sanitizers
+
+class TestBreakingStrings(unittest.TestCase):
+    def test_breaking_string_for_bad_sanitizer_1(self):
+        desired_result = '"><script>alert("foo")</script>'
+
+        breaking_string = '%22>%3Cscript>alert(%22foo%22)</script>'
+
+        print(breaking_string)
+
+        self.assertEqual(
+            bad_sanitizers.sanitizer_1(breaking_string),
+            desired_result,
+        )
+
+unittest.main()
-- 
2.20.1