更新

package.json

@@ -76,6 +76,7 @@
     "nightwatch": "^0.9.9",
     "opn": "^4.0.2",
     "ora": "^0.3.0",
+    "raw-loader": "^0.5.1",
     "selenium-server": "^3.0.1",
     "shelljs": "^0.7.5",
     "sinon": "^1.17.6",

src/data/exam/6.remove right tag.js

@@ -0,0 +1,4 @@
+function render (input) {
+  input = input.replace(/auto|on.*=|>/ig, '_')
+  return `<input value=1 ${input} type="text">`
+}

src/data/exam/8.style.js

@@ -0,0 +1,8 @@
+function render (src) {
+  src = src.replace(/<\/style>/g, '/* \u574F\u4EBA */')
+  return `
+    <style>
+      ${src}
+    </style>
+  `
+}

src/data/exam/index.js

@@ -13,7 +13,9 @@ export default {
     "0x0A",
     "0x0B",
     "0x0C",
-    "0x0D"
+    "0x0C",
+    "0x0E",
+    "0x0F"
   ],
   "data": {
     "0x00": {
@@ -34,41 +36,45 @@ export default {
     },
     "0x04": {
       "beCode": "function render (input) {\n  const stripBracketsRe = /[()`]/g\n  input = input.replace(stripBracketsRe, '')\n  return input\n}",
-      "title": "strip brackets"
+      "title": "strip brackets 2"
     },
     "0x05": {
       "beCode": "function render (input) {\n  input = input.replace(/-->/g, '😂')\n  return '<!--' + input + '-->'\n}",
       "title": "comment"
     },
     "0x06": {
-      "beCode": "function render (input) {\n  const stripTagsRe = /<\\/?[^>]+>/gi\n\n  input = input.replace(stripTagsRe, '')\n  return `<article>${input}</article>`\n}",
-      "title": "strip tag"
+      "beCode": "function render (input) {\n  input =  input.replace(/auto|on.*=|>/ig, '_')\n  return `<input value=1 ${input} type=\"text\">`\n}",
+      "title": "remove right tag"
     },
     "0x07": {
-      "beCode": "function render (input) {\n  let domainRe = /^https?:\\/\\/www\\.segmentfault\\.com/\n  if (domainRe.test(input)) {\n    return `<script src=\"${input}\"></script>`\n  }\n  return 'Invalid URL'\n}",
-      "title": "url 1"
+      "beCode": "function render (input) {\n  const stripTagsRe = /<\\/?[^>]+>/gi\n\n  input = input.replace(stripTagsRe, '')\n  return `<article>${input}</article>`\n}",
+      "title": "strip tag"
     },
     "0x08": {
-      "beCode": "function render (input) {\n  function escapeHtml(s) {\n    return s.replace(/&/g, '&amp;')\n            .replace(/'/g, '&#39;')\n            .replace(/\"/g, '&quot;')\n            .replace(/</g, '&lt;')\n            .replace(/>/g, '&gt;')\n  }\n\n  let domainRe = /^https?:\\/\\/www\\.segmentfault\\.com/\n  if (domainRe.test(input)) {\n    return `<script src=\"${escapeHtml(input)}\"></script>`\n  }\n  return 'Invalid URL'\n}",
-      "title": "url 2"
+      "beCode": "function render (src) {\n  src = src.replace(/<\\/style>/g, '/* \\u574F\\u4EBA */')\n  return `\n    <style>\n      ${src}\n    </style>\n  `\n}",
+      "title": "style"
     },
     "0x09": {
-      "beCode": "function render (input) {\n  input = input.replace(/[\\n</\"']/g, '')\n  return `\n    <script>\n          // alert('${input}')\n    </script>\n  `\n}",
-      "title": "line-break"
+      "beCode": "function render (input) {\n  let domainRe = /^https?:\\/\\/www\\.segmentfault\\.com/\n  if (domainRe.test(input)) {\n    return `<script src=\"${input}\"></script>`\n  }\n  return 'Invalid URL'\n}",
+      "title": "url 1"
     },
     "0x0A": {
-      "beCode": "function render (input) {\n  input = input.toUpperCase()\n  return `<h1>${input}</h1>`\n}",
-      "title": "a0"
+      "beCode": "function render (input) {\n  function escapeHtml(s) {\n    return s.replace(/&/g, '&amp;')\n            .replace(/'/g, '&#39;')\n            .replace(/\"/g, '&quot;')\n            .replace(/</g, '&lt;')\n            .replace(/>/g, '&gt;')\n  }\n\n  let domainRe = /^https?:\\/\\/www\\.segmentfault\\.com/\n  if (domainRe.test(input)) {\n    return `<script src=\"${escapeHtml(input)}\"></script>`\n  }\n  return 'Invalid URL'\n}",
+      "title": "url 2"
     },
     "0x0B": {
-      "beCode": "function render (input) {\n  input = input.replace(/script/g, '')\n  input = input.toUpperCase()\n  return '<h1>' + input + '</h1>'\n}",
-      "title": "a1"
+      "beCode": "function render (input) {\n  input = input.toUpperCase()\n  return `<h1>${input}</h1>`\n}",
+      "title": "uppercase"
     },
     "0x0C": {
+      "beCode": "function render (input) {\n  input = input.replace(/[\\n</\"']/g, '')\n  return `\n    <script>\n          // alert('${input}')\n    </script>\n  `\n}",
+      "title": "line-break"
+    },
+    "0x0E": {
       "beCode": "function render (input) {\n  input = input.replace(/<([a-zA-Z])/g, '<_$1')\n  input = input.toUpperCase()\n  return '<h1>' + input + '</h1>'\n}",
       "title": "a2"
     },
-    "0x0D": {
+    "0x0F": {
       "beCode": "function render (input) {\n  function escapeHtml(s) {\n    return s.replace(/&/g, '&amp;')\n            .replace(/'/g, '&#39;')\n            .replace(/\"/g, '&quot;')\n            .replace(/</g, '&lt;')\n            .replace(/>/g, '&gt;')\n  }\n  return `<a href=\"\" onclick=\"alert('${escapeHtml(input)}')\"></a>`\n}",
       "title": "html"
     }

src/lib/util.js

@@ -30,7 +30,7 @@ ls.set('xssV', LOCAL_V)
 export const clone = d => (JSON.parse(JSON.stringify(d)))
 
 export const escapeJS = (jsStr) => {
-  return String(jsStr).trim()
+  return String(jsStr)
     .replace(/'/g, "\\'")
     .replace(/"/g, '\\"')
     .replace(/`/g, '\\`')

yarn.lock

@@ -15,13 +15,19 @@ accepts@~1.3.3:
     mime-types "~2.1.11"
     negotiator "0.6.1"
 
-acorn-jsx@^3.0.0:
+acorn-jsx@^3.0.0, acorn-jsx@^3.0.1:
   version "3.0.1"
   resolved "http://registry.npm.taobao.org/acorn-jsx/download/acorn-jsx-3.0.1.tgz#afdf9488fb1ecefc8348f6fb22f464e32a58b36b"
   dependencies:
     acorn "^3.0.4"
 
-acorn@^3.0.0, acorn@^3.0.4:
+acorn-object-spread@^1.0.0:
+  version "1.0.0"
+  resolved "http://registry.npm.taobao.org/acorn-object-spread/download/acorn-object-spread-1.0.0.tgz#48ead0f4a8eb16995a17a0db9ffc6acaada4ba68"
+  dependencies:
+    acorn "^3.1.0"
+
+acorn@^3.0.0, acorn@^3.0.4, acorn@^3.1.0, acorn@^3.3.0:
   version "3.3.0"
   resolved "http://registry.npm.taobao.org/acorn/download/acorn-3.3.0.tgz#45e37fb39e8da3f25baee3ff5369e2bb5f22017a"
 
@@ -693,6 +699,14 @@ babel-plugin-transform-strict-mode@^6.22.0:
     babel-runtime "^6.22.0"
     babel-types "^6.22.0"
 
+babel-polyfill@^6.23.0:
+  version "6.23.0"
+  resolved "http://registry.npm.taobao.org/babel-polyfill/download/babel-polyfill-6.23.0.tgz#8364ca62df8eafb830499f699177466c3b03499d"
+  dependencies:
+    babel-runtime "^6.22.0"
+    core-js "^2.4.0"
+    regenerator-runtime "^0.10.0"
+
 babel-preset-es2015@^6.18.0:
   version "6.22.0"
   resolved "http://registry.npm.taobao.org/babel-preset-es2015/download/babel-preset-es2015-6.22.0.tgz#af5a98ecb35eb8af764ad8a5a05eb36dc4386835"
@@ -881,6 +895,18 @@ browserslist@^1.0.1, browserslist@^1.5.2, browserslist@^1.7.6:
     caniuse-db "^1.0.30000631"
     electron-to-chromium "^1.2.5"
 
+buble@^0.15.2:
+  version "0.15.2"
+  resolved "http://registry.npm.taobao.org/buble/download/buble-0.15.2.tgz#547fc47483f8e5e8176d82aa5ebccb183b02d613"
+  dependencies:
+    acorn "^3.3.0"
+    acorn-jsx "^3.0.1"
+    acorn-object-spread "^1.0.0"
+    chalk "^1.1.3"
+    magic-string "^0.14.0"
+    minimist "^1.2.0"
+    os-homedir "^1.0.1"
+
 buffer-shims@^1.0.0:
   version "1.0.0"
   resolved "http://registry.npm.taobao.org/buffer-shims/download/buffer-shims-1.0.0.tgz#9978ce317388c649ad8793028c3477ef044a8b51"
@@ -3016,6 +3042,10 @@ lodash.memoize@^4.1.0:
   version "4.1.2"
   resolved "http://registry.npm.taobao.org/lodash.memoize/download/lodash.memoize-4.1.2.tgz#bcc6c49a42a2840ed997f323eada5ecd182e0bfe"
 
+lodash.merge@^4.6.0:
+  version "4.6.0"
+  resolved "http://registry.npm.taobao.org/lodash.merge/download/lodash.merge-4.6.0.tgz#69884ba144ac33fe699737a6086deffadd0f89c5"
+
 lodash.mergewith@^4.0.0, lodash.mergewith@^4.6.0:
   version "4.6.0"
   resolved "http://registry.npm.taobao.org/lodash.mergewith/download/lodash.mergewith-4.6.0.tgz#150cf0a16791f5903b8891eab154609274bdea55"
@@ -3093,6 +3123,12 @@ macaddress@^0.2.8:
   version "0.2.8"
   resolved "http://registry.npm.taobao.org/macaddress/download/macaddress-0.2.8.tgz#5904dc537c39ec6dbefeae902327135fa8511f12"
 
+magic-string@^0.14.0:
+  version "0.14.0"
+  resolved "http://registry.npm.taobao.org/magic-string/download/magic-string-0.14.0.tgz#57224aef1701caeed273b17a39a956e72b172462"
+  dependencies:
+    vlq "^0.2.1"
+
 manage-path@2.0.0:
   version "2.0.0"
   resolved "http://registry.npm.taobao.org/manage-path/download/manage-path-2.0.0.tgz#f4cf8457b926eeee2a83b173501414bc76eb9597"
@@ -3524,7 +3560,7 @@ os-browserify@^0.2.0:
   version "0.2.1"
   resolved "http://registry.npm.taobao.org/os-browserify/download/os-browserify-0.2.1.tgz#63fc4ccee5d2d7763d26bbf8601078e6c2e0044f"
 
-os-homedir@^1.0.0:
+os-homedir@^1.0.0, os-homedir@^1.0.1:
   version "1.0.2"
   resolved "http://registry.npm.taobao.org/os-homedir/download/os-homedir-1.0.2.tgz#ffbc4988336e0e833de0c168c7ef152121aa7fb3"
 
@@ -4000,6 +4036,10 @@ range-parser@^1.0.3, range-parser@~1.2.0:
   version "1.2.0"
   resolved "http://registry.npm.taobao.org/range-parser/download/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
 
+raw-loader@^0.5.1:
+  version "0.5.1"
+  resolved "http://registry.npm.taobao.org/raw-loader/download/raw-loader-0.5.1.tgz#0c3d0beaed8a01c966d9787bf778281252a979aa"
+
 rc@~1.1.6:
   version "1.1.7"
   resolved "http://registry.npm.taobao.org/rc/download/rc-1.1.7.tgz#c5ea564bb07aff9fd3a5b32e906c1d3a65940fea"
@@ -4878,6 +4918,10 @@ verror@1.3.6:
   dependencies:
     extsprintf "1.0.2"
 
+vlq@^0.2.1:
+  version "0.2.1"
+  resolved "http://registry.npm.taobao.org/vlq/download/vlq-0.2.1.tgz#14439d711891e682535467f8587c5630e4222a6c"
+
 vm-browserify@0.0.4:
   version "0.0.4"
   resolved "http://registry.npm.taobao.org/vm-browserify/download/vm-browserify-0.0.4.tgz#5d7ea45bbef9e4a6ff65f95438e0a87c357d5a73"