1Parsing test_escape.cs 2escape: not used 3UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? 4BlahJs: quote ' backslash \ semicolon ; end tag </script> 5Title: </title><script>alert(1)</script> 6 7 8escape: none 9UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? 10BlahJs: quote ' backslash \ semicolon ; end tag </script> 11Title: </title><script>alert(1)</script> 12 13 14 15escape: html 16UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? 17BlahJs: quote ' backslash \ semicolon ; end tag </script> 18Title: </title><script>alert(1)</script> 19 20 21 22escape: js 23UrlArg: Secret Password~!@#$%^\x26*()+=-_|\x5C[]{}:\x22\x3B\x27\x3C\x3E,.? 24BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 25Title: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3E 26 27 28 29escape: url 30UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F 31BlahJs: quote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 32Title: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E 33 34 35 36Nested escaping: html 37The internal calls should take precedence 38url -> UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F 39js -> BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 40html -> Title: </title><script>alert(1)</script> 41 42 43Defining the macro echo_all inside of a "html" escape. 44 45 46Calling echo_all() macro: 47 48not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 49none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 50url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 51js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 52html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 53 54 55 56Calling echo_all() macro from within "html": 57 58not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 59none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 60url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 61js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 62html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 63 64 65 66 67Calling echo_all() macro from within "js": 68 69not used: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 70none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 71url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 72js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 73html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 74 75 76 77 78Calling echo_all() macro from within "url": 79 80not used: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 81none: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 82url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E 83js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E 84html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> 85 86 87