info/big-list-of-naughty-strings
1
0
Fork 0
mirror of https://github.com/minimaxir/big-list-of-naughty-strings.git synced 2025-09-25 05:12:14 +02:00
Code Issues Releases Wiki Activity

Finish README

Browse Source
This commit is contained in:
Max Woolf
2015-08-09 21:52:42 -07:00
parent 12fd0e7707
commit 3807c125fb
1 changed files with 16 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@@ -1,12 +1,22 @@
# Big List of Naughty Strings
The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing, for whenever your QA engineer [walks into a bar](http://www.sempf.net/post/On-Testing1.aspx).
The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer [walks into a bar](http://www.sempf.net/post/On-Testing1.aspx).
The list consisted of newline-delimited strings and comments which preceded with `#`. The comments divide the strings into sections for easy manual reading.
## Why Test Naughty Strings?
## Why test naughty strings?
Even multi-billion dollar companies with infinite automated testing can't find every bad input. For example, look at what happens when you try to Tweet a zero-width space (U+200B):
Even multi-billion dollar companies with huge amounts of automated testing can't find every bad input. For example, look at what happens when you try to Tweet a [zero-width space](https://en.wikipedia.org/wiki/Zero-width_space) (U+200B) on Twitter:
![](http://i.imgur.com/HyDg2eV.gif)
Although this is not a malicious error, an "internal server error" for unexpected input may be a symptom for deeper string-validation issues, wh
Although this is not a malicious error, and typical users aren't Tweeting weird unicode, an "internal server error" for unexpected input is never a positive experience for the user, and may in fact be a symptom of deeper string-validation issues. The Big List of Naughty Strings is intended to help reveal such issues.
## Usage
`blns.txt` consists of newline-delimited strings and comments which preceded with `#`. The comments divide the strings into sections for easy manual reading and copy/pasting into input forms. For those who want to access the strings programmically, a `blns.json` file is provided containing an array with all the comments striped out. (the `scripts` folder contains a Python script used to generate the `blns.json`)
## Contributions
Feel free to send a pull request to add more strings, or additional sections. However, please do not send pull requests with very-long strings (255+ characters), as that makes the list much more difficult to view.
## Disclaimer
The Big List of Naughty Strings is intended to be used *for software you own and manage*. Some of the Naughty Strings can indicate security vulnerabilies, and as a result using such strings with third-party software may be a crime. The maintainer is not responsible for any negative actions that result from the use of the list.