| <style></style> |
| <script> |
| |
| function jsfuzzer() { |
| var variableElement = document.getElementById("variableElement"); //HTMLUnknownElement |
| var templateElement = document.getElementById("templateElement"); //HTMLTemplateElement |
| var htmlFormElement = document.getElementById("htmlFormElement"); //HTMLFormElement |
| var createdVarElement = document.createElement("var"); //HTMLUnknownElement |
| document.all[7].appendChild(htmlBaseTag); |
| var createdTBodyElement = document.createElement("tbody"); |
| createdTBodyElement.insertRow(); |
| document.all[20].appendChild(createdTBodyElement); |
| document.all[13].appendChild(htmlLiElement); |
| |
| // For some reason past here, not appending via modulo fails to induce a crash? |
| document.all[52 % document.all.length].appendChild(createdVarElement); |
| document.adoptNode(htmlDescriptionTag); |
| htmlFormElement.reset(); |
| document.all[90 % document.all.length].appendChild(variableElement); |
| document.all[85 % document.all.length].appendChild(templateElement); |
| htmlFormElement.reset(); |
| } |
| |
| function eventhandler2() { |
| var htmlLiElement = document.getElementById("htmlLiElement"); //HTMLLIElement |
| var htmlContentTag = document.getElementById("htmlContentTag"); //HTMLContentElement |
| var htmlAreaTag = document.getElementById("htmlAreaTag"); //HTMLAreaElement |
| var htmlUnknownElement = document.getElementById("htmlUnknownElement"); //HTMLUnknownElement |
| var htmlParagraphElement = document.createElement("p"); //HTMLParagraphElement |
| var var00016 = window.getSelection(); |
| var00016.selectAllChildren(templateElement); |
| document.all[51 % document.all.length].appendChild(htmlParagraphElement); |
| var var00036 = document.createElement("a");; |
| var var00039 = htmlLiElement.outerHTML; |
| |
| var caretRange = document.caretRangeFromPoint(); |
| caretRange.insertNode(templateElement); |
| var var00192 = var00016.extentNode; |
| var00016.selectAllChildren(var00192); |
| var00016.deleteFromDocument(); |
| htmlLiElement.innerHTML = var00039; |
| document.all[82 % document.all.length].appendChild(htmlContentTag); |
| document.all[99 % document.all.length].appendChild(htmlUnknownElement); |
| document.all[36 % document.all.length].appendChild(var00036); |
| document.all[50 % document.all.length].appendChild(htmlAreaTag); |
| } |
| </script> |
| <body onload=jsfuzzer()> |
| <hr> |
| <ul> |
| <li> |
| <dl> |
| <dd id="htmlDescriptionTag"><dt declare="declare"</dt> |
| <li id="htmlLiElement"></li> |
| </ul> |
| <var id="variableElement"> |
| <image><ol></ol> |
| </var> |
| <template id="templateElement"> |
| </template> |
| <input> |
| <content id="htmlContentTag"></content> |
| <map> |
| <area id="htmlAreaTag" role="group" </area> |
| <area id="htmlvar00017"</area> |
| <form id="htmlFormElement" onreset="eventhandler2()"> |
| <fieldset> |
| <textarea></textarea> |
| <label></label> |
| <h4></h4> |
| <link></p> |
| <base id="htmlBaseTag"> |
| <div></div> |
| <noscript></noscript> |
| <basefont id="htmlUnknownElement"></basefont> |
| </fieldset> |
| </form> |
| </map> |
| </body> |
