Jump to content

CSS and risks


gunnahafta
 Share

Recommended Posts

Im curious if\how adding some entries to a style tage could be used as an exploit. For example if I could intercept a webpage or an HTML email with some settings in the style section could i force the browser\email client to include some external bad code? Make it download a piece of malicious java script etc.

Link to comment
Share on other sites

I think there was once a vulnerability where the browser would execute Javascript in the background image url, but that was years ago and most likely it's been patched up.

 

As far as I know there is no security vulnerability in CSS. If you include user content inside a style tag be sure that you don't allow them to write HTML because they could close the style tag and open a script tag. Always escape < and > with < and > when displaying user generated content on the page.

Link to comment
Share on other sites

The only security issue i have ever heard of was related to the pseudo class of visited: where when using background image change for visited link for example, this could be used to identify users history of where they had been, but browsers now prevent this by preventing specific styling of visited link and only showing default browser or a set specific allowed styling by developer of the visited link itself and any elements based around that visited link.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...