
CSS and risks


gunnahafta


I'm curious if/how adding some entries to a style tag could be used as an exploit. For example, if I could intercept a webpage or an HTML email with some settings in the style section, could I force the browser/email client to include some external bad code? Make it download a piece of malicious JavaScript, etc.


I think there was once a vulnerability where the browser would execute JavaScript in the background image URL, but that was years ago and most likely it's been patched up.

 

As far as I know there is no security vulnerability in CSS. If you include user content inside a style tag, be sure that you don't allow them to write HTML, because they could close the style tag and open a script tag. Always escape < and > with &lt; and &gt; when displaying user-generated content on the page.
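The style-tag breakout described in the reply above, as an added example that is not part of the original post. The function names and sample inputs are constructed for illustration; it compares plain concatenation, the suggested escaping, and a stricter allowlist.

```javascript
// Added example: user-supplied text placed inside a <style> element.
// All names and inputs here are hypothetical, constructed for illustration.

// Unsafe: concatenates the value straight into the raw-text <style> element.
function renderStyleNaive(userColor) {
  return `<style>.profile { color: ${userColor}; }</style>`;
}

// Escaping as the reply suggests: < and > become entities, so the
// sequence "</style" can no longer appear inside the element.
function escapeAngles(text) {
  return String(text).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function renderStyleEscaped(userColor) {
  return `<style>.profile { color: ${escapeAngles(userColor)}; }</style>`;
}

// Stricter: accept only a hex colour or a plain keyword, otherwise fall back.
const SAFE_COLOR = /^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/;
function renderStyleAllowlisted(userColor, fallback = "inherit") {
  const value = SAFE_COLOR.test(String(userColor)) ? userColor : fallback;
  return `<style>.profile { color: ${value}; }</style>`;
}

// Models how an HTML parser ends a <style> element: at the first "</style"
// followed by whitespace, "/" or ">". Returns the markup after that point;
// anything non-empty there is parsed as HTML, not as CSS.
function markupAfterStyle(html) {
  const m = /<\/style[\s/>]/i.exec(html);
  if (!m) return "";
  const end = html.indexOf(">", m.index);
  return end === -1 ? "" : html.slice(end + 1);
}

// Constructed sample inputs: one benign value, one that closes the element.
const benign = "#336699";
const breakout = "red; }</style><script>/* placeholder */</script><style>";
```

Inside a style element the browser does not decode entities, so the escaped value reaches the CSS parser as literal `&lt;` text: the breakout is stopped, but the declaration is no longer valid CSS. The allowlist avoids that by rejecting anything that is not a plain colour value.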


The only security issue I have ever heard of was related to the :visited pseudo-class: when using a background image change for a visited link, for example, this could be used to identify a user's history of where they had been. Browsers now prevent this by preventing specific styling of visited links and only showing the browser default, or a specific set of allowed styling by the developer, on the visited link itself and any elements based around that visited link.

