gunnahafta Posted April 21, 2016 Share Posted April 21, 2016 Im curious if\how adding some entries to a style tage could be used as an exploit. For example if I could intercept a webpage or an HTML email with some settings in the style section could i force the browser\email client to include some external bad code? Make it download a piece of malicious java script etc. Link to comment Share on other sites More sharing options...
Ingolme Posted April 21, 2016 Share Posted April 21, 2016 I think there was once a vulnerability where the browser would execute Javascript in the background image url, but that was years ago and most likely it's been patched up. As far as I know there is no security vulnerability in CSS. If you include user content inside a style tag be sure that you don't allow them to write HTML because they could close the style tag and open a script tag. Always escape < and > with < and > when displaying user generated content on the page. Link to comment Share on other sites More sharing options...
dsonesuk Posted April 21, 2016 Share Posted April 21, 2016 The only security issue i have ever heard of was related to the pseudo class of visited: where when using background image change for visited link for example, this could be used to identify users history of where they had been, but browsers now prevent this by preventing specific styling of visited link and only showing default browser or a set specific allowed styling by developer of the visited link itself and any elements based around that visited link. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now