Possible Duplicate:
Cross Site Scripting in CSS Stylesheets
I’m considering allowing users to create their own CSS through linked stylesheets (NOT embedded style tags). Can an XSS attack be performed from a stylesheet?
Thanks
In Internet Explorer, Firefox and other browsers you can embed JavaScript in CSS by specifying a javascript: URL in a url() CSS statement.

Even if you manage to filter these out, an attacker can still completely redesign the page (including all of its textual content) with advanced CSS. Therefore, it becomes extremely easy to trick users into executing stupid actions, which is what XSS is about. For example, you could make the Delete Account button fill the entire window and change its text to “Click here to win 1000$”.

You can white-list a select few properties (text-*, font-*, color, background (only colors and gradients, no URLs or other fancy stuff)), but you’ll have to reject anything that does not match these restrictions.
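
One way to enforce the white-list described in the answer above, as an added example that is not part of the original answer: a server-side validator that rejects a whole user stylesheet unless every rule fits a narrow grammar. The function names, the permitted character sets and the list of color and gradient functions are assumptions chosen for this sketch.

```javascript
// Added example: strict allow-list validator for user-supplied stylesheets.
// Policy from the answer: text-*, font-*, color, and background limited to
// colors and gradients. Anything that does not match rejects the stylesheet.
const ALLOWED_PROPERTY = /^(?:text-[a-z-]+|font-[a-z-]+|color|background)$/;
const COLOR_FUNCS = ['rgb', 'rgba', 'hsl', 'hsla'];
const GRADIENT_FUNCS = ['linear-gradient', 'radial-gradient'];
const SAFE_VALUE = /^[a-z0-9 #%.,()"'-]+$/i;      // no ':' '/' or '\' in values
const SAFE_SELECTOR = /^[a-z0-9 .#,:>+~*_-]+$/i;  // simple selectors only

function checkDeclaration(decl) {
  const colon = decl.indexOf(':');
  if (colon < 0) return `malformed declaration: ${decl}`;
  const prop = decl.slice(0, colon).trim().toLowerCase();
  const value = decl.slice(colon + 1).trim();
  if (!ALLOWED_PROPERTY.test(prop)) return `property not allowed: ${prop}`;
  if (!value || !SAFE_VALUE.test(value)) return `unsafe value for ${prop}`;
  // Gradients are only accepted on background; url(), expression() etc. never are.
  const funcs = prop === 'background' ? COLOR_FUNCS.concat(GRADIENT_FUNCS) : COLOR_FUNCS;
  for (const m of value.matchAll(/([a-z-]*)\s*\(/gi)) {
    if (!funcs.includes(m[1].toLowerCase())) {
      return `function not allowed in ${prop}: ${m[1] || '(none)'}`;
    }
  }
  return null;
}

function validateStylesheet(css) {
  const errors = [];
  // Escapes, comments, at-rules and markup can hide or import forbidden
  // constructs, so they are refused outright instead of being parsed.
  if (/[\\@<]|\/\*/.test(css)) errors.push('escape, comment, at-rule or markup found');
  const rule = /([^{}]*)\{([^{}]*)\}/g;
  for (const m of css.matchAll(rule)) {
    const selector = m[1].trim();
    if (!SAFE_SELECTOR.test(selector)) errors.push(`selector not allowed: ${selector}`);
    for (const decl of m[2].split(';').map((s) => s.trim()).filter(Boolean)) {
      const err = checkDeclaration(decl);
      if (err) errors.push(err);
    }
  }
  // Anything left outside "selector { ... }" blocks did not match the grammar.
  if (css.replace(rule, '').trim() !== '') errors.push('text outside of rule blocks');
  return { ok: errors.length === 0, errors };
}
```

The validator is deliberately stricter than CSS itself: legitimate constructs such as multi-line values or attribute selectors are rejected along with the dangerous ones, which matches the answer's advice to reject anything that does not match.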