Is including an external CSS file safe, or can it lead to code injection?

I am working on a site that customers will use by embedding it in an iframe on their site. I want to give them the opportunity to customize the style of the content so that they can fit into the styles of their site.

The main idea I have is to let them give me the URL of a CSS file, which the page I serve to fill the iframe will then point to. As far as I know this is safe, but I'm not particularly familiar with CSS (especially the newer versions), so I want to check.

Is there any way to craft a CSS file that would let them inject code into my site or otherwise access things like my domain's cookies? Is this actually safe, or do I need to come up with a different solution?

1 answer

No, this is not safe. expression and -moz-binding are well-known ways to cause arbitrary script execution in some browsers via CSS. LiveJournal suffered a very widespread XSS attack that was triggered by JavaScript embedded in custom CSS.

If Mozilla decides to allow the execution of arbitrary JavaScript through CSS, there is no viable solution other than the one we have taken.

From the Caja wiki (widget file):

Crafted CSS stylesheets can execute unsandboxed JavaScript in the global scope in some browsers.

Background

CSS.

IE: JavaScript via expression. http://msdn2.microsoft.com/en-us/library/ms537634.aspx

JScript and Microsoft Visual Basic Scripting Edition (VBScript). http://msdn2.microsoft.com/en-us/library/ms533503.aspx

binding: http://developer.mozilla.org/en/docs/CSS:-moz-binding http://developer.mozilla.org/en/docs/XBL:XBL_1.0_Reference:Elements#binding

-moz-binding: XML (from a URL).

CSS DOM.

IE 5 (IE 8 " ").

Mozilla/Firefox.

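As an added example (not code from the original post or from the Caja project), here is a defender-side check over a customer-supplied stylesheet that flags the constructs the answer names, expression() and -moz-binding, plus IE's behavior:, script URLs and @import, after normalising comments and CSS escapes so a split or escaped keyword is not missed; the function names and sample stylesheets are constructed for illustration.

```javascript
// Added example: scan customer-supplied CSS for script-execution vectors.
// Sample input is constructed; function names are hypothetical.

// Decode CSS backslash escapes such as \65 (optional trailing space) and \x,
// so that "e\78pression" normalises to "expression".
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (m, hex, ch) =>
    hex ? String.fromCodePoint(parseInt(hex, 16)) : ch
  );
}

// Normalise before matching: strip /* */ comments (which can split a
// keyword), decode escapes, drop control characters, lower-case.
function normalizeCss(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  return decodeCssEscapes(noComments)
    .replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, "")
    .toLowerCase();
}

// Constructs that execute script (or pull in unscanned CSS) in some browsers.
const DANGEROUS = [
  { name: "expression()", re: /expression\s*\(/ },        // IE dynamic properties
  { name: "-moz-binding", re: /-moz-binding\s*:/ },       // Gecko XBL binding
  { name: "behavior",     re: /behavior\s*:/ },           // IE .htc behaviours
  { name: "script URL",   re: /url\s*\(\s*["']?\s*(javascript|vbscript)\s*:/ },
  { name: "@import",      re: /@import\b/ },              // loads CSS this scan never sees
];

// Returns the names of every dangerous construct found (empty array = none).
function findDangerousCss(css) {
  const norm = normalizeCss(css);
  return DANGEROUS.filter(d => d.re.test(norm)).map(d => d.name);
}

// Constructed customer stylesheet: benign rules plus one IE expression().
const SAMPLE_CUSTOMER_CSS = `
  body { color: #333; font-family: Arial, sans-serif; }
  .box { width: expr/**/ession(0); }
`;
console.log(findDangerousCss(SAMPLE_CUSTOMER_CSS)); // [ 'expression()' ]
```

This is a blocklist, so it only catches the constructs it knows about; the answer's conclusion that arbitrary customer CSS is unsafe in these browsers still stands.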
