[Esapi-dev] CSS encoding

Jeff Williams jeff.williams at owasp.org
Sat Aug 6 00:41:57 EDT 2011


Hi Jim,

 

Could you take a look at this and see if you agree?

 


 

Quoted Style Value

  Injecting Up: You can "inject up" with the " and ' tokens as well as the
  </style> token, which targets the HTML parser.

  Injecting Down: You can "inject down" with the expression( token (IE7 and
  earlier only) and any of the URL tokens (like background-image:url).

Unquoted Style Value

  Injecting Up: You can "inject up" with ; } and </style> and possibly other
  characters like /* and @-rules.

  Injecting Down: Same.

 

Let me know if your understanding is different.

* http://www.w3.org/TR/CSS2/syndata.html#tokenization

 

I'm nervous about attempting to build support for strictly validating all
the possible CSS property values. That seems difficult to me. I think there
are hundreds and then lots of extensions, particularly the -moz stuff.

 

If I have this right, then I think we can create a single "defusing" method
to handle these requirements. In fact, I think it's as simple as adding some
logic to prevent the "expression(" token and "javascript:" urls to our
current escaping method.

 

I don't want to get into a terminology battle about whether this is
encoding, escaping, or validation.  I'm focused on making the value safe for
rendering in a CSS context.  I think of this as "defusing" attacks - so
maybe that's a better name.

 

--Jeff
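As an added illustration of the two-layer approach sketched above (hex-escape the value for the CSS context, then refuse the specific "inject down" tokens), here is example JavaScript. It is not ESAPI code and not part of the original thread; the function names encodeForCss, normalizeCss, defuseForCss and hasInjectUpChars are hypothetical. The escaping follows the CSS2 tokenization rule linked above (backslash, hex code point, terminating space). The normalization step that undoes CSS escapes and strips comments before matching is an assumption about how the token might be disguised, not something the thread states, and the sample attacker values are constructed for the demo.

```javascript
// Added example (not ESAPI code): CSS-context escaping per CSS2 tokenization
// plus the "defusing" check for the expression( and javascript: tokens.
// All function names here are hypothetical.

// Characters that "inject up" out of a style value (quoted or unquoted):
// string terminators, declaration/block terminators, comment openers and the
// start of </style>. After encodeForCss() none of them survive unescaped.
const INJECT_UP_CHARS = ['"', "'", ";", "}", "<", "/", "*", "@"];

// Tokens refused outright because escaping alone is not trusted to defuse
// them once they reach a lax CSS parser ("inject down").
const INJECT_DOWN_TOKENS = ["expression(", "javascript:"];

// Undo the obfuscation a CSS parser would undo before matching tokens
// (assumption about attacker spellings): strip /* */ comments, decode
// \HHHHHH (with one optional trailing whitespace char) and \<char>
// escapes, drop remaining whitespace, lowercase. Dropping all whitespace
// errs toward rejecting, e.g. "express ion(" is treated as the token.
function normalizeCss(value) {
  let s = String(value);
  s = s.replace(/\/\*[\s\S]*?\*\//g, "");
  s = s.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/g, (_, hex) => {
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
  s = s.replace(/\\(.)/g, "$1");
  s = s.replace(/[ \t\r\n\f]+/g, "");
  return s.toLowerCase();
}

// CSS2 4.1.3: any character may be written as a backslash followed by its
// hex code point; a following space terminates the escape unambiguously.
// Leave [A-Za-z0-9] alone and escape everything else (including spaces).
function encodeForCss(value) {
  let out = "";
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    const alnum =
      (cp >= 0x30 && cp <= 0x39) ||
      (cp >= 0x41 && cp <= 0x5a) ||
      (cp >= 0x61 && cp <= 0x7a);
    out += alnum ? ch : "\\" + cp.toString(16) + " ";
  }
  return out;
}

// True if any inject-up character appears unescaped in an already-encoded
// value; meant for checking encodeForCss() output, not raw input.
function hasInjectUpChars(encoded) {
  return INJECT_UP_CHARS.some((c) => encoded.includes(c));
}

// Combined "defusing" step: reject values carrying an inject-down token in
// any spelling the normalizer can see, then escape for the CSS context.
// Returns null for a rejected value so callers can substitute a default.
function defuseForCss(value) {
  const norm = normalizeCss(value);
  if (INJECT_DOWN_TOKENS.some((tok) => norm.includes(tok))) {
    return null;
  }
  return encodeForCss(value);
}

// Walk both contexts from the table with constructed attacker values.
function demo() {
  const cases = {
    quotedUp: '"; } </style><script>alert(1)</script>',
    unquotedUp: "red; } </style><script>alert(1)</script>",
    downExpression: "expression(alert(1))",
    downEscaped: "e\\78 pression(alert(1))",
    downCommented: "expr/**/ession(alert(1))",
    downUrl: "url(javascript:alert(1))",
    benignUrl: "url(http://example.org/bg.png)",
  };
  const results = {};
  for (const [name, v] of Object.entries(cases)) {
    results[name] = defuseForCss(v);
  }
  return results;
}
```

In the demo the two "inject up" values come back fully escaped (no raw quote, semicolon, brace or angle bracket remains), while every spelling of expression( and the javascript: URL is rejected before encoding; the plain http URL passes through escaped. The blocklist is deliberately short, matching the two tokens discussed, and is where a real implementation would decide whether url( as a whole belongs as well.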

 

 

-----Original Message-----
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, August 04, 2011 2:19 PM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] CSS encoding

 

CSS hex encoding is an almost useless control due to IE expressions.

This is exactly why this control does not exist in .NET AntiXSS libraries.

 

When dealing with user driven CSS values, you .must. very strictly validate
both the characters and structure of the user driven CSS value.

 

I say we deprecate CSS encoding or at least fix the JavaDoc.

 

- Jim Manico
