[Esapi-dev] CSS encoding
jeff.williams at owasp.org
Sat Aug 6 00:41:57 EDT 2011
Could you take a look at this and see if you agree?
Quoted Style Value
You can "inject up" are with the " and ' tokens as well as the </style>
token which targets the HTML parser.
You can "inject down" with the expression( token (IE7 and earlier only) and
any of the URL tokens (like background-image:url)
Unquoted Style Value
You can "inject up" with ; } and </style> and possibly other characters like
/* and @-rules
Let me know if your understanding is different. *
I'm nervous about attempting to build support for strictly validating all
the possible CSS property values. That seems difficult to me. I think there
are hundreds and then lots of extensions, particularly the -moz stuff.
If I have this right, then I think we can create a single "defusing" method
to handle these requirements. In fact, I think it's as simple as adding some
current escaping method.
I don't want to get into a terminology battle about whether this is
encoding, escaping, or validation. I'm focused on making the value safe for
rendering in a CSS context. I think of this as "defusing" attacks - so
maybe that's a better name.
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, August 04, 2011 2:19 PM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] CSS encoding
CSS hex encoding is an almost useless control due to IE expressions.
This is exactly why this control does not exist in .NET AntiXSS libraries.
When dealing with user driven CSS values, you .must. very strictly validate
both the characters and structure of the user driven CSS value.
I say we deprecate CSS encoding or at least fix the JavaDoc.
- Jim Manico
Esapi-dev mailing list
<mailto:Esapi-dev at lists.owasp.org> Esapi-dev at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-dev