Reputation: 38714
We have some code that removes "dangerous" attributes and tags from HTML. I noticed that style is among the list of "dangerous" attributes. What could be the risk from that attribute?
Upvotes: 5
Views: 125
Reputation: 237060
It's possible to make things that are invisible or otherwise very deceptive using style sheets. For example, you could put a giant, invisible anchor link over the whole page so that when the user clicks on something, he's taken to an identical page on a server in Russia.
Upvotes: 1
Reputation: 51062
Here's an example of a bug in MediaWiki that creates a vulnerability based on inline style attributes.
Upvotes: 2
Reputation: 1069
In IE you can include @behaviors in there which can load little JavaScripts.
With CSS3 you can also interject little bits of text, which could be dangerous depending on your website.
Upvotes: 2
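A sanitizer that wants to keep harmless inline styling can filter the style attribute by allowlist instead of removing it outright. The following is an added example, not code from any of the answers; the property allowlist and the value pattern are assumptions chosen for illustration, and they reject the overlay, behavior and generated-text cases raised above.

```python
import re

# Assumed allowlist for this example: properties that cannot move, resize,
# hide or layer an element, and that never take a URL.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight",
    "font-style", "text-align", "text-decoration",
}

# Values limited to keywords, numbers, units and hex colours. This excludes
# url(...), expression(...), quotes, backslash escapes and comments.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%. -]+")


def filter_style(style):
    """Return (kept_style, dropped) for one style attribute value."""
    kept, dropped = [], []
    for declaration in style.split(";"):
        if not declaration.strip():
            continue
        name, sep, value = declaration.partition(":")
        name, value = name.strip().lower(), value.strip()
        if sep and name in ALLOWED_PROPERTIES and SAFE_VALUE.fullmatch(value):
            kept.append(f"{name}: {value}")
        else:
            dropped.append(declaration.strip())
    return "; ".join(kept), dropped


# Constructed sample inputs modelled on the cases raised in the answers.
SAMPLES = {
    "overlay": "position:fixed; top:0; left:0; width:100%; height:100%; opacity:0",
    "ie_behavior": "color: red; behavior: url(x.htc)",
    "benign": "Color: #336699; text-align: center",
    "escaped": "c\\6flor: red; background-color: url(x.png)",
}

if __name__ == "__main__":
    for label, style in SAMPLES.items():
        print(label, filter_style(style))
```

Logging the dropped declarations rather than discarding them silently makes it possible to see which submitted content is attempting positioning or URL-bearing properties.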