What is unsafe about the inline style (or: why is it more unsafe than using classes)

Question

To comply with CSP specs, I am analyzing an older application for the use of inline style in the HTML.

What I don't understand is why inline styles are insecure, or rather what am I gaining in a security sense when I replace style="color:red" with class="red".

I see a lot of sites where I can find out how great it is that CSP solves the insecure inline style, or how to apply the syntax of CSP for inline style, but I can't seem to find what the vulnerability is with inline style vs. classes.

All the things in CSP style-src: 'unsafe-inline' - is it worth it? also apply for classes. It also states what can happen when you use inline styles and you get hit by an XSS. On of the comments in the answers is "Couldn't they just as easily mess up your page by modifying classes? I'm still not seeing the benefit." - that is still my question, and not answered.

For example, this answer says:

They could turn your page pink, and make it look silly.

When they have (via XSS for instance) have access to my page, they can also inject some style and add a class, or add any of the bootstrap color classes to my HTML, so the also my page looks silly.

They could modify the text of your page...

Has nothing to do with the inline style, that is about XSS in general

They could make user generated content, like a link they provided appear outside of the normal places where people expect to see user content, making it appear official.

Again has nothing to do with the inline style, that is about XSS in general

Using a carefully crafted style rules they could send any information included on the page to external domains...

Again has nothing to do with the inline style, that is about XSS in general.

What is unsafe about the inline style (or: why is it more unsafe than using classes)

Answers (1)

Related Questions