Nix

Reputation: 58522

Why is a <style> block considered unsafe markup?

I recently plugged in PageDown to sanitize some HTML input coming from a textarea, and I noticed that it trims out "style" elements.

I was just wondering why these are considered unsafe?

Upvotes: 5

Views: 1447

Answers (4)

Dan Herbert

Reputation: 103417

IE has a special CSS feature that allows JavaScript to be embedded within CSS. This alone would be reason enough to want to ban <style> tags.

behavior: expressions can also be entered into the style attribute, so you should make sure that you either remove style attributes from your whitelist, or whitelist specific styles. You should not attempt to blacklist styles because there are a few ways script can make its way into styles, and there are plans to add more in the future.

Also, as others mentioned you can completely change the look of a page using CSS. I can't think of any way this could be harmful without also allowing some other markup (like a <form> tag) but given enough creativity I'm sure a malicious person could come up with some ideas.

Upvotes: 4

cHao

Reputation: 86505

If you're going to strip out any HTML tags, it's generally better if you whitelist tags and attributes (that is, have a list of stuff you allow, and strip out everything else) rather than blacklisting. HTML can be somewhat complex, and is still evolving; how do you know there won't be a <stuff> element in the future that lets supporting browsers run arbitrary stuff?

With that said...unlike most elements, a stylesheet can change the look of the whole page it's embedded in. And it can't reliably be restricted without either resorting to iframes and such, or parsing the CSS and stripping out the offending properties and/or adding specificity. (HTML5 rules can't be relied on for, say, IE8 -- which is still one of the more commonly used browsers out there. In fact, scoped style elements don't seem to be very well supported at all yet.) In particular, it's theoretically possible to write some CSS that takes the whole page and turns it into another page entirely. It can even cause native code to run (via behavior in IE, for example). So for content that'll be output as HTML, it's not something I'd generally allow at all anyway. For an admin back-end, maybe...but not for, say, a comment form.

Upvotes: 0

kojiro

Reputation: 77107

Style sheets are fairly powerful. They can effectively replace the entire contents of the page (with an image, even if the browser doesn't have full support for content insertion). Not only that, but some newer browsers have had a poor track record with vulnerabilities related to 3D transforms. (As far as I know, you can't trigger those with maliciously crafted CSS, but it wouldn't surprise me if that situation arose.)

(In HTML4 style belongs unequivocally in the head. In HTML5, it can be scoped to affect only a subtree of elements, which might potentially reduce the impact area of a CSS-based attack, but doesn't affect the damage it can do within that region.)

Upvotes: 0

mas-designs

Reputation: 7536

My consideration is as simple as that: you should prevent the users from submitting <script> and other tags that could manipulate your code, and maybe their regular expression for doing that also removes <style> tags. But don't take that for granted.

credit goes to: http://www.squarefree.com/securitytips/web-developers.html

Things you should ensure are never allowed in user-submitted HTML, to protect the accounts of visitors who use Firefox and IE:

javascript:, vbscript:, and data: URLs in links, images, anywhere.
<script> tags, with or without src attributes.
Event attributes (on*), which contain scripts.
-moz-binding: or behavior: CSS properties inside <style> elements or style attributes.
HTML that is not "well-formed" -- you can't be sure how quirky browsers will parse it. (Example: <b <i>Foo)

Upvotes: 0
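As an added example (not code from the question, from PageDown, or from squarefree.com), here is an allowlist-based sanitizer built on Python's stdlib html.parser that puts the points raised across these answers into practice: allowlist tags and attributes instead of blacklisting (cHao), drop <style> elements together with their contents and allow only specific CSS properties in style attributes rather than blacklisting behavior: or expression() (Dan Herbert), reject javascript:, vbscript: and data: URLs and all on* attributes, and re-close tags so the output is well-formed (the list above). The allowlists themselves are assumptions chosen for illustration; a real site would tune them to the markup it actually wants to accept.

```python
"""Allowlist HTML sanitizer on top of Python's stdlib html.parser.

Added example: not code from the question, PageDown or squarefree.com.
Every allowlist below (tags, attributes, CSS properties, URL schemes) is
an assumption chosen for illustration; a real site would tune them.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "code", "pre", "img", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"},
                 "span": {"style"}, "p": {"style"}}
VOID_TAGS = {"br", "img"}
# Elements dropped together with everything inside them.
DROP_WITH_CONTENT = {"script", "style"}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPS = {"color", "font-weight", "text-align"}


def safe_url(value):
    """Allow relative URLs and the allowlisted schemes only, so javascript:,
    vbscript: and data: never pass. Whitespace and control characters are
    removed first because browsers ignore them when reading the scheme."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m is None or m.group(1).lower() in ALLOWED_URL_SCHEMES


def safe_style(value):
    """Keep only allowlisted properties with plain values (no parentheses,
    so url() and expression() cannot appear); everything else, including
    behavior: and -moz-binding:, is dropped. Returns None when nothing
    survives so the caller can remove the attribute entirely."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and re.fullmatch(r"[#\w\s,%.-]+", val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept) if kept else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # open allowed tags, closed at the end
        self.skipping = None   # name of a <style>/<script> being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown or future tag: dropped, text kept
        parts = [tag]
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # also removes every on* event attribute
            if name in ("href", "src") and not safe_url(value):
                continue
            if name == "style":
                value = safe_style(value)
                if value is None:
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.stack:
            return             # stray end tag
        while self.stack:      # close mis-nested tags so output stays well-formed
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))

    def result(self):
        while self.stack:      # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    print(sanitize('<style>p{color:red}</style><p style="color: red; behavior: url(a.htc)">'
                   '<a href="javascript:void(0)" onclick="x()">link</a><b>bold</p>'))
```

The design point is that nothing here needs to recognise an attack: an unknown tag, attribute, CSS property or URL scheme is dropped simply because it is not on the list, which is what makes the allowlist approach hold up against browser features that do not exist yet.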
