Re: Seamless iframes + CSS3 selectors = bad idea

2009/12/8 Devdatta <dev.akhawe@gmail.com>

> >
> > Daniel that's the point. The site is assumed safe from XSS but allows CSS
> > and those selectors and it assumes they are safe.
> >
>
> Does anyone have any data to support that such sites do exist ? Viz. sites
> that
>   * Disallow script injection
>   * Allow arbitrary CSS injection (no whitelist/blacklist)
>   * Aren't vulnerable to XSS.
>
> Maciej gave a few examples that clearly demonstrate how widely
> attribute selectors are used. We could do with some examples to show
> how the scenario we are talking about is actually widely prevalent.
>

This is quite a good overview of which email/web clients support which CSS
properties:-
<http://www.campaignmonitor.com/css/>

Myspace seemed to allow CSS selectors when sirdarckcat tested

Received on Tuesday, 8 December 2009 19:54:59 UTC