W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Risks from CSS injection

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 09 Dec 2009 11:49:23 -0800
Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, public-web-security@w3.org
Message-id: <F48C46AF-92D1-4558-88BD-4FA6A7E7D405@apple.com>
To: gaz Heyes <gazheyes@gmail.com>

On Dec 9, 2009, at 11:30 AM, gaz Heyes wrote:

> So you may think that getting the width is ok, right? Here I use the  
> width as a reference to the letter:-
>
> input[value*="a"] {
>  width:0;
> }
> input[width="0"] {
>  background:attr(width, url);
> }
> input[value*="b"] {
>  width:1;
> }
> input[width="1"] {
>  background:attr(width, url);
> }

Selectors cannot select based on CSS property values, as opposed to  
DOM attribute values. So what you write here won't work. It's setting  
the width CSS property, not the width attribute in the DOM, but the  
other selectors are reading from the DOM.

I think that in general there will never be a CSS selector that  
depends on the value of CSS property, because then style resolution  
could cause an infinite loop.

Regards,
Maciej
Received on Wednesday, 9 December 2009 19:50:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT