Re: Risks from CSS injection

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 10 Dec 2009 08:58:53 +0000
Message-ID: <252dd75b0912100058h3c1613cdw8e665b929c2f7339@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, public-web-security@w3.org

2009/12/9 Maciej Stachowiak <mjs@apple.com>

> Selectors cannot select based on CSS property values, as opposed to DOM
> attribute values. So what you write here won't work. It's setting the width
> CSS property, not the width attribute in the DOM, but the other selectors
> are reading from the DOM.
>
> I think that in general there will never be a CSS selector that depends on
> the value of a CSS property, because then style resolution could cause an
> infinite loop.
>

Thanks Maciej, I wasn't aware of this, but still the Attr() function shouldn't
be allowed to get the value attribute of an element, and I would suggest the
url syntax be dropped or that url() be a requirement when using it.

Received on Thursday, 10 December 2009 08:59:25 GMT