W3C home > Mailing lists > Public > www-style@w3.org > July 2000

Re: virus?

From: Jan Roland Eriksson <jrexon@newsguy.com>
Date: Wed, 19 Jul 2000 20:21:24 +0200
To: "Bruno" <bruno@teraram.com>
Cc: <www-style@w3.org>
Message-ID: <8csbnssotu37dio4vmj1u436gheh5l3g5j@4ax.com>
On Tue, 18 Jul 2000 20:15:32 +0200, "Bruno" <bruno@teraram.com> wrote:

>I was just wondering where there or is there any CSS virus?

In the best of worlds it should be impossible to create a CSS virus.

CSS code is per specification only _describing_ a relationship between
specific properties of document content and suggested values for those
properties. CSS code in it self is not really "executed" in any way.

Now since not so long ago this inherent security level in CSS was broken
by MS when they included a possibility to use JS style "function calls"
to assign values to properties.

So as the saying goes, "make something idiot proof and some one will
invent a better idiot".

My guess is that now we only have to sit back and wait for that some one
to "invent a better idiot" and the first CSS based security attack will
be a reality through some version of MSIE at least.
It's my opinion and I stand for it.

-- 
Jan Roland Eriksson <jrexon@newsguy.com>
<URL:http://member.newsguy.com/%7Ejrexon/>
Received on Wednesday, 19 July 2000 14:21:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:05 GMT