- From: gaz Heyes <gazheyes@gmail.com>
- Date: Tue, 8 Dec 2009 01:48:41 +0000
- To: Daniel Glazman <daniel@glazman.org>
- Cc: public-web-security@w3.org
- Message-ID: <252dd75b0912071748u34170413qde6b1b0ddf50277a@mail.gmail.com>
2009/12/7 Daniel Glazman <daniel@glazman.org>

> sird@rckc.at wrote:
>
>> a[href$=.pdf]::before{content:url(pdficon.gif)}
>>
>> And it rocks, it really rocks.. but do we really want to give soooo much
>> power to CSS?
>>
>
> "we"? Who's that "we"? In the World Wide Web Consortium, that "we"
> is the Community on one hand, the W3C Membership (including browser
> vendors) on the other.
> So yes, "we" wanted to add that ability to CSS
>

The scenario is that a web site allows a user to place an external stylesheet with background rules and selectors. This could be encoded using BOM characters or @charset 'UTF-7';

Wonderful Safari allows me to specify multiple backgrounds for the same element, allowing me to send more than one scan of data. Try this with Safari 4.04:-
<http://www.businessinfo.co.uk/labs/test_files/css_fun/page_allows_css.php>

I can brute force a common field "first name", I can check what a token starts and ends with and I can scan for which characters it contains. All with pure CSS (no HTML).

"We" (Me, Sirdarckcat and David) are not saying this is a serious vulnerability now but it has potential to be in future. Especially when browsers support more selectors and allow multiple backgrounds.
Received on Tuesday, 8 December 2009 01:49:23 UTC
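
A defender-side check for the scenario in the message above, as an added example that is not part of the original post: it audits a user-supplied stylesheet for rules that pair an attribute-value selector with a `url()` load, and for the UTF-7 BOM and `@charset` encoding tricks the message mentions. The function name `audit_stylesheet`, the finding labels and the sample sheet are assumptions made for illustration; the regex-based rule splitting is a simplification, not a full CSS parser.

```python
import re

# Constructed sample: the selector quoted in the thread, an escaped variant,
# and a plain rule that should not be flagged.
SAMPLE = b"""@charset 'UTF-7';
/* user-supplied sheet */
h1 { color: navy }
a[href$=.pdf]::before { content: url(pdficon.gif) }
a[href^=http] { background: u\\72l(ext.gif) }
p.note { background: url(bg.png) }
"""

ATTR_MATCH = re.compile(r"\[\s*[\w-]+\s*[\^$*~|]?=")   # [a=v] [a^=v] [a$=v] [a*=v] ...
URL_LOAD = re.compile(r"url\s*\(", re.I)               # any resource fetch
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")             # selector { declarations }
HEX_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")       # CSS hex escape, e.g. \72

def _unescape(css):
    """Resolve CSS hex escapes so 'u\\72l(' is analysed as 'url('."""
    def repl(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return HEX_ESC.sub(repl, css)

def audit_stylesheet(raw: bytes):
    """Return (kind, detail) findings for a stylesheet given as raw bytes."""
    findings = []
    # All UTF-7 byte order marks (+/v8, +/v9, +/v+, +/v/) start with "+/v".
    if raw.startswith(b"+/v"):
        findings.append(("encoding", "UTF-7 byte order mark"))
    text = raw.decode("utf-8", errors="replace")
    if re.search(r"@charset\s+[\"']?utf-?7", text, re.I):
        findings.append(("encoding", "@charset UTF-7"))
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # drop comments
    text = re.sub(r"@charset[^;]*;", "", text, flags=re.I)   # drop the at-rule
    text = _unescape(text)
    for selector, body in RULE.findall(text):
        # A fetch that only happens when an attribute value matches leaks
        # one bit about that value to whoever serves the URL.
        if ATTR_MATCH.search(selector) and URL_LOAD.search(body):
            findings.append(("value-dependent-fetch", " ".join(selector.split())))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_stylesheet(SAMPLE):
        print(kind, "->", detail)
```

The check flags the icon rule quoted in the thread as well, since it cannot tell a decorative fetch from a probing one; a site accepting user stylesheets has to decide whether to reject such rules outright or restrict `url()` targets to same-origin resources.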