2009/12/8 Devdatta <dev.akhawe@gmail.com>
> >
> > Daniel that's the point. The site is assumed safe from XSS but allows CSS
> > and those selectors and it assumes they are safe.
> >
>
> Does anyone have any data to support that such sites do exist? Viz. sites that
> * Disallow script injection
> * Allow arbitrary CSS injection (no whitelist/blacklist)
> * Aren't vulnerable to XSS.
>
> Maciej gave a few examples that clearly demonstrate how widely
> attribute selectors are used. We could do with some examples to show
> how the scenario we are talking about is actually widely prevalent.
>
This is quite a good overview of which email/web clients support which CSS
properties:
<http://www.campaignmonitor.com/css/>
Myspace seemed to allow CSS selectors when sirdarckcat tested