Re: Risks from CSS injection from gaz Heyes on 2009-12-10 (public-web-security@w3.org from December 2009)

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 10 Dec 2009 08:58:53 +0000
To: Maciej Stachowiak <mjs@apple.com>
Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, public-web-security@w3.org
Message-ID: <252dd75b0912100058h3c1613cdw8e665b929c2f7339@mail.gmail.com>

2009/12/9 Maciej Stachowiak <mjs@apple.com>

> Selectors cannot select based on CSS property values, as opposed to DOM
> attribute values. So what you write here won't work. It's setting the width
> CSS property, not the width attribute in the DOM, but the other selectors
> are reading from the DOM.
>
> I think that in general there will never be a CSS selector that depends on
> the value of CSS property, because then style resolution could cause an
> infinite loop.
>

Thanks Maciej I wasn't aware of this but still the Attr() function shouldn't
be allowed to get the value attribute of a element and I would suggest the
url syntax be dropped or that url() be a requirement when using it.

Received on Thursday, 10 December 2009 08:59:25 UTC