Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Safe CSS Stylesheets

by osfameron (Hermit)
on May 14, 2002 at 19:47 UTC ( #166560=perlquestion: print w/replies, xml ) Need Help??
osfameron has asked for the wisdom of the Perl Monks concerning the following question:

After I read the recent post about Cross Site Scripting attacks, I sat down and wrote an HTML filter to make user-submitted HTML safe (using HTML::Parser). Then I read some more posts, and followed some links (I particularly liked this one) and then got scared.

You can call malicious code from an <IMG> tag??!! And even stranger, from a <STYLE> tag... (well, I thought it was strange, because STYLE is for, um, formatting, not for running code, but of course this allows for dynamically generated styles).

So, for plain HTML, I think I now know what I can do: I will add the necessary filtering ability to my self-rolled version, test it against the exploits listed in the various articles, and if it doesn't come up to scratch, I'll use HTML::TagFilter as recommended by some (Hell, I'll maybe use that anyway, but this is the first time I've been able to get HTML::Parser to do anything useful, so I'm enjoying reinventing this wheel...)

But if I want users to be able to submit their own Stylesheets, how do I parse the CSS entry to make sure they aren't adding malicious code? Can I just filter out @ and expression()? Surely there must be a pre-rolled solution? (I found CSS::SAC which looks like a CSS parser, but didn't seem to have any documentation on how to use it for this kind of eventuality.

I think that one suggestion involved creating a user interface to limit what CSS is entered, which I don't want to have to do if I can avoid it!!


Replies are listed 'Best First'.
Re: Safe CSS Stylesheets
by belg4mit (Prior) on May 14, 2002 at 20:33 UTC
    I'd recommend not letting them do that. The CSS model used here is a good one to follow. there are CSS themes, but to become generally available any submissions would have to be audited. However, the user is free to insert a style sheet of their own for themselves (which btw, is just a crutch for old browsers; true CSS enabled browsers should support user-defined style sheets). UPDATE; Note of course this is exploitable as well, but requires the explicit action of the naive user, and there's not much you can do about that. If a user were to create a tainted sheet, make it publically available and convince others to use it (maybe it "looks cool")...
  • Did you come across this FAQ?
  • It is interesting to note that the acronym CSS is also used for Cross Site Scripting.
  • As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
  • --
    perl -pew "s/\b;([mnst])/'$1/g"

      Thanks - good links.

      One of the possible problems: text/data being added or hidden by the stylesheet doesn't seem so problematic to me. (On first glance anyway - I'll mull over it!!) The idea would be that every topic or discussion group would be owned by one person, who would set the stylesheet. If they want to add "BIG LIE" (as per the link's example) that's their business.

      On the other hand, it does seem like a fraught business, maybe I will go with accepting CSS sheets in a form and ratifying them centrally before releasing them to the general public. What a pain!

      (By the way, TheHobbit pointed out that my link to an external site above was wrong: thanks! this seems to work.


Re: Safe CSS Stylesheets
by robot_tourist (Hermit) on May 15, 2002 at 07:31 UTC

    The <img /> and <style></style> tags can tell the browser to load things from any valid URI, plus I think all tags can contain the style="" attribute. Therefore, obviously they can be pointed to malicious web pages, cgi scripts etc. An image doesn't have to have a jpeg, png or gif extension and they can be created on the fly, so it would be hard to filter them by name. Plus, a malicious program could be given a picture-like extension that a properly configured server would be able to execute. I never thought of that last one before now, scary.

    I have a wiry brain/each eye a camera. Robot Tourist, by Ten Benson

      Style attributes (style="") do not refer to a URI, though any valid CSS setting for that element which uses a URI may be used. In this case the STYLE attribute and tag are not different.

      The SRC value of an IMG tag is not the issue, whatever type of image, the browser SHOULD only handle it as an image. Although certain plugins may have co-opted control of given MIME-types (eg. QuickTime and PNG), and be exploitable. What was likely referred to is touched upon in the JavaScript discussion I linked to, IMG tags (and so many others) are allowed event attributes such as ONLOAD which can execute inlined script.

      The matter at hand is Cross Site Scripting, this is protecting the user from malicious foreign content. *Mis*configuration of a server to execute images on the server is irrelevant( The only likely means for this is to have the execution bit set on the file on a UN*X server and allow execution of either any file, or files by location. Files from a Samaba share typically appear to have the execution bit set. Again though, this affects the *server*.)

      perl -pew "s/\b;([mnst])/'$1/g"

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://166560]
Approved by particle
Front-paged by grep
and the shadows deepen...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (4)
As of 2017-04-28 00:36 GMT
Find Nodes?
    Voting Booth?
    I'm a fool:

    Results (514 votes). Check out past polls.