Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Re: Safe CSS Stylesheets

by belg4mit (Prior)
on May 14, 2002 at 20:33 UTC ( #166570=note: print w/replies, xml ) Need Help??

in reply to Safe CSS Stylesheets

I'd recommend not letting them do that. The CSS model used here is a good one to follow. there are CSS themes, but to become generally available any submissions would have to be audited. However, the user is free to insert a style sheet of their own for themselves (which btw, is just a crutch for old browsers; true CSS enabled browsers should support user-defined style sheets). UPDATE; Note of course this is exploitable as well, but requires the explicit action of the naive user, and there's not much you can do about that. If a user were to create a tainted sheet, make it publically available and convince others to use it (maybe it "looks cool")...
  • Did you come across this FAQ?
  • It is interesting to note that the acronym CSS is also used for Cross Site Scripting.
  • As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
  • --
    perl -pew "s/\b;([mnst])/'$1/g"

    Replies are listed 'Best First'.
    Re: Re: Safe CSS Stylesheets
    by osfameron (Hermit) on May 14, 2002 at 20:49 UTC
      Thanks - good links.

      One of the possible problems: text/data being added or hidden by the stylesheet doesn't seem so problematic to me. (On first glance anyway - I'll mull over it!!) The idea would be that every topic or discussion group would be owned by one person, who would set the stylesheet. If they want to add "BIG LIE" (as per the link's example) that's their business.

      On the other hand, it does seem like a fraught business, maybe I will go with accepting CSS sheets in a form and ratifying them centrally before releasing them to the general public. What a pain!

      (By the way, TheHobbit pointed out that my link to an external site above was wrong: thanks! this seems to work.


    Log In?

    What's my password?
    Create A New User
    Domain Nodelet?
    Node Status?
    node history
    Node Type: note [id://166570]
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others examining the Monastery: (2)
    As of 2021-11-29 14:23 GMT
    Find Nodes?
      Voting Booth?

      No recent polls found