
I'm writing a Rails app which allows user-inputted CSS rules, and I want to restrict script execution. Is disallowing 'binding' (for -moz-binding) and 'behavior' enough? It would be implemented with a simple regex called before save.

Are there other methods of including scripts into css stylesheets?


2 Answers


It's been proven, time and time again, that blacklisting doesn't work. Keep a whitelist of CSS you can safely allow.



There are numerous methods for XSS. Here's a cheat sheet.

Is it a complete list?

never

Sufficiently creative attackers will find a way of getting by your paltry parsers.

2 Comments

ha.ckers.org is gone. Additionally, that dealt with script-tag injection in general, as opposed to XSS-in-CSS.
@fahadsadah I guess I should have checked my bookmark before adding it. I'd been to the page I was trying to link to earlier in the day.
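An allow-list sanitizer in the spirit of the first answer, added here as an example (not code from the question or either answer), written in plain Ruby so it could sit in the before-save step the question mentions. The allowed property list, the value grammar and the sample stylesheet are assumptions constructed for this example; the question's keyword regex is kept alongside only to show where a blacklist over- and under-matches, which is the point both answers make.

```ruby
# Allow-list sanitizer for user-supplied CSS (plain Ruby; the property list,
# value grammar and sample input below are assumptions made for this example).
ALLOWED_PROPERTIES = %w[color background-color font-size font-weight
                        margin padding border-radius text-align].freeze
# A value is 1-4 tokens: hex colour, number with optional unit, or bare keyword.
# url(), expression(), escapes and comments never match, so they need no names.
TOKEN = /#\h{6}|#\h{3}|-?\d+(?:\.\d+)?(?:px|em|rem|%)?|[a-z-]+/
VALUE_RE = /\A#{TOKEN}(?:\s+#{TOKEN}){0,3}\z/
# Selectors: element, class or id names joined by . or #, nothing else.
SELECTOR_RE = /\A[.#]?[a-zA-Z][\w-]*(?:[.#][a-zA-Z][\w-]*)*\z/

# Rebuilds the stylesheet from declarations that passed the allow-list and
# returns [clean_css, rejected_items]; the rejects are worth logging.
def sanitize_css(css)
  kept = []
  rejected = []
  css.scan(/([^{}]+)\{([^{}]*)\}/m) do |selector, body|
    selector = selector.strip
    unless selector.match?(SELECTOR_RE)
      rejected << "selector: #{selector}"
      next
    end
    decls = body.split(";").map(&:strip).reject(&:empty?).filter_map do |decl|
      prop, value = decl.split(":", 2).map { |s| s.strip.downcase }
      if ALLOWED_PROPERTIES.include?(prop) && value.to_s.match?(VALUE_RE)
        "#{prop}: #{value}"
      else
        rejected << decl   # unknown property or value outside the grammar
        nil
      end
    end
    kept << "#{selector} { #{decls.join('; ')} }" unless decls.empty?
  end
  [kept.join("\n"), rejected]
end
# The keyword blacklist from the question, kept only for comparison: it fires on
# a harmless class name and says nothing about properties it has no word for.
BLACKLIST_RE = /binding|behavior/i
def blacklist_flags?(css)
  css.match?(BLACKLIST_RE)
end
# Constructed sample: a benign rule, a harmless class name containing "binding",
# the -moz-binding from the question, and a property not on the allow-list.
SAMPLE_CSS = <<~CSS
  .profile { color: #336699; font-size: 14px; }
  .binding-list { text-align: center; }
  .widget { -moz-binding: url(something); }
  .widget { background: url(http://example.com/x.png); }
CSS
```

Run `sanitize_css(SAMPLE_CSS)` to get the two surviving rules plus the two rejected declarations; a real deployment would extend ALLOWED_PROPERTIES and VALUE_RE deliberately, one property at a time, rather than hunting for new keywords to ban.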
