[Ur] Supporting 'style' attribute securely

Adam Chlipala adamc at impredicative.com
Sun Apr 15 12:59:17 EDT 2012


A number of folks have asked to be able to use the HTML 'style' 
attribute in Ur/Web.  It's easy enough to add the attribute with type 
[string], but this seems likely to allow for some sort of code injection 
attack.  At a minimum, URLs can appear in styles and be interpreted as 
URLs, which seems to function as a "universal interpreter" for whatever 
programming languages browsers want to support via URLs!  (At a 
minimum, there are "javascript:" URLs.)

So, any suggestions on "the right way" to support 'style' in Ur/Web?  
I'm unlikely to accept an idea that leaves open code injection 
vulnerabilities; one important global guarantee of Ur/Web is that code 
injection attacks are impossible.  But I don't have such a clear idea of 
(a) what the attack possibilities are in CSS style code and (b) what the 
appropriate countermeasures are, including how they should be 
represented with typed combinators in Ur/Web.



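As a concrete sketch of the allow-list style of countermeasure for (b), here is an added Python example; it is not code from this post or from the Ur/Web project. It validates a 'style' attribute value declaration by declaration: each property must be in a small table, and its value must fully match that property's grammar. Nothing is block-listed; a declaration that cannot be proven harmless is rejected, so url(), escapes, comments and quoting never reach the output. The property table, the UnsafeStyle/sanitize_style/is_safe_style names and the sample inputs are all constructed for this example. A typed-combinator version in Ur/Web would express the same table as types, so that only values the grammar admits are representable at all.

```python
import re

# Allow-list of style properties and the value grammar each one accepts.
# The table is constructed for this example; extend it deliberately, one
# property at a time, rather than trying to enumerate what to forbid.
_COLOR = r"(?:#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{3,20})"
_LENGTH = r"(?:0|-?[0-9]+(?:\.[0-9]+)?(?:px|em|rem|pt|%))"
_LENGTHS = rf"{_LENGTH}(?:\s+{_LENGTH}){{0,3}}"

SAFE_PROPERTIES = {
    "color": re.compile(_COLOR),
    "background-color": re.compile(_COLOR),
    "font-size": re.compile(_LENGTH),
    "font-weight": re.compile(r"(?:normal|bold|[1-9]00)"),
    "text-align": re.compile(r"(?:left|right|center|justify)"),
    "margin": re.compile(_LENGTHS),
    "padding": re.compile(_LENGTHS),
    "width": re.compile(rf"(?:auto|{_LENGTH})"),
}


class UnsafeStyle(ValueError):
    """Raised for any declaration that is not provably harmless."""


def sanitize_style(style: str) -> str:
    """Return a normalized 'prop: value; ...' string made only of allow-listed
    declarations whose values fully match their grammar; raise otherwise.

    Every accepted value matches a regex that admits only letters, digits,
    '#', '.', '-', '%' and whitespace, so the result can never contain
    parentheses, quotes, backslashes, comments, '<', '&' or a URL, and it is
    therefore also safe to emit inside a double-quoted HTML attribute as-is.
    """
    accepted = []
    for declaration in style.split(";"):
        if not declaration.strip():
            continue  # tolerate a trailing ';' or empty segments
        if ":" not in declaration:
            raise UnsafeStyle(f"malformed declaration: {declaration!r}")
        prop, value = declaration.split(":", 1)
        prop = prop.strip().lower()
        value = value.strip()
        grammar = SAFE_PROPERTIES.get(prop)
        if grammar is None:
            raise UnsafeStyle(f"property not allow-listed: {prop!r}")
        # fullmatch (not search/match) so nothing can be smuggled after a
        # legitimate prefix; values are validated, not rewritten.
        if grammar.fullmatch(value) is None:
            raise UnsafeStyle(f"value rejected for {prop!r}: {value!r}")
        accepted.append(f"{prop}: {value}")
    return "; ".join(accepted)


def is_safe_style(style: str) -> bool:
    """Boolean wrapper around sanitize_style for callers that only gate."""
    try:
        sanitize_style(style)
        return True
    except UnsafeStyle:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two benign, two that the allow-list stops.
    samples = [
        "color: #ff0000; font-size: 12px;",
        "margin: 0 4px 0 4px; text-align: center",
        "color: red; background-image: url(javascript:alert(1))",
        "color: red/**/",
    ]
    for s in samples:
        try:
            print("OK      ", sanitize_style(s))
        except UnsafeStyle as e:
            print("REJECTED", e)
```

The important design choice is that the validator is a recognizer for a grammar, not a filter: it never tries to repair or strip a suspicious value, because any rewriting step is another parser the browser may disagree with. Rejecting whole declarations also keeps the output independent of how a particular browser tokenizes malformed CSS.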