[Ur] Supporting 'style' attribute securely

Edward Z. Yang ezyang at MIT.EDU
Sun Apr 15 13:55:41 EDT 2012


I can give a few examples, and we can patch them up, but perhaps
the bigger question is how adversarial we consider our users.
In an adversarial setting, the only secure policy is a whitelist
policy, and given the complexity of CSS you really need more
types than URLs and strings.

  - A trivial example: background-color:expression(...) causes JavaScript execution
    in Internet Explorer.

  - The background CSS property takes an embedded URL, so it is neither pure URL
    nor pure text.

  - User-provided styles can be used to implement phishing, via absolute
    positioning of user-controlled links on top of normal ones.

  - The innerHTML attack: foo.innerHTML = foo.innerHTML is not an idempotent
    operation; if applied multiple times you "lose" levels of backslash escaping.

  - Treatment of escape sequences is inconsistent across browsers; for example,
    numeric escapes don't work in many contexts.  You have to very carefully
    pick the escaping function you want.

  - Font-families are another can of worms, because they're "unrestricted" but
    subject to the above problems.

Edward
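To make the whitelist argument concrete, here is an added example (not Ur/Web code, and not from either author): a small style sanitizer in Python that gives each whitelisted property a typed validator (color, length, keyword) and drops every other declaration, so the vectors in the list above never reach the browser. The property set and value grammars are deliberately minimal, assumed ones for illustration.

```python
import re

# Typed validators: each returns a normalized value, or None to reject.
# The patterns are deliberately tight; anything outside them is dropped.
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")
LENGTH = re.compile(r"-?\d+(?:\.\d+)?(?:px|em|rem|%)?")
NAMED_COLORS = {"red", "green", "blue", "black", "white", "transparent"}

def color(v):
    v = v.lower()
    return v if HEX_COLOR.fullmatch(v) or v in NAMED_COLORS else None

def length(v):
    return v if LENGTH.fullmatch(v) else None

def keyword(*allowed):
    def check(v):
        v = v.lower()
        return v if v in allowed else None
    return check

# Whitelist: property -> validator.  Properties not listed are rejected, so
# url()-bearing 'background' and free-form 'font-family' never get through,
# and 'position' cannot become absolute/fixed (the overlay-phishing vector).
ALLOWED = {
    "color": color,
    "background-color": color,
    "font-size": length,
    "margin": length,
    "text-align": keyword("left", "center", "right", "justify"),
    "position": keyword("static", "relative"),
}

def sanitize_style(style):
    """Keep only whitelisted property:value pairs, returned in canonical form."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue  # not a declaration at all
        prop = prop.strip().lower()
        validator = ALLOWED.get(prop)
        checked = validator(value.strip()) if validator else None
        if checked is not None:
            kept.append(f"{prop}:{checked}")
    return ";".join(kept)
```

Because only values that fully match a type grammar survive, escape sequences, expression(...) and url(...) are rejected outright rather than escaped, which sidesteps the cross-browser escaping and innerHTML re-parsing problems.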

Excerpts from Adam Chlipala's message of Sun Apr 15 13:28:01 -0400 2012:
> Edward Z. Yang wrote:
> > The obvious thing to do is to create a new datatype representing styles. There are a lot of things to worry about, e.g. colors and lengths and all of those types, which means it'd need a bit of engineering effort. But you want this because there are a lot of non-canonical representations and Javascript injection vectors to worry about. (This is speaking from my experience with HTML Purifier)
> 
> The strawman I had in mind was that a style would be a list of key-value 
> pairs, with pretty standard escaping applied to keys.  Values would be 
> either URL's or text, with suitable escaping applied to each, so that 
> "text" values can never contain URL's.
> 
> Do you have a few examples showing inadequacy of the strawman?
> 
> > Adam Chlipala <adamc at impredicative.com> wrote:
> >
> >> A number of folks have asked to be able to use the HTML 'style'
> >> attribute in Ur/Web.  It's easy enough to add the attribute with type
> >> [string], but this seems likely to allow for some sort of code injection
> >> attack.  At a minimum, URL's can appear in styles and be interpreted as
> >> URL's, which seems to function as a "universal interpreter" for whatever
> >> programming languages browsers want to support via URL's!  (At a
> >> minimum, there are "javascript:" URL's.)
> >>
> >> So, any suggestions on "the right way" to support 'style' in Ur/Web?
> >> I'm unlikely to accept an idea that leaves open code injection
> >> vulnerabilities; one important global guarantee of Ur/Web is that code
> >> injection attacks are impossible.  But I don't have such a clear idea of
> >> (a) what the attack possibilities are in CSS style code and (b) what the
> >> appropriate countermeasures are, including how they should be
> >> represented with typed combinators in Ur/Web.
> >>
> 