ansaurus

Question

Answer 1

A:

This is a tricky question. HTML encoding is not going to help for this type of XSS. HTML Purifier's CSS filter will only fix <div> tags, which isn't good enough. In this specific case the part of the CSS that makes this a security threat is the word "javascript", and the variation java\nscript

This quote is taken from the Sammy worm explanation (Sammy was the XSS worm that spread on MySpace):

myspace strips out the word "javascript" from ANYWHERE. To get around this, some browsers will actually interpret "java\nscript" as "javascript" (that's javascript). Example: <div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')">

A simple, and secure solution to XSS in CSS would be the following line of Ruby:

css=css.gsub(/(java|script)/i, "") (Although is is very likely that stopping just the word "java" or just "script" would make xss in css impossible i matched both out of paranoia)

Rook 2010-06-16 08:22:13

This regexp won't match java\nscript. `a*` means "any series of a's", not "an a followed by any number of characters".

Amnon 2010-06-16 09:22:27

@Amnon good call, i changed my regex.

Rook 2010-06-16 18:36:34

Answer 2

+4 A:

Rails has a built-in css sanitizer

See http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize_css and its parent http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize

> ActionController::Base.helpers.sanitize_css('background:#fff')
=> "background: #fff;" 
> ActionController::Base.helpers.sanitize_css('javascript:alert("garr");')
=> ""

mylescarrick 2010-06-16 08:28:10

Ok, thank you! But as I understand it this method is only used to sanitize a style attribute on a HTML element. It can't be used to sanitize an entire stylesheet…?

Erik 2010-06-16 17:34:33

It should be just the same - one line or a stack of lines... it won't matter.

mylescarrick 2010-06-17 06:55:26

Answer 3

A:

Sanitizing CSS could be simple if you start using something like LESS. Less offers a tool that parses CSS and raise an exception if the CSS is not valid. This will both make sure the CSS the user entered is valid (feature!) and avoid any dangerous injections.

marcgg 2010-06-16 08:31:02

mylescarrick 2010-06-16 08:33:17

@mylescarrick: They don't have to write less, they can just write plain CSS.

marcgg 2010-06-16 09:15:02

I installed the less gem and did a quick test to parse "bad code" (i e javascript code in a background attribute), however Less didn't remove this. Maybe there was some argument to the Less.parse method that I missed…?

Erik 2010-06-16 17:43:52

Answer 4

A:

Here is something i came across:

Liquid is a template engine which was crafted for very specific requirements

It has to have simple markup and beautiful results. Template engines which don’t produce good looking results are no fun to use.
It needs to be non-evaling and secure. Liquid templates are made so that users can edit them. You don’t want to run code on your server which your users wrote.
It has to be stateless. The compile and render steps have to be separate, so that the expensive parsing and compiling can be done once; later on, you can just render it by passing in a hash with local variables and objects.
It needs to be able to style emails as well as HTML.

Check it out here: http://github.com/tobi/liquid

Shripad K 2010-06-20 14:05:34

ansaurus

tags:

views:

answers:

Sanitizing CSS in Rails

related questions