I currently have a form that allows administrators to change basic CSS attributes on a website. I was thinking of creating a form for advanced admins that will display the entire CSS file inside a text area and allow them to edit it freely. I'm not worried about the file being wiped as it can be easily restored. What I am worried about is that someone could add some code to the CSS file that could cause major damage to the web server. Is it possible to execute malicious code from a CSS file?
Yes, there are some XSS risks to consider. XSS doesn't attack your web server directly with malicious code. It is an attack on other users of your system, via their own browser. Basically, it is a browser-based code execution flaw, albeit limited to what JavaScript can do (quite a lot though, bar escaping from the browser sandbox).
As you are letting them edit text presented in a CSS file, this mitigates some of the attacks that are only possible when CSS is embedded in an HTML document (such as via STYLE="" attributes and <style> tags).
However, the following risks are still present:
- expression directive allows JavaScript to be inserted into a CSS stylesheet. Note that this only affects Internet Explorer version 8 and earlier.
- url directive can allow javascript: style URLs on Internet Explorer 6.
- -moz-binding is available on Firefox 2 and 3. The Google Browser Security Handbook doesn't appear to have been updated since Firefox 3. This post indicates this is now fixed so that the XML file has to be readable from your own domain. XBL doesn't seem to be possible in current versions of Firefox.
Note that allowing users to alter your CSS gives them the ability to freely position text. This would enable a malicious user to mimic trusted UI elements with their CSS code and possibly be able to trick users with the newly rendered page. This very much depends on the functionality present and the intent of the rest of your site. Definitely bear this in mind.
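As an added illustration (not part of the answer above or any project it mentions), here is a server-side check an application could run on the stylesheet text submitted through the "advanced admin" form before saving it. It flags the three legacy constructs the answer lists, expression(), url(javascript:...) and -moz-binding, after normalising the text the way a lenient CSS parser would (comments stripped, CSS escapes decoded), so that split or escaped spellings such as expr/**/ession or jav\61script are still caught. The function names, pattern list and sample stylesheet are all constructed for this example.

```javascript
// Added example: gate a submitted stylesheet on the legacy CSS script
// vectors named in the answer. Not code from the original post.

// Normalise the submitted CSS before matching: drop /* comments */, decode
// hex escapes such as "\61" (CSS allows up to six hex digits plus one
// optional whitespace), unescape "\x" sequences, strip NULs, lower-case.
function normalizeCss(css) {
  let out = css.replace(/\/\*[\s\S]*?\*\//g, '');
  out = out.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (m, hex) => {
    const cp = parseInt(hex, 16);
    return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
  out = out.replace(/\\(.)/g, '$1');
  out = out.replace(/\0/g, '');
  return out.toLowerCase();
}

// The three constructs the answer lists, with the browsers they affected.
const RISKY_PATTERNS = [
  { name: 'expression()',    re: /expression\s*\(/ },                     // IE <= 8
  { name: 'javascript: url', re: /url\s*\(\s*['"]?\s*javascript\s*:/ },   // IE 6
  { name: '-moz-binding',    re: /-moz-binding\s*:/ },                    // Firefox 2/3 XBL
];

// Returns the names of every pattern found; an empty array means the
// stylesheet contains none of the listed constructs and may be stored.
function findRiskyCss(css) {
  const text = normalizeCss(css);
  return RISKY_PATTERNS.filter(p => p.re.test(text)).map(p => p.name);
}

// Constructed sample of what an advanced admin might submit (hypothetical).
const submittedCss = `
/* constructed sample submitted through the admin form */
body { background: url(jav\\61script:alert(1)); }
.ad  { width: expr/**/ession(alert(document.cookie)); }
h1   { -moz-binding: url("http://example.invalid/binding.xml#x"); }
p    { color: #333; }
`;

console.log(findRiskyCss(submittedCss));
// → [ 'expression()', 'javascript: url', '-moz-binding' ]
```

Reject the save (and log the attempt) when the array is non-empty. Note what this check cannot do: the UI-mimicry problem the answer ends on is ordinary, valid CSS, so no pattern list will catch it; that risk is only controlled by deciding who is trusted with the stylesheet at all.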