Updated Apr 06, 2009 by mikesamuel
Labels: Attack-Vector
CssImportsAllowUnsanitizedCodeExecution  
@import(<url>) can allow execution of script in unsanitized CSS

Reported by Michal Zalewski

@import can import unsanitized CSS

Effect

Allows import of arbitrary CSS, which can execute arbitrary JavaScript.

Background

In a CSS file or <style> tag, an @import declaration can be used to import styles from an external source specified by a URL, resolved relative to the URL of the CSS or HTML file containing the @import.

The data: URL scheme can be used to specify inline content in some browsers.

Assumptions

@import is allowed in style tags or third-party CSS files and is not restricted to known-safe CSS.

Versions

All

Example

expression() is IE-specific, but the same could be applied to -moz-binding in Firefox. IE 7 does not support data: URLs.

    <style>
    @import "data:text/css;charset=UTF-8,p%7Bwidth%3Aexpression%28alert%281%29%29%7D";
    </style>

An @import with an HTTP URL will also allow importing of unsanitized CSS.

IE has an undocumented extension that serves as a shorthand for @import:

    <style><!--@\ "http://www.finjan.com/mcrc/file.css";--></style>
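The following is an added defender-side example, not code from the Caja project or from this page: a JavaScript check that flags the constructs described above (any @import, including escaped at-keywords such as the IE "@\ " shorthand, data: URLs, expression() and -moz-binding) so that a sanitizer can reject a stylesheet before a browser ever sees it. The at-rule allowlist, the function names and the reason labels are assumptions of this example; it is a string-level scan, not a full CSS parser.

```javascript
// Added example, not part of the Caja sanitizer. Assumed allowlist of
// at-rules a sanitizer may pass through unchanged; everything else is flagged.
const ALLOWED_AT_RULES = new Set(['media', 'page']);

// Remove /* */ comments and the HTML comment delimiters that browsers ignore
// inside <style>; the IE "@\ " shorthand on this page hides inside <!-- -->.
function normalizeCss(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/<!--|-->/g, ' ');
}

// Resolve CSS backslash escapes so that "@\69mport" and "@import" compare
// equal: "\69" -> "i", "\ " -> " ", "\m" -> "m".
function unescapeCssIdent(ident) {
  return ident.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([\s\S])/g,
    (match, hex, ch) => (hex !== undefined ? String.fromCodePoint(parseInt(hex, 16)) : ch));
}

// Returns a list of { kind, snippet } findings; an empty list means no hazard seen.
function findCssHazards(css) {
  const src = normalizeCss(css);
  const findings = [];

  // 1. At-rules: '@' followed by an identifier that may contain escapes.
  const atRule = /@((?:\\[0-9a-fA-F]{1,6}\s?|\\[\s\S]|[-\w])+)/g;
  let m;
  while ((m = atRule.exec(src)) !== null) {
    const raw = m[1];
    const name = unescapeCssIdent(raw).trim().toLowerCase();
    if (raw.includes('\\')) {
      // Escaped at-keyword: IE treats "@\ " as @import, so any escape is rejected.
      findings.push({ kind: 'escaped-at-rule', snippet: m[0] });
    } else if (name === 'import') {
      // Imported CSS is fetched by the browser and never passes through the sanitizer.
      findings.push({ kind: 'import', snippet: m[0] });
    } else if (!ALLOWED_AT_RULES.has(name)) {
      findings.push({ kind: 'unknown-at-rule', snippet: m[0] });
    }
  }

  // 2. Values that execute script (IE expression(), Firefox -moz-binding)
  //    and inline data: content inside url() or a string literal.
  const valueChecks = [
    ['expression', /expression\s*\(/gi],
    ['moz-binding', /-moz-binding\b/gi],
    ['data-url', /(?:url\s*\(\s*|["'])\s*data\s*:/gi],
  ];
  for (const [kind, re] of valueChecks) {
    let v;
    while ((v = re.exec(src)) !== null) findings.push({ kind, snippet: v[0] });
  }
  return findings;
}

function isSafeCss(css) {
  return findCssHazards(css).length === 0;
}

// Constructed sample input (not from the page): the first is rejected for the
// @import and the data: URL, the second passes.
console.log(findCssHazards('@import "data:text/css,p%7Bcolor%3Ared%7D";'));
console.log(isSafeCss('@media screen { p { color: red } }'));
```

The scan deliberately rejects every escaped at-keyword rather than trying to decode which ones mean @import, since the page notes that IE's shorthand is undocumented; a sanitizer that only recognises the literal spelling "@import" would miss it.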
