[personal profile] branchandroot
Okay, I am annoyed. I have been unable to find any security issues associated with user-entered or user-uploaded CSS except in cases where a url is permitted as a value. Presumably setting one's loading form to refuse any document with http in it anywhere, or just strip the http string, will fix this.

So WHY is the AO3 skin dialogue so freaking limited?! *yanks own hair* This is supposedly for security reasons, but I fail to see what they could possibly be as long as http strings are axed.

Especially the :before. I could see it being a vandalism concern, but that just means that the reviewer for public skins may want to do a quick find for any "before"s or "after"s. But a security issue? And for pity's sake what's the problem with text-transform? Is there a security issue with me capitalizing things?!

This brief rant brought to you by the number of CSS variables which do not seem to be whitelisted for even private AO3 skins. And the increasing suspicion that both the explanation and the error message script were poorly thought out, totally aside from the obvious bugs in the allow/disallow script.

All I want is some freaking metadata labels! This platform has distinguished itself as the second, only after Wordpress, to receive an "argh" tag of its very own.
(deleted comment)

Date: 2011-04-17 11:50 pm (UTC)
From: [personal profile] synecdochic
Pure CSS can be pretty dangerous all on its own, and is the most common vector for XSS attacks, which in turn were something like 90% of vulnerabilities discovered last year. It's definitely a security issue: if you have total control over the CSS you can add, you can get at the user's cookies and force their browser to run whatever you want it to.

(Which is not to say that your frustrations about the whitelist are not warranted, etc! I'm sure there are some things they forgot to whitelist, and that's why LJ/DW uses blacklist and not whitelist. But still. It's not as harmless as people think.)
Edited (clarify) Date: 2011-04-17 11:51 pm (UTC)
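Taking the comment above together with the post's own point about url values, here is an added illustration (not code from the post, AO3 or Dreamwidth) of the allowlist-plus-value-check shape a skin filter can take: properties like text-transform and content are harmless to allow, while any url() value, not only ones containing the string "http", is what needs rejecting. The property list, the patterns and the sample skin are assumptions.

```python
import re

# Hypothetical property allowlist for a user-submitted skin. The properties the
# post complains about (text-transform, content for :before labels) are safe to
# allow; the risk lives in the *value*, not in the property name.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "text-transform", "content", "margin", "padding", "border", "display",
}

# Value constructs that reach outside the stylesheet. url( is rejected
# outright: stripping the string "http" would miss protocol-relative and
# data: URLs. Backslashes are rejected because CSS escapes can disguise tokens.
FORBIDDEN_VALUE = re.compile(
    r"url\s*\(|expression\s*\(|-moz-binding|\\|<", re.IGNORECASE
)
AT_RULE = re.compile(r"@(?:import|charset|namespace)[^;]*", re.IGNORECASE)
DECLARATION = re.compile(r"([-a-z]+)\s*:\s*([^;]+)", re.IGNORECASE)


def check_skin(css):
    """Return (accepted, rejected) lists of (property, value) declarations.

    Regex-based and deliberately simplified: a production filter would use a
    real CSS parser, but the allowlist-plus-value-check shape is the same.
    """
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)  # drop comments
    accepted, rejected = [], []
    for rule in AT_RULE.findall(css):  # at-rules that pull in other resources
        rejected.append(("@rule", rule.strip()))
    for block in re.findall(r"\{([^}]*)\}", css):  # selectors are left alone
        for prop, value in DECLARATION.findall(block):
            prop, value = prop.lower(), value.strip()
            if prop not in ALLOWED_PROPERTIES or FORBIDDEN_VALUE.search(value):
                rejected.append((prop, value))
            else:
                accepted.append((prop, value))
    return accepted, rejected


# Constructed sample skin (not from the post); example.invalid is a placeholder.
SAMPLE_SKIN = """
@import url(http://example.invalid/a.css);
.meta dt:before { content: "Rating: "; text-transform: uppercase; }
.title { color: #336; background-color: #fff; }
.banner { background-image: url(http://example.invalid/b.png); }
.sneaky dd:before { content: url(//example.invalid/x); }
"""

if __name__ == "__main__":
    ok, bad = check_skin(SAMPLE_SKIN)
    print("accepted:", ok)
    print("rejected:", bad)
```

The last sample rule is the case a plain "strip http" rule would let through: the property is allowed, but its value still fetches a remote resource.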

Date: 2011-04-18 12:27 am (UTC)
From: [personal profile] synecdochic
Ah, got it -- I'm not at all familiar with AO3 stuff, since I don't have an account there!

Date: 2011-04-18 12:35 am (UTC)
From: [personal profile] synecdochic
Oh, I totally grok the needing to froth. :)
