*What* css security issues?
Apr. 17th, 2011 12:16 pm
Okay, I am annoyed. I have been unable to find any security issues associated with user-entered or user-uploaded CSS except in cases where a url is permitted as a value. Presumably setting one's loading form to refuse any document with http in it anywhere, or just strip the http string, will fix this.
So WHY is the AO3 skin dialogue so freaking limited?! *yanks own hair* This is supposedly for security reasons, but I fail to see what they could possibly be as long as http strings are axed.
Especially the :before. I could see it being a vandalism concern, but that just means that the reviewer for public skins may want to do a quick find for any "before"s or "after"s. But a security issue? And for pity's sake what's the problem with text-transform? Is there a security issue with me capitalizing things?!
This brief rant brought to you by the number of CSS variables which do not seem to be whitelisted for even private AO3 skins. And the increasing suspicion that both the explanation and the error message script were poorly thought out, totally aside from the obvious bugs in the allow/disallow script.
All I want is some freaking metadata labels! This platform has distinguished itself as the second, only after WordPress, to receive an "argh" tag of its very own.
no subject
Date: 2011-04-18 12:16 am (UTC)
That last one is very confusing, given the author is using CSS for Cross Site Scripting rather than Cascading Style Sheet. I can see why XSS is more common.
At any rate, aside from adding any string including &x to the "strip this out" list, along with anything http, none of this would be applicable to user-loaded styles, at least on AO3. They're already escaped and run through a rendering engine to boot.
I'm not suggesting throwing away the blacklist, but what's in place there now is getting really absurd, and way beyond anything that would address the security examples you've mentioned.