Cross Site Scripting in CSS Stylesheets

by

From the browser security handbook

The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(…) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url(‘javascript:…’) directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

… and after reading that, I find this on StackOverflow. See Using Javascript in CSS
In Firefox, you can use XBL to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.

There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.

More Related Contents:

  1. How to make attractive button using CSS
  2. Center multiple images horizontally in CSS
  3. How do you easily horizontally center a using CSS? [duplicate]
  4. Select every Nth element in CSS
  5. Font Awesome 5 Choosing the correct font-family in pseudo-elements
  6. Footer at bottom of page or content, whichever is lower
  7. Is there a way to make a child DIV’s width wider than the parent DIV using CSS?
  8. CSS background opacity with rgba not working in IE 8
  9. Can I position an element fixed relative to parent? [duplicate]
  10. When will an tag not inherit color attribute of parent tag?
  11. Style child element when hover on parent
  12. Eliminate flash of unstyled content
  13. Hidden scrollbars in Firefox (allows scrolling but just no scrollbar)
  14. Can we use any other TAG inside along with ? [duplicate]
  15. CSS @font-face – what does “src: local(‘☺’)” mean?
  16. -webkit-margin adds unwanted margin on texts
  17. How to align nav items to the right in Bootstrap 5?
  18. Icon fonts not loading in IE11
  19. What is the value of the css ‘ex’ unit?
  20. How to Identify Microsoft Edge browser via CSS?
  21. Print Background colours in Chrome
  22. CSS Equivalent of the “if” statement
  23. Switching CSS classes based on screen size
  24. CSS3 3D Transform doesn’t work on IE11
  25. up/down arrow key issue with typeahead control (angular bootstrap UI)
  26. Creating CSS3 Circles connected by lines
  27. CSS: Constrain a table with long cell contents to page width?
  28. How do I change md-input-container placeholder color using css in angular material?
  29. internet explorer font face ssl
  30. Styling the arrow on bootstrap tooltips [duplicate]

Leave a Comment