Cross Site Scripting in CSS Stylesheets
From the browser security handbook
The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.
... and after reading that, I find this on StackOverflow. See Using Javascript in CSS
In Firefox, you can use XBL to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.
There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.
Can XSS attacks be performed from within a linked stylesheet?
In Internet Explorer, Firefox and other browsers you can embed JavaScript in CSS by specifying a javascript: URL in a url() CSS statement.
Even if you manage to filter these out, an attacker can still completely redesign the page (including all of its textual content) with advanced CSS. Therefore, it becomes extremely easy to trick users to execute stupid actions, which is what XSS is about. For example, you could make the Delete Account button fill the entire window and change its text to "Click here to win 1000$".
You can white-list a select few properties (text-*, font-*, color, background (only colors and gradients, no URLs or other fancy stuff)), but you'll have to reject anything that does not match these restrictions.
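One way to implement the allow-list this answer describes, as an added example that is not code from any of the posts above: the property list, the regular expressions, the sanitizeDeclarations() function and the sample inputs are all my own construction.

```javascript
// Allow-list filter for user-supplied inline CSS declarations (added example,
// not from the quoted answers). Only text-*, font-*, color and background are
// kept, and background may carry nothing but a color or a gradient, so url(),
// expression(), javascript: URLs and -moz-binding never reach the browser.
const ALLOWED_PROPERTY = /^(text-[a-z-]+|font(-[a-z-]+)?|color|background(-color|-image)?)$/;

// Value fragments that let a declaration load a resource or run script in some
// engines. Backslashes and comments are refused too, since "u\72l(" and
// "expr/**/ession(" are ways of smuggling those tokens past a naive check.
// '<', '>' and '&' are refused so the output cannot form markup if a caller
// forgets to attribute-encode it (it should still be encoded, as with
// htmlspecialchars() in the PHP snippet further down this page).
const FORBIDDEN_VALUE = /url\s*\(|expression\s*\(|javascript:|-moz-binding|\\|\/\*|[<>&]/i;

// A background value must be a plain color or a (repeating) gradient; gradient
// arguments may contain one level of nested parentheses for rgba()/hsla().
const SAFE_BACKGROUND =
  /^(#[0-9a-f]{3,8}|[a-z]+|rgba?\([\d\s.,%]+\)|hsla?\([\d\s.,%]+\)|(repeating-)?(linear|radial)-gradient\([^()]*(\([^()]*\)[^()]*)*\))$/i;

// Takes the body of a style attribute ("prop: value; prop: value") and returns
// the declarations that survived plus the ones that were thrown away, so the
// rejects can be logged for review.
function sanitizeDeclarations(css) {
  const kept = [];
  const rejected = [];
  for (const raw of css.split(';')) {
    const decl = raw.trim();
    if (!decl) continue;                       // empty piece after a trailing ';'
    const colon = decl.indexOf(':');
    if (colon < 0) { rejected.push(decl); continue; }
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTY.test(prop) || FORBIDDEN_VALUE.test(value)) {
      rejected.push(decl);                     // layout properties, url(), expression(), ...
      continue;
    }
    if (prop.startsWith('background') && !SAFE_BACKGROUND.test(value)) {
      rejected.push(decl);                     // background is color/gradient only
      continue;
    }
    kept.push(`${prop}: ${value}`);
  }
  return { css: kept.join('; '), rejected };
}

// Constructed sample: a javascript: URL in url() is dropped, the rest is kept.
const sample = sanitizeDeclarations('color: red; background: url(javascript:alert(1)); font-size: 12px');
```

Because width, position and similar layout properties are not on the list, the "make the button fill the window" trick from the previous answer is rejected along with script-carrying values.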
Can Malicious Code Be Executed From A CSS File?
It can if they have access to modify it. The link below describes XSS and CSS (cross-site scripting). They can redirect your background, as one example:
http://www.acunetix.com/websitesecurity/cross-site-scripting/
Cross Site Scripting Array Multiple Results
This is an update to the suggestion provided by "nobody".
The code provided was accurate except for the "." placement. Other than that, the code worked perfectly.
Suggested:
<td>"htmlspecialchars(.$results['Date Saved'], ENT_QUOTES)."</td>
Correct Code:
<td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
Complete Working Code:
<?php
// $results holds one row of the saved links. Each value goes through
// htmlspecialchars() with ENT_QUOTES so that both " and ' are encoded before
// it lands inside the single-quoted href attribute or the cell text.
echo "<tr align='center' bgcolor='#0f7ea3'>
<td height='25px'>"
.htmlspecialchars($results['Website'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Keywords'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Category'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
<td> <a href='" . htmlspecialchars($results['Website'], ENT_QUOTES) . "'>Click To Access Your Link</a></td>
</tr>" ;
Thank you so much.