http://qs1969.pair.com?node_id=166560

osfameron has asked for the wisdom of the Perl Monks concerning the following question:

After I read the recent post about Cross Site Scripting attacks, I sat down and wrote an HTML filter to make user-submitted HTML safe (using HTML::Parser). Then I read some more posts, and followed some links (I particularly liked this one) and then got scared.

You can call malicious code from an <IMG> tag??!! And even stranger, from a <STYLE> tag... (well, I thought it was strange, because STYLE is for, um, formatting, not for running code, but of course this allows for dynamically generated styles).

So, for plain HTML, I think I now know what I can do: I will add the necessary filtering ability to my self-rolled version, test it against the exploits listed in the various articles, and if it doesn't come up to scratch, I'll use HTML::TagFilter as recommended by some (Hell, I'll maybe use that anyway, but this is the first time I've been able to get HTML::Parser to do anything useful, so I'm enjoying reinventing this wheel...)

But if I want users to be able to submit their own Stylesheets, how do I parse the CSS entry to make sure they aren't adding malicious code? Can I just filter out @ and expression()? Surely there must be a pre-rolled solution? (I found CSS::SAC which looks like a CSS parser, but didn't seem to have any documentation on how to use it for this kind of eventuality.)

I think that one suggestion involved creating a user interface to limit what CSS is entered, which I don't want to have to do if I can avoid it!!

Cheerio!
Osfameron
http://osfameron.perlmonk.org/chickenman/
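An allow-list CSS filter, added here as an example (it is not code from this thread, nor from CSS::SAC or HTML::TagFilter): instead of filtering out `@` and `expression()`, it keeps only known property names and values built from harmless tokens, so `url()`, `expression()`, `@import`, comments and backslash escapes all fall away. The property list, the `sanitize_css` name and the sample sheet are assumptions made for the example.

```perl
use strict; use warnings;

# Property names a user sheet may set. Chosen for the example; a site would
# pick its own, but nothing that loads or runs content belongs on it.
my %ALLOWED_PROP = map { $_ => 1 } qw(
    color background-color font-family font-size font-weight font-style
    text-align text-decoration line-height margin padding border width
);

# A value may only contain words, numbers, units, hex colours, commas, percent
# signs, whitespace and quoted strings without backslashes: no parentheses
# (so no url() or expression()), no escapes, no "@", no ":".
my $SAFE_VALUE = qr{ \A (?: [A-Za-z0-9#.%,\-\s] | "[^"\\]*" | '[^'\\]*' )+ \z }x;
# Selectors: element, class, id, pseudo-class and combinator characters only.
my $SAFE_SELECTOR = qr{ \A [\w\s.#:>,*\-]+ \z }x;

sub sanitize_css {
    my ($css) = @_;
    $css =~ s{/\*.*?\*/}{}gs;                     # a comment can split a token
    my @rules;
    while ($css =~ /([^{}]+)\{([^{}]*)\}/g) {     # plain "selector { body }" only
        my ($selector, $body) = ($1, $2);
        $selector =~ s/^\s+|\s+$//g;
        next unless $selector =~ $SAFE_SELECTOR;  # drops @media, nested blocks
        my @decls;
        for my $decl (split /;/, $body) {
            my ($prop, $value) = split /:/, $decl, 2;
            next unless defined $value;
            s/^\s+|\s+$//g for $prop, $value;
            next unless $ALLOWED_PROP{ lc $prop } && $value =~ $SAFE_VALUE;
            push @decls, lc($prop) . ": $value";
        }
        push @rules, "$selector { " . join('; ', @decls) . " }" if @decls;
    }
    return join "\n", @rules;
}

# Constructed sample: harmless declarations mixed with ones that must be dropped.
my $sheet = <<'CSS';
/* user theme */
body { color: #fff; background: url(http://example.invalid/x.png) }
p { width: expression(1); font-family: "Times New Roman", serif }
@import url(other.css);
CSS
print sanitize_css($sheet), "\n";
```

Anything the filter is unsure about is dropped rather than escaped, so a user sees at once which declarations did not make it through.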

Re: Safe CSS Stylesheets
by belg4mit (Prior) on May 14, 2002 at 20:33 UTC
    I'd recommend not letting them do that. The CSS model used here is a good one to follow. There are CSS themes, but to become generally available any submissions would have to be audited. However, the user is free to insert a style sheet of their own for themselves (which btw, is just a crutch for old browsers; true CSS enabled browsers should support user-defined style sheets). UPDATE: Note of course this is exploitable as well, but requires the explicit action of the naive user, and there's not much you can do about that. If a user were to create a tainted sheet, make it publicly available and convince others to use it (maybe it "looks cool")...
  • Did you come across this FAQ?
  • It is interesting to note that the acronym CSS is also used for Cross Site Scripting.
  • As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
    --
    perl -pew "s/\b;([mnst])/'$1/g"

      Thanks - good links.

      One of the possible problems: text/data being added or hidden by the stylesheet doesn't seem so problematic to me. (On first glance anyway - I'll mull over it!!) The idea would be that every topic or discussion group would be owned by one person, who would set the stylesheet. If they want to add "BIG LIE" (as per the link's example) that's their business.

      On the other hand, it does seem like a fraught business, maybe I will go with accepting CSS sheets in a form and ratifying them centrally before releasing them to the general public. What a pain!

      (By the way, TheHobbit pointed out that my link to an external site above was wrong: thanks! This seems to work.)

      Cheerio!
      Osfameron
      http://osfameron.perlmonk.org/chickenman

Re: Safe CSS Stylesheets
by robot_tourist (Hermit) on May 15, 2002 at 07:31 UTC

    The <img /> and <style></style> tags can tell the browser to load things from any valid URI, plus I think all tags can contain the style="" attribute. Therefore, obviously they can be pointed to malicious web pages, cgi scripts etc. An image doesn't have to have a jpeg, png or gif extension and they can be created on the fly, so it would be hard to filter them by name. Plus, a malicious program could be given a picture-like extension that a properly configured server would be able to execute. I never thought of that last one before now, scary.

    I have a wiry brain/each eye a camera. Robot Tourist, by Ten Benson

      Style attributes (style="") do not refer to a URI, though any valid CSS setting for that element which uses a URI may be used. In this case the STYLE attribute and tag are not different.

      The SRC value of an IMG tag is not the issue, whatever type of image, the browser SHOULD only handle it as an image. Although certain plugins may have co-opted control of given MIME-types (e.g. QuickTime and PNG), and be exploitable. What was likely referred to is touched upon in the JavaScript discussion I linked to, IMG tags (and so many others) are allowed event attributes such as ONLOAD which can execute inlined script.

      The matter at hand is Cross Site Scripting, this is protecting the user from malicious foreign content. *Mis*configuration of a server to execute images on the server is irrelevant. (The only likely means for this is to have the execution bit set on the file on a UN*X server and allow execution of either any file, or files by location. Files from a Samba share typically appear to have the execution bit set. Again though, this affects the *server*.)

      --
      perl -pew "s/\b;([mnst])/'$1/g"
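The point made above, that the danger in IMG is not the SRC but event attributes such as ONLOAD, is what an HTML::Parser filter has to act on. Added example, not the original poster's filter: tags and attributes are allow-listed, so every on* handler and every style attribute is dropped, href/src values must carry no scheme other than http(s), and script/style content is discarded with the parser's own ignore_elements. The tag table, `safe_url`, `sanitize_html` and the sample are assumptions for the example.

```perl
use strict; use warnings;
use HTML::Parser;
use HTML::Entities qw(encode_entities);

# Allow-list of tag => attributes. Anything not listed, which includes every
# on* event attribute and every style attribute, is dropped rather than escaped.
my %ALLOWED = (
    p => [], b => [], i => [], em => [], strong => [], br => [],
    a   => ['href', 'title'],
    img => ['src', 'alt', 'width', 'height'],
);

# href/src must be http(s), an absolute path or a bare relative path; any other
# scheme (javascript:, data:, vbscript:) fails all three tests and is dropped.
sub safe_url {
    my ($url) = @_;
    return 0 if $url =~ /[^\x21-\x7e]/;   # whitespace, control or non-ASCII bytes
    return 1 if $url =~ m{\Ahttps?://}i;
    return 1 if $url =~ m{\A/(?!/)};      # absolute path, not protocol-relative
    return 1 if $url =~ m{\A[\w.\-]+(?:/[\w.\-]+)*\z};
    return 0;
}

sub sanitize_html {
    my ($html) = @_;
    my $out = '';
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [sub {
            my ($tag, $attr) = @_;
            my $names = $ALLOWED{$tag} or return;        # unknown tag: drop it
            my $t = "<$tag";
            for my $name (@$names) {
                next unless defined $attr->{$name};
                next if $name =~ /^(?:href|src)$/ && !safe_url($attr->{$name});
                $t .= qq{ $name="} . encode_entities($attr->{$name}) . '"';
            }
            $out .= "$t>";
        }, 'tagname, attr'],
        end_h  => [sub { $out .= "</$_[0]>" if $ALLOWED{$_[0]} }, 'tagname'],
        text_h => [sub { $out .= encode_entities($_[0]) }, 'dtext'],
    );
    $p->ignore_elements(qw(script style));   # drop their content, not just the tags
    $p->parse($html); $p->eof;
    return $out;
}

# Constructed sample: event attributes, a javascript: link and a script block.
my $sample = '<p onclick="x()">Hi <img src="pic.png" onload="x()" alt="me">'
           . ' <a href="javascript:x()">link</a><script>x()</script></p>';
print sanitize_html($sample), "\n";
```

The text handler uses the decoded text ('dtext') and re-encodes it, so entity tricks in the input come out as plain visible characters.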