Phuks-co / throat

Open Source link aggregator and discussion platform powering Phuks
https://phuks.co
MIT License

Custom sub stylesheets permit HTML injection #529

Closed happy-river closed 1 year ago

happy-river commented 1 year ago

HTML can be injected into the page using a sub stylesheet. Here's an example stylesheet which will pass CSS validation and create a div on the page:

body {
  background-image: </style><div class="popup">Gotcha</div></script>;
}

A separate but also important bug in CSS validation is that misc.validate_css will fail to check URLs and strings in any rules wrapped in a @media rule.

For those of you running Throat sites, I've made a branch https://github.com/happy-river/throat/tree/disable-sub-styles which puts an immediate stop to this problem by removing sub stylesheets from the page templates and hiding the UI for them. Another strategy, if you're willing to manually review all the stylesheets that are already on your site, would be to make /do/edit_sub_css/<sub> an admin-only route.
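A defensive counterpart to the report above, added here as an illustration and not code from the Throat project or the reporter: a small validator that refuses the injection shown in the issue and also descends into nested at-rules such as @media, the gap described for misc.validate_css. The brace-walking parser, the url() allowlist (`https://` and `/static/` prefixes) and the sample stylesheets are all assumptions constructed for this example.

```python
import re

# Allowlist of url() destinations. This is an assumption for the example, not
# Throat's real policy.
ALLOWED_URL_PREFIXES = ("https://", "/static/")

URL_RE = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
# Legacy/vendor constructs that let CSS run script in old engines.
SCRIPTY_VALUE_RE = re.compile(r"expression\s*\(|javascript:|-moz-binding", re.IGNORECASE)


def iter_declarations(css):
    """Yield (prelude, property, value) for every declaration in the stylesheet.

    Blocks whose body itself contains '{' (for example @media or @supports)
    are descended into, so declarations nested at any depth are still seen.
    """
    i, n = 0, len(css)
    while True:
        open_brace = css.find("{", i)
        if open_brace == -1:
            return
        prelude = css[i:open_brace].strip()
        # Find the matching close brace by depth counting.
        level, j = 1, open_brace + 1
        while j < n and level:
            if css[j] == "{":
                level += 1
            elif css[j] == "}":
                level -= 1
            j += 1
        if level:
            raise ValueError("unbalanced braces")
        body = css[open_brace + 1:j - 1]
        if "{" in body:
            yield from iter_declarations(body)
        else:
            for decl in body.split(";"):
                prop, sep, value = decl.partition(":")
                if sep:
                    yield prelude, prop.strip(), value.strip()
        i = j


def validate_css(css):
    """Return a list of problems; an empty list means the stylesheet passes."""
    problems = []
    # The stylesheet is emitted verbatim inside <style>, where HTML entities
    # are not decoded, so the robust policy is to refuse '<' anywhere: valid
    # CSS never needs it. This catches </style> in a value, a comment or a
    # selector alike, regardless of nesting.
    if "<" in css:
        problems.append("'<' is not allowed anywhere in a sub stylesheet")
    try:
        declarations = list(iter_declarations(css))
    except ValueError as exc:
        return problems + [str(exc)]
    for prelude, prop, value in declarations:
        for match in URL_RE.finditer(value):
            target = match.group(2).strip()
            if not target.startswith(ALLOWED_URL_PREFIXES):
                problems.append(f"{prelude} {{ {prop} }}: url {target!r} not in allowlist")
        if SCRIPTY_VALUE_RE.search(value):
            problems.append(f"{prelude} {{ {prop} }}: script-capable value")
    return problems


# Constructed samples: the stylesheet from the report, a url() hidden under
# @media, and a benign sheet that should pass.
INJECTION = 'body {\n  background-image: </style><div class="popup">Gotcha</div></script>;\n}'
NESTED = '@media (max-width: 600px) {\n  body { background-image: url(http://example.invalid/bg.png); }\n}'
BENIGN = 'body { background-image: url("https://example.test/bg.png"); color: #333; }'

if __name__ == "__main__":
    for name, css in (("injection", INJECTION), ("nested", NESTED), ("benign", BENIGN)):
        print(name, validate_css(css) or "ok")
```

The whole-text check on `<` is the important one: escaping the stylesheet on output does not help, because a browser does not decode entities inside a style element, and a per-rule check that stops at the first @media block misses anything nested below it. The brace walker here does not understand CSS comments or strings containing braces, so a production validator should sit on a real tokenizer rather than this sketch.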