When using the DOMPurify library to sanitize HTML from malicious code here, the library doesn't sanitize CSS style tags. These can be used to change the website's appearance and possibly to pull off clickjacking attacks. - https://portswigger.net/web-security/clickjacking
makuga01
commented
1 year ago
When using the DOMPurify library to sanitize HTML from malicious code here, the library doesn't sanitize CSS style tags. These can be used to change the website's appearance and possibly to pull off clickjacking attacks. - https://portswigger.net/web-security/clickjacking
PoC: https://flatgithub.com/makuga01/csv-test?filename=css.csv&sha=9cfecff99206e7a11716d14b48a2edb9c16ce0c1
I suggest adding using a DOMPurify config like this one:
I also added HTML forms to the forbidden tags as they can be used for creating a fake login screen