The cheat sheet currently gives three examples of CSS:
1. <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
2. <style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
3. <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value
Only 2 is safe against IE's expression syntax even when correctly encoded (see Issue 236).
The text then goes on to say:
"All attributes should be quoted but your encoding should be strong enough to
prevent XSS when untrusted data is placed in unquoted contexts."
which is impossible since in an unquoted context, IE will still honour an
encoded expression.
There's a missing syntax:
4. <span style="property : '...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'">text</span> property value
It's a dangerous omission since it's the only safe syntax for the style attribute.
I think three things need to be done:
* Add syntax example 4
* Mark 1 and 3 as "unsafe"
* Modify the wording underneath to read "All attributes should be quoted or they will be vulnerable to XSS" or similarly acknowledge that encoding isn't enough in unquoted contexts.
Original issue reported on code.google.com by jon.trap...@googlemail.com on 6 Aug 2011 at 10:42
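The following is an added example, not part of the original issue and not the cheat sheet's own code. It shows one way to act on the report's three points in code: a CSS string escaper (every character outside [A-Za-z0-9] becomes a \HH hex escape followed by a space, so the escaped value can only ever be read as string content) and a renderer that emits only the two quoted contexts (examples 2 and 4) and refuses the unquoted ones (examples 1 and 3). The function names, the context numbering map and the hostile-looking sample input are all constructed for this example.

```javascript
// Added example (hypothetical helper names; not from the issue or the cheat sheet).
// Escape untrusted data for a CSS *string* context. Everything other than
// [A-Za-z0-9] is emitted as \HH followed by a space; the trailing space stops the
// next character from being swallowed into the escape. The output contains only
// letters, digits, backslashes and spaces, so it also needs no further HTML
// attribute encoding when placed inside a double-quoted style="..." attribute.
function cssEscape(untrusted) {
  let out = "";
  for (const ch of String(untrusted)) {
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else {
      out += "\\" + ch.codePointAt(0).toString(16).toUpperCase() + " ";
    }
  }
  return out;
}

// Property names and selectors are developer-controlled literals, never
// untrusted data; reject anything that does not look like one.
function assertTrustedToken(name, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(value)) {
    throw new Error(`${name} must be a trusted CSS identifier, got ${JSON.stringify(value)}`);
  }
}

// Contexts numbered as in the issue text. Only 2 and 4 quote the value, and
// encoding alone cannot make 1 or 3 safe, so those are not rendered at all.
const CSS_CONTEXTS = {
  1: { quoted: false, note: "unquoted property value inside <style>" },
  2: {
    quoted: true,
    render: ({ selector, property, untrusted }) =>
      `<style>${selector} { ${property}: "${cssEscape(untrusted)}"; }</style>`,
  },
  3: { quoted: false, note: "unquoted property value inside a style attribute" },
  4: {
    quoted: true,
    // Single quotes for the CSS string because the attribute itself is
    // double-quoted; cssEscape output never contains either quote character.
    render: ({ property, untrusted, text }) =>
      `<span style="${property}: '${cssEscape(untrusted)}'">${text}</span>`,
  },
};

// Render untrusted data into one of the numbered contexts, refusing 1 and 3.
function renderCss(contextId, opts) {
  const ctx = CSS_CONTEXTS[contextId];
  if (!ctx) throw new Error(`unknown context ${contextId}`);
  if (!ctx.quoted) {
    throw new Error(`context ${contextId} (${ctx.note}) is unsafe even with encoding; use a quoted context`);
  }
  assertTrustedToken("property", opts.property);
  if (opts.selector !== undefined) assertTrustedToken("selector", opts.selector);
  return ctx.render(opts);
}

// Constructed hostile input for demonstration: tries to end the value and start
// a new declaration containing an expression() call.
const SAMPLE_UNTRUSTED = "red; width:expression(1)";

function demo() {
  return {
    styleElement: renderCss(2, { selector: "p", property: "color", untrusted: SAMPLE_UNTRUSTED }),
    styleAttribute: renderCss(4, { property: "color", untrusted: SAMPLE_UNTRUSTED, text: "hello" }),
  };
}
```

In both rendered forms the escaped value contains no raw `;`, `(`, `)` or quote characters, so it cannot close the string it was placed in; the same escaper would not help in contexts 1 and 3, which is why `renderCss` refuses them rather than offering a "strong enough" encoding for them.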