un-ts / domiso

The smallest and fastest DOM sanitizer based on browser native DOMParser
https://domiso.js.org
MIT License

[bug] JavaScript evaluation in CSS `url` #35

Closed JounQin closed 10 months ago

JounQin commented 10 months ago
```css
background: url('javascript:alert(100)');
```
JounQin commented 10 months ago

https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html#rule-4-javascript-escape-before-inserting-untrusted-data-into-the-css-attribute-subcontext-within-the-execution-context

> From my experience, calling the expression() function from an execution context (JavaScript) has been disabled. In order to mitigate against the CSS url() method, ensure that you are URL encoding the data passed to the CSS url() method.
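As an added illustration of the check a sanitizer needs here (example code, not domiso's own implementation; the function names `normaliseUrlValue`, `isSafeUrlValue` and `sanitizeStyle` are assumptions of this example): every `url()` value in a style declaration is normalised and its scheme compared against an allowlist, so that the `javascript:` case reported above is dropped while ordinary image URLs survive.

```javascript
// Added example (not domiso's code): reject url() values in a CSS
// declaration block unless their scheme is on a small allowlist.
// Schemeless (relative) URLs are accepted.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Match url( ... ) with an optional quote, capturing the inner value.
const URL_TOKEN = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

// Normalise before inspecting the scheme: resolve CSS hex escapes,
// percent-decode, then strip whitespace/control characters and case-fold.
// Over-normalising on the defender's side can only reject more, never less.
function normaliseUrlValue(raw) {
  let value = raw.replace(/\\([0-9a-f]{1,6})\s?/gi, (_, hex) => {
    const cp = parseInt(hex, 16);
    return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
  try { value = decodeURIComponent(value); } catch { /* keep as is */ }
  return value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
}

function isSafeUrlValue(raw) {
  const value = normaliseUrlValue(raw);
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/.exec(value);
  if (!schemeMatch) return true; // relative URL, no scheme to check
  return ALLOWED_SCHEMES.has(schemeMatch[1] + ':');
}

// Return the declaration block with every declaration that carries an
// unsafe url() removed. Splitting on ';' is adequate for inline style
// attributes; full stylesheets would need a real CSS tokenizer.
function sanitizeStyle(cssText) {
  return cssText
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .filter((d) => [...d.matchAll(URL_TOKEN)].every((m) => isSafeUrlValue(m[2])))
    .join('; ');
}

// Constructed sample input: the declaration from the bug report.
console.log(JSON.stringify(sanitizeStyle("background: url('javascript:alert(100)');")));
```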