Just curious, can JavaScript (or anything aside from CSS actually...) be executed from the style attribute?
I have a chat room setup where users can customize their font using CSS (hasn't been an issue except for people setting their height/width in crazy fashions), and I want to make sure that they can't do anything that is harmful. Quotes/single quotes are already filtered out, so they are pretty much stuck in the style attribute; I just want to make sure they are safe there.
I did try googling (as always) but didn't find much on the subject, except CSS property lists that basically list what I expected them to.
Thanks for your time!
Sounds like you should be safe as long as they can't add HTML by closing off the current tag early.
umm.. only in _some_ crazy situations
IE allows "expression" & "eval" inside the CSS, which lets users execute JS.
This allows someone to do something like:
left:expression(eval( JS CODE ));
Using this, they can easily access the rest of your HTML+CSS+JS, change URLs, modify their cookie time and basically wreak havoc.
Didn't work in IE8
I tried running white;left:expression(eval(alert(undefined))); (and a few other related expressions) with no luck in IE8. Are expressions/evals allowed in style attributes? I wasn't able to find any supporting info one way or the other.
*Edit*
Well I was able to find some evidence they work in certain browser versions here:
http://ha.ckers.org/xss.html
I suppose my main concern is them using some sort of XSS to grab user info from other users, or force an admin into acting out some higher permissions exploit.
Any sort of meddling with the site's JavaScript locally could be done with any modern browser's developer toolset, so I don't view that as a real danger.
I guess I'll play around and see what I come up with... My initial thoughts are that filtering out eval/expression/javascript would take care of most issues.
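An allowlist-based sanitizer for the user's style string, added here as an example (it is not code from anyone in this thread). Rather than stripping known-bad words like eval/expression, it keeps only a fixed set of font-related properties whose values match a strict pattern, so parentheses, quotes, url(), angle brackets and oversized width/height never reach the style attribute; the property names and value patterns are this example's own assumptions for a chat font customizer.

```javascript
// Allowed properties and a strict pattern for each value (assumed allowlist).
// Every pattern excludes '(', quotes, '<', '>' and '/', which rules out
// expression(), url(), CSS comments and tag-closing tricks by construction.
const ALLOWED = {
  'color': /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i,
  'background-color': /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i,
  'font-family': /^[a-z][a-z0-9 ,-]{0,40}$/i,
  'font-weight': /^(normal|bold|[1-9]00)$/,
  'font-style': /^(normal|italic)$/,
  'text-decoration': /^(none|underline|line-through)$/,
  // font-size is bounded (8px to 24px) so nobody can fill the screen with text
  'font-size': /^(?:[8-9]|1[0-9]|2[0-4])px$/,
};

// Returns a cleaned "prop: value; prop: value" string containing only
// declarations from the allowlist; everything else is silently dropped.
function sanitizeStyle(input) {
  if (typeof input !== 'string' || input.length > 500) return '';
  const kept = [];
  for (const decl of input.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;                  // not of the form "prop: value"
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    const pattern = ALLOWED[prop];
    if (!pattern) continue;                    // property not in the allowlist
    if (!pattern.test(value)) continue;        // value has an unexpected shape
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed inputs: a benign one and the IE expression() pattern from above.
console.log(sanitizeStyle('color: #ff0000; font-size: 12px'));
console.log(sanitizeStyle('color: red; left: expression(eval(alert(1)))'));
```

The last two lines print `color: #ff0000; font-size: 12px` and `color: red` respectively; width/height and anything with a function call are removed rather than escaped.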
Na.. you're OK with IE8
Only older versions have this problem.
http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx