-
Notifications
You must be signed in to change notification settings - Fork 202
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
justify or revert addition of "position" to allowed CSS list #388
Comments
Thanks for pointing this out. Embarrassingly, the list of CSS properties in the README wasn't updated, either 😳 I'm not sure how to proceed re default CSS properties. The goal of HtmlSanitizer is to prevent XSS. XSS through standard CSS is impossible so we could allow all standard CSS properties. This is what's currently happening. OTOH we might want to try and minimize other kinds of wrongdoing like visually hiding elements etc. If that was the goal we'd have to disallow a lot of CSS properties (all the color ones, visibility etc etc). |
Concern over the position property comes from a "sandbox" security model of page content, where the goal is to allow an untrusted party to supply markup for a given region of the page. The untrusted markup should not affect anything else on the page by:
In this model, color and visibility attributes are permitted even though they could be used to make misleading content, because the security concern is about how the untrusted markup interacts with the rest of the page. |
So your suggestion is to exclude only the position property and allow all other standard CSS properties by default? |
Yes. |
d580039 added "position" to the default allowed CSS list without obvious justification.
The "position" property previously had been disallowed, presumably because of the potential to use it to create a misleading interface by overlaying malicious content.
http://www.technicalinfo.net/papers/Phishing.html
Please:
The text was updated successfully, but these errors were encountered: