如何在不引入XSS的情况下允许用户控制CSS? [英] How can I allow user controlled CSS without introducing XSS?

问题描述

我有一个应用程序，可以根据客户的要求自定义HTML模板.它提供了在创建模板时包括CSS样式脚本的规定，该模板将在生成模板时最后注入.这样，客户/支持人员可以动态生成各种HTML模板.

I have an application where I could customize HTML templates depending on requirement of client. It has a provision of including CSS style scripts when creating a template which would be injected at the end when generating the template. By this way, client/support person could dynamically generate variety of HTML templates.

但是当我将该项目进行安全扫描时，所有CSS注入都被检测为安全漏洞(XSS注入).我的应用程序本身是基于CSS注入进行设计的，因为创建动态HTML模板时不需要开发人员参与.

But when I give this project for a security scan, all the CSS injections are detected as security vulnerabilities (XSS Injections). My Application itself designed based on the CSS injection as it is required to create dynamic HTML template without the involvement of a developer.

有没有办法在达到应用程序最终结果的同时防止XSS安全漏洞?

Is there a way to prevent XSS security flaws at the same time of achieving application's end result?

请让我知道是否还有另一种方法.

Please let me know if there is an alternative way of doing this.

推荐答案

允许不受信任的CSS输入是XSS的缺陷，因为它可用于修正UI.例如，恶意用户可以通过使用相同的样式和位置来使他们的文本和内容看起来像是来自网站本身的权威文本.

Allowing untrusted CSS input is an XSS flaw as it could be used for redressing the UI. For example, a malicious user could make their text and content appear to be authoritative text coming from the website itself by dressing it with the same style and positioning.

有关更多信息，请参见 Google浏览器安全手册信息.

See the Google Browser Security Handbook for more information.

还有也可以通过CSS运行脚本 :

JavaScript执行的风险.作为一个鲜为人知的功能，一些CSS 实现允许将JavaScript代码嵌入样式表中. 至少有三种方法可以实现此目标: expression(...)指令，它可以求值 任意JavaScript语句并将其值用作CSS 范围;通过对属性使用url('javascript:...')指令 支持它；或通过调用特定于浏览器的功能(例如 -moz绑定机制.

The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

• 通过-moz-binding执行脚本在Firefox 2和3上可用.自Firefox 3起，似乎未更新Google浏览器安全手册. HTML组件允许在CSS中执行脚本.
• Script execution via -moz-binding is available on Firefox 2 and 3. The Google Browser Security Handbook doesn't appear to have been updated since Firefox 3. This post indicates this is now fixed so that the XML file has to be readable from your own domain. XBL doesn't seem to be possible in current versions of Firefox.
• In Internet Explorer 10 and earlier HTML Components allow script execution in CSS.

您可以通过实施HTML5沙箱来减轻不受信任的内容的风险.还可以考虑实施带有消毒措施的内容安全策略，以防止用户以任何方式逃避您的CSS上下文(我还没有没看到您的代码，但是我想知道用户是否输入</style>作为CSS的一部分，是否允许他们转义样式标签?).

You can mitigate the risk of untrusted content by implementing an HTML5 sandbox. Also consider implementing a Content Security Policy with sanitisation to prevent users from escaping from your CSS context in any way (I haven't seen your code, but I wonder if a user enters </style> as part of the CSS, whether it allows them to escape the style tag?).

这篇关于如何在不引入XSS的情况下允许用户控制CSS?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！