Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS in CSS
Posted by: rsnake
Date: August 21, 2006 07:20PM

There's an article at http://jeremybanks.ca/XSSIMG that goes over the very basics of what I talk about on the XSS Cheat Sheet http://ha.ckers.org/xss.html

One of the questions he proposes is why anyone would ever allow JavaScript through CSS. The obvious reason is that JavaScript can know a lot of things about a page, and make real time calculations based on that information that CSS cannot. JavaScript has a clear advantage there that CSS could never provide without becoming a fully scriptable engine (which sorta defeats the purpose of not having JavaScript). Anyway, there definitely is a purpose and it's definitely not safe on a page.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS in CSS
Posted by: Legionnaire
Date: August 22, 2006 03:15AM

It is a thin line. In our efforts to increase functionality we may compromise security. By using scripted languages we are exposing ourselves to possible exploits. On the other hand, that's why we are here right now talking about this stuff :P

Re: XSS in CSS
Posted by: trix
Date: August 22, 2006 08:10AM

Without JavaScript we might have to rely on server side generated scripts. Who really wants to do that? :p

trix

Re: XSS in CSS
Posted by: rsnake
Date: August 23, 2006 11:26AM

Well, at the end of the day, Ajax really is a mix of server generated content and JavaScript. JavaScript could really take care of everything by itself. I dunno the answer, actually. People want faster access, and server lookups just aren't cutting it. Dynamically streaming data is where it's at. Flash was way ahead of its time and Ajax is trying to catch up. Vectored graphics will be the wave of the future, which is why Microsoft is jumping on the game now. I don't care who wins, I just want to see the result, personally.

Re: XSS in CSS
Posted by: majohn
Date: August 30, 2006 09:58AM

The article is gone. Has anybody an archived version available?

Re: XSS in CSS
Posted by: rsnake
Date: August 30, 2006 11:07AM

No, and I checked IArchive and no luck there either. The article just basically talked about what CSS can do and why JavaScript was allowed in it. I'm not sure why he took it down. Maybe he wasn't prepared for the scrutiny? Either way, it wasn't an earth-shattering article; you didn't miss much.

- RSnake
Gotta love it. http://ha.ckers.org
