XSS attacks and style attributes

Artyom · Dec 28, 2010 · Viewed 33.9k times

There are known Style Attribute XSS attacks like:

<DIV STYLE="width: expression(alert('XSS'));">

Or

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

All the examples I've seen use either expression or url functionality, basically some function-like construct that requires "(" and ")".

I'm thinking of the following method of filtering style tags; I would check them using the following (approximate) grammar:

identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value : identifier | number | string | number + "(em|px)" | number +"%"
entry: identifier ":" value (\s value )*
style: (entry ;)*

So basically I allow ASCII properties with numeric values or very limited string values (basically for font names), not allowing anything that looks like a call.

The question is: is this good enough? Are there any attacks that may do something like this:

<DIV STYLE="this-is-js-property: alert 'XSS';">

And succeed?

Can anybody think of an XSS vulnerability in such a test?

To make it clear:

I need style attributes, as many tools like TinyMCE use them, and filtering harmless style attributes out would significantly hurt the functionality.

So I prefer to pass common cases, removing all things that may use @import, url, expression etc., and also make sure that basic CSS syntax is OK.

Answer

Artyom · Dec 28, 2010

This does not work, due to a click-jacking vulnerability.

Example:

<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> 

Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

The code would be perfectly validated, but it may cause serious damage.

So, rule of thumb: use a very strict whitelist, or do not allow style attributes.
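The following is an added example, not code from the question or the answer. It implements the question's grammar literally (identifier / number / string / number with em, px or %, entries terminated by ";") and then applies the kind of property whitelist the answer recommends. It shows that the two classic payloads fail the grammar, that an overlay like the answer's passes it anyway, and that a property whitelist is what actually stops the overlay. The set of allowed properties is an assumption standing in for whatever an editor such as TinyMCE needs; the sample inputs are constructed here. One detail worth knowing: the answer's payload contains `opacity: 0.5`, which the grammar as written rejects because `number` is `[0-9]+`; that does not help, since the overlay works just as well without that declaration, so the sample below uses integer values only.

```javascript
// Added example (not from the original post): a validator for the question's grammar,
// plus a property whitelist of the kind the answer recommends.

// identifier: [a-zA-Z_][a-zA-Z0-9\-]*
const IDENT_RE = /^[a-zA-Z_][a-zA-Z0-9-]*$/;
// value : identifier | number | string | number + "(em|px)" | number + "%"
//   number: [0-9]+     string: '[a-zA-Z_0-9 ]*'
const VALUE_RE = /^(?:[0-9]+(?:em|px|%)?|'[a-zA-Z_0-9 ]*'|[a-zA-Z_][a-zA-Z0-9-]*)$/;

// Parse a style attribute against the grammar. Returns an array of
// { property, values } declarations, or null when anything fails the grammar.
// The string rule admits neither ';' nor ':', so splitting on those characters
// cannot be fooled by quoting.
function parseStyle(style) {
  const pieces = style.split(";");
  // style: (entry ;)* -- every entry is terminated by ';', so only whitespace
  // may follow the last one (the grammar as written requires the trailing ';').
  if (pieces.pop().trim() !== "") return null;
  const declarations = [];
  for (const piece of pieces) {
    const colon = piece.indexOf(":");
    if (colon < 0) return null;
    const property = piece.slice(0, colon).trim();
    if (!IDENT_RE.test(property)) return null;
    const rest = piece.slice(colon + 1).trim();
    // entry: identifier ":" value (\s value)* -- at least one value is required.
    // A quoted string may contain spaces, so tokenize instead of splitting on whitespace.
    const values = rest.match(/'[^']*'|\S+/g) || [];
    if (values.length === 0) return null;
    if (!values.every((v) => VALUE_RE.test(v))) return null;
    declarations.push({ property, values });
  }
  return declarations;
}

function matchesGrammar(style) {
  return parseStyle(style) !== null;
}

// Assumed whitelist (not from the original page): inline formatting properties a
// WYSIWYG editor emits. Nothing here can position, size or stack an element, so an
// overlay cannot be expressed even though it satisfies the grammar.
const ALLOWED_PROPERTIES = new Set([
  "color", "background-color", "font-family", "font-size", "font-weight",
  "font-style", "text-align", "text-decoration",
]);

// Grammar check plus whitelist: drops disallowed declarations and re-serializes the
// rest; returns null when the attribute does not parse at all.
function sanitizeStyle(style) {
  const declarations = parseStyle(style);
  if (declarations === null) return null;
  return declarations
    .filter((d) => ALLOWED_PROPERTIES.has(d.property.toLowerCase()))
    .map((d) => `${d.property.toLowerCase()}: ${d.values.join(" ")};`)
    .join(" ");
}

// Constructed samples: the question's two payloads, the answer's overlay with integer
// values only, and a harmless editor-style attribute.
const EXPRESSION_XSS = "width: expression(alert('XSS'));";
const URL_XSS = "background-image: url(javascript:alert('XSS'));";
const OVERLAY =
  "display: block; z-index: 100000; position: fixed; top: 0px; left: 0; " +
  "width: 1000000px; height: 100000px; background-color: red;";
const EDITOR_STYLE = "font-family: 'Times New Roman'; font-size: 12px; color: red;";

function checkSamples() {
  return {
    expressionPassesGrammar: matchesGrammar(EXPRESSION_XSS), // false: "(" is not a value
    urlPassesGrammar: matchesGrammar(URL_XSS),               // false: same reason
    overlayPassesGrammar: matchesGrammar(OVERLAY),           // true: the grammar alone is not enough
    overlaySanitized: sanitizeStyle(OVERLAY),                // only "background-color: red;" survives
    editorSanitized: sanitizeStyle(EDITOR_STYLE),            // unchanged
  };
}

console.log(JSON.stringify(checkSamples(), null, 2));
```

The grammar check and the whitelist are deliberately separate steps: the grammar guarantees the attribute is syntactically inert (no calls, no url(), no @import), while the whitelist decides which properties may reach the page at all. Either one alone leaves a hole; together they let the editor's formatting through and drop the positioning and stacking properties an overlay needs.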