This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
Kevin Reid edited this page Apr 16, 2015 · 1 revision
(legacy summary: @import(<url>) can allow execution of script in unsanitized CSS)
(legacy labels: Attack-Vector)
Reported by Michal Zalewski
@import can import unsanitized CSS
Effect
Allows import of arbitrary CSS, which can execute arbitrary JavaScript.
Background
In a CSS file or <style> tag, an @import declaration can be used to import styles from an external source specified by a URL, which is resolved relative to the URL of the CSS or HTML file containing the @import.
The data: protocol can be used to specify inline content in some browsers.
Assumptions
@import is allowed in style tags or third-party CSS files and is not restricted to known safe CSS.
Versions
All
Example
Expression is IE-specific, but the same could be applied to -moz-binding in Firefox. IE 7 does not support data: URLs.
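A check for the condition listed under Assumptions, as an added example that is not part of the original page or the project's own code: it finds every @import in a stylesheet, resolves the target against the stylesheet's URL as described under Background, and allows only targets on a known-safe origin list. The allowlist, base URL, sample stylesheet and function names are all constructed for illustration.

```javascript
// Added example. ALLOWED_ORIGINS, BASE and SAMPLE are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://static.example.com']);
const BASE = 'https://static.example.com/app/site.css'; // URL of the stylesheet being audited
const SAMPLE = [
  '@import "theme.css";',
  '@import url(//cdn.other.example/skin.css);',
  "@import url('data:text/css,body{color:red}');",
  '@\\69mport/* c */"https://static.example.com.other.example/x.css";',
  '@import url(https:\\2f\\2fstatic.example.com/a.css);',
].join('\n');

// Decode CSS escapes that spell ASCII letters, so "@\69mport" is seen as "@import".
// Any other escape becomes U+FFFD, which makes the rule fail closed below.
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g, (m, hex, ch) => {
    const c = hex === undefined ? ch : String.fromCharCode(Math.min(parseInt(hex, 16), 0xffff));
    return /^[A-Za-z]$/.test(c) ? c : '\ufffd';
  });
}

// One finding per @import. A target that is missing, unparseable, carries a
// non-letter escape, or resolves off the allowlist is reported as not allowed.
function auditImports(css, baseUrl) {
  const gap = '(?:\\s|/\\*[\\s\\S]*?\\*/)*'; // whitespace and comments between tokens
  const target = 'url\\(\\s*(?:"([^"]*)"|\'([^\']*)\'|([^)\\s]*))\\s*\\)|"([^"]*)"|\'([^\']*)\'';
  const rule = new RegExp('@import' + gap + '(?:' + target + ')?', 'gi');
  const findings = [];
  for (const m of decodeCssEscapes(css).matchAll(rule)) {
    const raw = m.slice(1).find((g) => g !== undefined);
    let resolved = null;
    let allowed = false;
    if (raw !== undefined && !raw.includes('\ufffd')) {
      try {
        const u = new URL(raw, baseUrl); // relative targets resolve against the stylesheet URL
        resolved = u.href;
        allowed = ALLOWED_ORIGINS.has(u.origin); // data: URLs have origin "null"
      } catch (e) { /* not a URL: stays disallowed */ }
    }
    findings.push({ target: raw === undefined ? null : raw, resolved, allowed });
  }
  return findings;
}

console.log(auditImports(SAMPLE, BASE));
```

The check over-reports by design: an @import inside a comment or string is still listed, and a target written with non-letter escapes is refused rather than decoded.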