In our app we allow the display of HTML from an external source, so before we display it, we sanitize it. The source is somewhat trusted but we want to add another layer.

We remove the style tag but wish to preserve style attributes. I know scripts can be placed in that attribute and was wondering to what extent these can be used for XSS. In other words, what are the specific risks with allowing style tags?

Tamar

1 Answer

Many of the same risks are shared with HTML emails. If you're showing your HTML email in a web-based reader, such as Gmail, you want to ensure it can't escape its container and try to mess with the mail interface itself. Because of this, many styles are ripped out before the email is served to the user. Campaign Monitor has a good guide as to what CSS is allowed and disabled in different mail clients. This may be a good starting point.

Diodeus - James MacFarlane
  • Thanks for your answer, the resource you linked seems very helpful! However I was wondering more about potential XSS risks, that I have read can exist with style attributes in some cases. I was wondering what those cases are... – Tamar May 03 '12 at 13:56
  • See: http://stackoverflow.com/questions/3607894/cross-site-scripting-in-css-stylesheets – Diodeus - James MacFarlane May 03 '12 at 14:21
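
Added example, not part of the original question, answer or comments: one way to keep `style` attributes while applying the mail-client approach of stripping most CSS is an allowlist filter over the attribute value. The function name `sanitizeStyle`, the property list and the value rules are assumptions made for this sketch, and the input is assumed to be the attribute value after the HTML sanitizer has already decoded entities.

```javascript
// Added example: allowlist filter for the value of an inline style attribute.
// ALLOWED_PROPS and the value rules are assumptions; tune them to your content.
const ALLOWED_PROPS = new Set([
  'color', 'background-color', 'font-size', 'font-weight', 'font-style',
  'text-align', 'text-decoration', 'margin', 'padding', 'border',
  'width', 'height',
]);

// A value may contain only simple tokens: keywords, numbers with units,
// #hex colours, percentages, commas and spaces. Anything with parentheses
// (all functional notation, e.g. url(...)), backslash escapes, quotes,
// comment markers, '@', '<' or '>' fails this pattern and is dropped.
const SAFE_VALUE = /^[a-z0-9#%.,\s+-]+$/i;

// Tokens starting with '-' are negative lengths or vendor-prefixed keywords;
// both are rejected so content cannot be shifted outside its container.
const LEADING_DASH = /(^|[\s,])-/;

function sanitizeStyle(styleText) {
  const kept = [];
  // Control characters are replaced so they cannot hide inside a name.
  const cleaned = String(styleText).replace(/[\u0000-\u001f\u007f]/g, ' ');
  for (const decl of cleaned.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;                       // not "property: value"
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) continue;         // e.g. position, z-index
    if (!value || value.length > 100) continue;
    if (!SAFE_VALUE.test(value) || LEADING_DASH.test(value)) continue;
    // Output is rebuilt only from validated pieces, never copied through.
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed sample input: the layout-escaping declarations are dropped.
console.log(sanitizeStyle('color: red; position: fixed; top: 0'));
```

Because the result is reassembled from validated declarations rather than edited in place, anything the filter does not recognise is dropped by default; write the returned string back as the `style` attribute, or remove the attribute when it is empty.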