
This question (where the answer links to this post) discusses executing arbitrary JavaScript called from a CSS file using various hacks in IE and in Firefox, such as using expression(). (Someone in comments clarified that the correct names for these techniques are XBL in Firefox and HTC in IE)

How to do the same (execute arbitrary unsafe JS from CSS) in Chrome using client-side code only and using native methods without any additional libraries?

Community
  • the question you linked to is not firefox/ie specific - any answer in that question is browser agnostic as the work is done on the server side (in most answers that I could be bothered to read) – Jaromanda X Dec 29 '16 at 03:23
  • @JaromandaX I've clarified a bit. The answer there links to an article about methods like expression() used in CSS. –  Dec 29 '16 at 03:29
  • You mean [XBL](https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/Using_XBL_from_stylesheets) in firefox? and HTC in IE? – Jaromanda X Dec 29 '16 at 03:33
  • _"How to do the same (execute arbitrary unsafe JS from CSS) in Chrome using client-side code only and using native methods without any additional libraries?"_ What is purpose of the process? – guest271314 Dec 29 '16 at 03:34
  • @guest271314 - clearly to execute arbitrary **unsafe** JS, perhaps to own all your bases? – Jaromanda X Dec 29 '16 at 03:35
  • @JaromandaX exactly –  Dec 29 '16 at 03:36
  • HTC doesn't work for IE after IE10, XBL can only be loaded using `file:///` scheme or from an add-on ... so, chrome isn't missing anything spectacularly useful – Jaromanda X Dec 29 '16 at 03:37
  • @K48 Why would you want to achieve such a requirement? – guest271314 Dec 29 '16 at 03:38
  • also, sXBL (a subset of XBL for SVG) and XBL 2.0 (a cross browser standards proposal) are dead, so nobody sees any use in such dubious functionality – Jaromanda X Dec 29 '16 at 03:40
  • @JaromandaX thanks! Didn't know that it's dead after IE10 and other limitations. That should be the answer. –  Dec 29 '16 at 05:46

1 Answer

JavaScript in CSS isn't possible in modern browsers - except for any currently supported URL parameters (e.g. background-image) where javascript: URLs will cause any script to be executed.

See this answer, but I've summarised here.

moz-binding was possible in Firefox 2 & 3, and an identified flaw was later mitigated, however support was dropped in future versions.

HTML Components haven't been supported since Internet Explorer 10, so there is little point in developing a website that relies on this technology.

CSS Expressions are only supported in IE5/7 quirks/standards mode respectively.

Are you looking to create an exploit, or to achieve some functional requirement using CSS? If the former, concentrate on URL parameters or breaking out of the CSS context into JavaScript. Also UI redress may be possible to trick the user into believing site content you inject is authoritative. If the latter, then go down a different route rather than shoehorning CSS to achieve script execution.

Community
SilverlightFox
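
A defender-side check for the constructs the answer lists (CSS expressions, `-moz-binding`, the HTC `behavior` property, and `javascript:` URLs inside `url()`), as an added example that is not part of the original answer. Rule names and sample stylesheets are constructed, and this is a flagging heuristic over untrusted CSS text, not a full CSS parser.

```javascript
// Added example: scanner for the script-capable CSS constructs the answer lists.
// Rule names and SAMPLES are constructed for illustration.

// Decode CSS escapes (\65 , \000065, \x) so escaped keywords still match.
function decodeCssEscapes(css) {
  return css.replace(
    /\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])/g,
    (match, hex, ch) => {
      if (ch !== undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    });
}

// Strip comments, decode escapes, lowercase: the form the rules expect.
function normalizeCss(css) {
  return decodeCssEscapes(css.replace(/\/\*[\s\S]*?\*\//g, "")).toLowerCase();
}

const RULES = [
  { name: "css-expression", re: /(^|[^\w-])expression\s*\(/ },
  { name: "moz-binding", re: /-moz-binding\s*:/ },
  // [^\w-] keeps the modern scroll-behavior property from matching.
  { name: "htc-behavior", re: /(^|[^\w-])behavior\s*:/ },
  { name: "javascript-url", re: /url\(['"]?javascript:/, compact: true },
];

// Return the names of all rules that match the untrusted stylesheet text.
function findScriptableCss(css) {
  const text = normalizeCss(css);
  // URL parsers drop tabs and newlines, so URL rules run on whitespace-free text.
  const compact = text.replace(/[\s\u0000-\u001f]+/g, "");
  return RULES.filter(r => r.re.test(r.compact ? compact : text)).map(r => r.name);
}

const SAMPLES = [ // constructed inputs
  "div { width: expression(document.body.clientWidth) }",
  ".x { -moz-binding: url('widget.xml#b') }",
  ".x { behavior: url(widget.htc) }",
  "html { scroll-behavior: smooth }",
  ".x { background-image: url( 'JavaScript:void(0)' ) }",
  String.raw`.x { width: \65 xpression(1) }`,
  ".x { width: exp/**/ression(1) }",
];
for (const s of SAMPLES) console.log(JSON.stringify(findScriptableCss(s)), s);
```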