1

Topic: CSS expressions and remote URL loading

When CSS expressions are set to 1, the following will load remote URLs:

<div style="position: absolute; top: 0px; left: 0; width: 200px; height: 200px; background-image: /*url('')*/url('http://google.com/images/srpr/nav_logo13.png');">&nbsp;</div>

2

Re: CSS expressions and remote URL loading

With 'css_expression' set to 1, htmLawed won't check for CSS expressions, allowing browsers to execute them. The behavior you are seeing seems expected (documentation).

3 (edited by BugSlayer 2010-07-01 23:22:44)

Re: CSS expressions and remote URL loading

Hmm, I thought that setting only controlled whether the IE CSS "expression()" function was allowed. Admittedly that is a security problem in its own right, but the interesting thing (I thought) was that this bug:
1. Has nothing to do with IE expression()s (no expressions are used in my example)
2. Extends the scope of the problem to Firefox and presumably other browsers.

Given that (especially #1) I thought this probably deserved an extra look.

4

Re: CSS expressions and remote URL loading

Sorry, my reply wasn't exactly accurate. You are correct that 'css_expression' is meant for IE's 'expression()'. I will look more into this.

Added on 07/03/10: When 'css_expression' is not set to 1, as is the case in htmLawed's default setting, any '\*' is removed from 'style' values. This changes the CSS markup in the 'style' value in the example input (in the first posting) and 'inactivates' the second URL (at least in Firefox 3.6/Mac OS X), giving the impression that 'css_expression' of '1' introduced a vulnerability.

The display of the background-image itself is not a vulnerability in an absolute sense. By not permitting the 'style' attribute, by setting 'safe' to 1, by using 'hook_tag' or $spec, etc., such a 'risk' can be removed by the code-developer who is implementing htmLawed.
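
Added example (not part of the thread and not htmLawed code): a stand-alone Python check an integrator could run on a 'style' value to see which url() targets a browser is left with once CSS comments are dropped, and to reject the value when a target points off-site. The function names and the allow-list are hypothetical; the input is assumed to be the already entity-decoded attribute value, and only url() is covered.

```python
import re
from urllib.parse import urlparse

# Style value from the first post of this thread.
PAGE_STYLE = ("position: absolute; top: 0px; left: 0; width: 200px; "
              "height: 200px; background-image: /*url('')*/"
              "url('http://google.com/images/srpr/nav_logo13.png');")

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)

def effective_urls(style):
    """url() targets left once comments are dropped, as a browser parses it."""
    visible = CSS_COMMENT.sub(" ", style)
    return [m.group(2).strip() for m in CSS_URL.finditer(visible)]

def offsite_urls(style, allowed_hosts=frozenset()):
    """Targets carrying a scheme or host that is not on the allow-list."""
    flagged = []
    for target in effective_urls(style):
        try:
            parsed = urlparse(target)
            offsite = (bool(parsed.scheme or parsed.netloc)
                       and parsed.hostname not in allowed_hosts)
        except ValueError:  # unparsable target: treat as off-site
            offsite = True
        if offsite:
            flagged.append(target)
    return flagged

def filter_style(style, allowed_hosts=frozenset()):
    """Return the value unchanged if acceptable, else '' (drop the attribute)."""
    # CSS escapes can spell url( in other ways; fail closed on any backslash.
    if "\\" in style or offsite_urls(style, allowed_hosts):
        return ""
    return style
```

With the thread's input, the commented-out empty url('') disappears and only the remote image URL remains, so the value is dropped unless its host is allow-listed.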