DOM CSS fight at the O.K. Corral
Tuesday, 27 April 2010
I’ve been having a bit of a fight with DOM CSS. Single CSS rules in various browsers are carried over into two or more rules in some instances, depending on which characters you use. This was playing havoc with my HTMLReg sandbox: I whitelist allowed rules, so I can’t allow extra rules to be injected.
The IE gunfighter was strong and stubborn. No matter which method I used, it seemed he was always quicker on the draw than me and replaced my cssText faster than I could draw my encoder. I decided to create another sandbox to parse CSS styles, called CSSReg; this allowed me to control the in-line styles with my new whitelist.
Not fazed by this crazy town sheriff, Gareth “Wyatt Reg” decided to put an end to this chaos. He drove IE out of town with an HTML hack that allowed it to retain correctly sandboxed styles:-
<div sandbox-style="background-image: url('http\3a //red/x\3f y\3d 1');">xxx</div>
Then I replaced the sandbox-style attribute by parsing the HTML and renaming sandbox-style to style. This stops IE from rewriting the CSS and decoding everything, while still allowing it to handle invalid nested tags.
Next I had to drive the deadly Mozilla gang out of town: I rewrote the CSS url parser to use a strict whitelist and backslash hex escape any invalid characters. “The Kid” and “Smokey” have left town for now. HTMLReg town is for now peaceful and quiet. I have seen the sla.ckers gang lurking, but they seem too scared to enter HTMLReg at the moment.
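As an added example (not HTMLReg’s or CSSReg’s own code), here are the two steps above written out in plain JavaScript: the strict url() whitelist with backslash hex escaping of every other character, and the sandbox-style to style rename over already-serialized HTML so the browser’s CSS parser never sees the rule before the whitelist has been applied. The set of safe characters, the allowed-property set and all function names are assumptions of this example; the whitelist is chosen so that the escaped URL matches the post’s own example exactly.

```javascript
// Added example, not HTMLReg/CSSReg code. Assumed whitelists and names.

// Characters allowed through a url() value unescaped (assumed whitelist).
// Everything else is emitted as a CSS hex escape: backslash, hex code point,
// terminating space. That form survives IE's cssText rewriting and cannot be
// read by the CSS parser as a quote, paren, semicolon or rule separator.
const URL_SAFE = /^[A-Za-z0-9/._-]$/;

// Escape one url() value, e.g. "http://red/x?y=1" -> "http\3a //red/x\3f y\3d 1"
function cssHexEscapeUrl(url) {
  let out = '';
  for (const ch of String(url)) {
    if (URL_SAFE.test(ch)) {
      out += ch;
    } else {
      out += '\\' + ch.codePointAt(0).toString(16) + ' ';
    }
  }
  return out;
}

// Assumed whitelist of properties that may carry a url() value.
const ALLOWED_URL_PROPERTIES = new Set(['background-image', 'list-style-image']);

// Compose a single whitelisted rule; anything not on the list is refused.
function buildSandboxStyle(property, url) {
  if (!ALLOWED_URL_PROPERTIES.has(property)) {
    throw new Error('property not whitelisted: ' + property);
  }
  return property + ": url('" + cssHexEscapeUrl(url) + "')";
}

// Minimal attribute encoding so the rule can sit in a double-quoted attribute.
function htmlAttrEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the markup from the post: the rule lives in sandbox-style, which the
// browser treats as an unknown attribute and therefore does not rewrite.
function sandboxedElement(tag, property, url, text) {
  return '<' + tag + ' sandbox-style="' + htmlAttrEncode(buildSandboxStyle(property, url)) +
    '">' + text + '</' + tag + '>';
}

// Rename sandbox-style= to style= on serialized HTML. Only attribute names
// inside tags are touched; the same text inside a quoted attribute value or
// a text node is left alone. Assumes the serializer already HTML-encoded
// quotes inside attribute values, as innerHTML does.
function renameSandboxStyle(html) {
  let out = '';
  let inTag = false;
  let quote = null;
  let i = 0;
  while (i < html.length) {
    const ch = html[i];
    if (!inTag) {
      if (ch === '<') inTag = true;
      out += ch; i += 1;
    } else if (quote) {
      if (ch === quote) quote = null;   // leaving a quoted attribute value
      out += ch; i += 1;
    } else if (ch === '"' || ch === "'") {
      quote = ch;                        // entering a quoted attribute value
      out += ch; i += 1;
    } else if (ch === '>') {
      inTag = false;
      out += ch; i += 1;
    } else if (/\s/.test(html[i - 1]) && html.startsWith('sandbox-style=', i)) {
      out += 'style=';                   // attribute name position: rename
      i += 'sandbox-style='.length;
    } else {
      out += ch; i += 1;
    }
  }
  return out;
}

// Whole round trip: compose, serialize, then hand the renamed string back to
// the HTML parser. The CSS parser only ever sees the already-escaped rule.
function sandboxRoundTrip(tag, property, url, text) {
  return renameSandboxStyle(sandboxedElement(tag, property, url, text));
}
```

Running sandboxRoundTrip('div', 'background-image', 'http://red/x?y=1', 'xxx') yields the div from the post with style in place of sandbox-style; a property outside the whitelist throws rather than being passed through, and a literal "sandbox-style=" inside a text node or an attribute value is not renamed.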
Gareth “Wyatt Reg” would also like to thank the following outlaws:-
Mario “Doc Holliday” Heiderich
Kyo “Wild Bill”
the “Texas” harmonyguy