
Pretty cool, but yeah, you have to be careful of CSS injection (as mentioned by the author). There isn't too much harm that can be done if the user is typing this in himself or herself, but if the search query is pulled from the URL there might be some security implications.

For example, enter this into the search field:

    "]), body, a:not([data-index="
This will hide the entire page. The last "a:not" selector is really inconsequential; I just had to close the opening parenthesis and this just happens to work.


I'm curious if this is truly a 'security' concern, or more like a hackability issue. Though I could enter that string into the page myself, I can't actually start running scripts on the page or anything, can I? Really, this doesn't seem any more 'dangerous' than opening the web inspector and changing the CSS to hide things. Do you agree?

(It may sound like I'm trying to be an ass, but I am actually curious).


It's possible to execute remote JavaScript through CSS in Internet Explorer and possibly Firefox according to this: http://stackoverflow.com/questions/476276/using-javascript-i...

You can also clickjack, i.e. make a button that does something important invisible and stretch it across the entire page. Next time the user clicks, they'll inadvertently be clicking the button.

Edit: I did some research and testing and it looks like XBL and element behaviors are no longer possible in Firefox and IE 10, thankfully:

http://stackoverflow.com/questions/9679527/do-moz-behaviors-...
http://msdn.microsoft.com/en-us/library/ie/hh801219%28v=vs.8...
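As an added example, not code from the page under discussion or from any commenter in this thread: the payload posted above (`"]), body, a:not([data-index="`) and the clickjacking variant described in this comment, traced through a stand-alone Node script. The application's rule template `a:not([data-index="…"]) { display: none }` is an assumption inferred from the payload (the thread shows the payload, not the app's code), and `#delete-account` is a made-up element id. The script builds the stylesheet text with a raw interpolation and with a CSS string escape, then counts the rules and selectors that actually result, so the breakout is visible without a browser.

```javascript
// Added example; not the page's own code. Rule template and ids are assumptions.
// Runs in Node with no DOM: the generated CSS is analysed as text.

// Vulnerable builder: the raw query lands inside a quoted attribute selector.
function buildFilterCss(query) {
  return `a:not([data-index="${query}"]) { display: none }`;
}

// Hex-escape every character outside [A-Za-z0-9 _-] as \HH followed by a
// space (the space ends the escape so later hex digits are not swallowed).
// Inside a CSS string this neutralises quotes, backslashes, newlines and
// also < > / so the text cannot close a surrounding <style> element either.
function cssEscapeString(value) {
  let out = "";
  for (const ch of String(value)) {
    out += /[A-Za-z0-9 _-]/.test(ch)
      ? ch
      : "\\" + ch.codePointAt(0).toString(16) + " ";
  }
  return out;
}

// Hardened builder: same template, escaped interpolation.
function buildFilterCssSafe(query) {
  return `a:not([data-index="${cssEscapeString(query)}"]) { display: none }`;
}

// Split a selector list on top-level commas, honouring quoted strings,
// backslash escapes and bracket/paren nesting. Not a full CSS parser.
function splitSelectors(text) {
  const parts = [];
  let cur = "", quote = null, depth = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      cur += ch;
      if (ch === "\\" && i + 1 < text.length) cur += text[++i];
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; cur += ch; continue; }
    if (ch === "(" || ch === "[") depth++;
    else if (ch === ")" || ch === "]") depth--;
    if (ch === "," && depth === 0) { parts.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// Split a stylesheet string into { selectors, body } rules, again honouring
// quoted strings so that escaped braces inside a string do not count.
function parseRules(css) {
  const rules = [];
  let cur = "", selectors = null, quote = null;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (quote) {
      cur += ch;
      if (ch === "\\" && i + 1 < css.length) cur += css[++i];
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; cur += ch; continue; }
    if (ch === "{") { selectors = splitSelectors(cur); cur = ""; continue; }
    if (ch === "}") { rules.push({ selectors, body: cur.trim() }); cur = ""; selectors = null; continue; }
    cur += ch;
  }
  return rules;
}

// Constructed payloads. HIDE_PAGE is the one posted in the thread; CLICKJACK
// is the variant described in the comment above: make a sensitive button
// invisible and stretch it over the whole page. #delete-account is assumed.
const HIDE_PAGE = '"]), body, a:not([data-index="';
const CLICKJACK =
  '"]) {} #delete-account { opacity: 0; position: fixed; inset: 0; z-index: 9999 } a:not([data-index="';

for (const q of [HIDE_PAGE, CLICKJACK]) {
  console.log("vulnerable:", JSON.stringify(parseRules(buildFilterCss(q))));
  console.log("hardened:  ", JSON.stringify(parseRules(buildFilterCssSafe(q))));
}
```

With the raw interpolation, HIDE_PAGE yields one rule whose selector list has three entries, `body` among them, and CLICKJACK yields three rules, the middle one targeting `#delete-account`. After escaping, both payloads stay inside the quoted string and produce exactly one rule with one selector. The escape only helps where the query is interpolated inside a quoted CSS string; if the value is dropped into a bare identifier or a `url()` token, the context is different and this escape is not sufficient on its own.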


I can't get that to work in Firefox 25.


If you can get a user to click a link which exposes CSS injection, it can be a security issue. For instance, you could change the text of links and buttons, and otherwise trick the user into doing something that s/he wouldn't otherwise.


My initial reaction is that you would need an additional moving part to turn this into a vulnerability. Say you had the ability to permalink to a filtered view -- the query string param could carry an XSS payload... breaking out of the CSS context early, or maybe (and this is off-the-cuff speculation) staying in the CSS context but adding a rule which refers to an attacker-controlled file.



