[Ur] Supporting 'style' attribute securely
Adam Chlipala
adamc at impredicative.com
Sun Apr 15 12:59:17 EDT 2012
A number of folks have asked to be able to use the HTML 'style'
attribute in Ur/Web. It's easy enough to add the attribute with type
[string], but this seems likely to allow for some sort of code injection
attack. At a minimum, URLs can appear in styles and be interpreted as
URLs, which seems to function as a "universal interpreter" for whatever
programming languages browsers want to support via URLs! (At a
minimum, there are "javascript:" URLs.)
So, any suggestions on "the right way" to support 'style' in Ur/Web?
I'm unlikely to accept an idea that leaves open code injection
vulnerabilities; one important global guarantee of Ur/Web is that code
injection attacks are impossible. But I don't have such a clear idea of
(a) what the attack possibilities are in CSS style code and (b) what the
appropriate countermeasures are, including how they should be
represented with typed combinators in Ur/Web.
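As an added illustration of one countermeasure for the concerns raised above (this is example code, not part of the message or of Ur/Web itself): a fail-closed sanitizer for 'style' attribute values that allowlists property names, allows url() only with http/https schemes, and drops declarations using the legacy code-execution vectors (expression(), behavior, -moz-binding) or CSS escapes/comments. The property allowlist is an assumed set that a typed combinator library would define.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: properties a typed 'style' combinator would expose.
ALLOWED_PROPERTIES = {"color", "background-color", "background-image",
                      "font-size", "font-weight", "margin", "padding", "width"}
# Functions that some browsers (historically IE, old Gecko) treated as script.
FORBIDDEN_FUNCTIONS = re.compile(r"(expression|behavior|-moz-binding)\s*\(", re.I)
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
SAFE_SCHEMES = {"http", "https"}


def url_is_safe(raw: str) -> bool:
    """Accept only absolute http(s) URLs; strip control chars browsers ignore."""
    cleaned = re.sub(r"[\x00-\x20]", "", raw)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


def sanitize_style(style: str) -> str:
    """Keep only declarations that pass every check; anything doubtful is dropped."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, _, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPERTIES or FORBIDDEN_FUNCTIONS.search(value):
            continue
        # Escapes, comments and angle brackets are how filters get bypassed; reject.
        if any(tok in value for tok in ("\\", "/*", "<", ">")):
            continue
        urls = URL_RE.findall(value)
        if "url" in value.lower() and not urls:   # malformed url(): fail closed
            continue
        if not all(url_is_safe(u) for _, u in urls):
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)
```

Constructed inputs such as `background-image: url('javascript:alert(1)')` or `width: expression(alert(1))` are dropped, while `background-image: url(https://example.com/bg.png)` survives.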