[Ur] Supporting 'style' attribute securely
Adam Chlipala
adamc at impredicative.com
Thu Apr 26 09:31:16 EDT 2012
OK, here's a summary of my current plan for how to implement this
support. Feedback remains welcome.
There are two main problems to be addressed:
1) Prevent code injection, where strings (especially those coming
directly from users) are implicitly interpreted as code.
2) Prevent anti-modular code patterns, such as, in a library, absolute
positioning to move some content to a part of the page where the author
of the client code doesn't expect it to appear.
Problem 2 is harder to address without imposing onerous programming
restrictions, so my plan is to start by addressing only problem 1.
Specifically, a simple type of abstract syntax for CSS style code will
be introduced. A style is a list of key-value pairs. A key is a string
naming a style, allowing only characters from a small whitelist. A
value is a list of subvalues, each of which is noted with one of the
primitive value syntax forms from the CSS 2.1 spec. The URL syntax
deserves special mention, since it will be interpreted to ensure that all
URLs meet the application-wide URL policy.
In places where the CSS spec allows escaping of certain fancier
characters, I will instead rule those characters out, at least at first.
As with the several other languages already embedded in Ur/Web, the
compiler will do desugaring of the usual CSS syntax into calls to
combinators from the standard library; but programmers will remain free
to work with the combinators directly.
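
The plan above can be modeled as follows. This is an added Python sketch, not code from the post or from Ur/Web. The character whitelists, the prefix-based URL policy, and the names `Atom`, `Url`, `StyleError` and `render_style` are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed whitelists: the post does not give the exact character sets.
KEY_RE = re.compile(r"[a-z-]+")
ATOM_RE = re.compile(r"[A-Za-z0-9#%.-]+")
URL_RE = re.compile(r"[A-Za-z0-9:/._~-]+")  # no chars that need CSS escaping
# Hypothetical application-wide URL policy: allowed prefixes.
URL_POLICY = ("https://static.example.com/",)


class StyleError(ValueError):
    """Raised when a key or subvalue falls outside the whitelist or policy."""


def _check(pattern, text, what):
    # Reject anything that is not a string made only of whitelisted characters.
    if not isinstance(text, str) or not pattern.fullmatch(text):
        raise StyleError(f"{what} rejected: {text!r}")
    return text


@dataclass(frozen=True)
class Atom:  # keyword, number, length, percentage or hex colour
    text: str

    def render(self):
        return _check(ATOM_RE, self.text, "atom")


@dataclass(frozen=True)
class Url:  # url(...) subvalue, checked against the URL policy
    href: str

    def render(self):
        _check(URL_RE, self.href, "url")
        if not self.href.startswith(URL_POLICY):
            raise StyleError(f"url outside policy: {self.href!r}")
        return f"url({self.href})"


def render_style(pairs):
    """pairs: list of (key, [subvalue, ...]); returns a style attribute value."""
    out = []
    for key, subvalues in pairs:
        _check(KEY_RE, key, "key")
        if not subvalues or not all(isinstance(v, (Atom, Url)) for v in subvalues):
            raise StyleError(f"bad value list for {key!r}")
        out.append(f"{key}:{' '.join(v.render() for v in subvalues)}")
    return ";".join(out)
```

Because a bare string is never accepted as a subvalue, user input can reach the rendered attribute only through `Atom` or `Url`, where it is rejected rather than escaped.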