Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do we need CSS to be mentioned in both 5.3.1 and 5.2.8. #1994

Closed
tghosth opened this issue Jul 24, 2024 · 2 comments
Closed

Do we need CSS to be mentioned in both 5.3.1 and 5.2.8. #1994

tghosth opened this issue Jul 24, 2024 · 2 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet Community wanted We would like feedback from the community to guide our decision otherwise we will progress V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@tghosth
Copy link
Collaborator

tghosth commented Jul 24, 2024

We currently mention CSS twice in chapter 5:

5.3.1 (will get further modified soon):

# Description L1 L2 L3 CWE
5.3.1 [MODIFIED] Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, CSS, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). 116

5.2.8:

# Description L1 L2 L3 CWE
5.2.8 Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar. 94

Does it need to be mentioned in both places?
@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements Community wanted We would like feedback from the community to guide our decision otherwise we will progress labels Jul 24, 2024
@tghosth tghosth mentioned this issue Jul 24, 2024
Closed
@jmanico
Copy link
Member

jmanico commented Jul 24, 2024

  • Sometimes you need to encode data added to CSS (like a background color authored by a user)
  • Sometimes you need to validate data added to CSS (like a image URL authored by a user)
  • Sometimes you need to sanitize untrusted CSS (like when you let users author chunks of CSS)

The whole story here about avoiding CSS injection is unfortunately complicated.

@tghosth
Copy link
Collaborator Author

tghosth commented Jul 24, 2024

Ok so let's leave it in both.

@tghosth tghosth closed this as completed Jul 24, 2024
tghosth added a commit that referenced this issue Jul 24, 2024
@tghosth
Keeping CSS in as discussed in #1994
ac20e77
tghosth added a commit that referenced this issue Jul 24, 2024
@elarlang @tghosth
update 5.3.1 (as per #1589) including keeping CSS (#1944) adding HTML…
cc919fc 
… comments (#1997) and adding a catch all (PR #1943)

* update 5.3.1, #1589

* Minor fix to pluralise relevant items

* Keeping CSS in as discussed in #1994

* Add HTML comments to resolve #1997

* Final change to resolve #1589

* Add an encoding catch all.

---------

Co-authored-by: Josh Grossman <tghosth@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet Community wanted We would like feedback from the community to guide our decision otherwise we will progress V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmanico @tghosth