
According to OWASP recommendations, CSS values from an untrusted source should be escaped.

In an attempt to follow these recommendations I am escaping my CSS values using Microsoft's AntiXss library, specifically System.Web.Security.AntiXss.AntiXssEncoder.CssEncode(value).

This produces a stylesheet that looks like this:

a,
a:visited {
    color:\00002329c;
}
a:hover,
a:active {
    color:\000023036;
}
body {
    background:\000023eee;
    color:\000023333;
    font-family:Arial;
    font-size:15px;
}

This works fine for IE and Chrome, but Firefox will not recognize the escaped values.

Is this a bug with Firefox or am I misinterpreting how to implement the OWASP recommendation? Also, if this is a Firefox shortcoming then what is the best workaround?

Uber Schnoz

2 Answers


I did a quick POC, and at the outset it does look like a bug in Firefox. For simplicity, here's the code I used; I tried to open this webpage in IE, Chrome, Safari, and Firefox. With IE, Chrome, and Safari, the background gets changed to #FFCCCC; however, in Firefox there is an error in the console.

"Stylesheet could not be loaded." Expected color but found '\#FFCCCC'.  Error in parsing value for 'background'.  Declaration dropped.

Sample Code:

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
    <style>
    body {
        background:\000023FFCCCC;
        font-family:Arial;
        font-size:15px;
    }
    </style>
</head>
<body>
    <p>Test</p>
</body>
</html>

Out of curiosity, I have gone ahead and raised a bug with Mozilla here - https://bugzilla.mozilla.org/show_bug.cgi?id=1172570

I also suspected that it could be an issue with respect to the @charset, but couldn't get it working either. Until the guys at Mozilla get back, if you find a workaround please post back.

gmaran23

    Unfortunately, we have not been able to find a workaround and the only option has been to abandon the OWASP recommendation. From reading your Mozilla bug report, it looks like Mozilla does not consider this an issue with their browser. – Uber Schnoz Aug 06 '15 at 15:48
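The console error quoted in the answer above ("Expected color but found '\#FFCCCC'") is the key to the question: once the `#` is written as the CSS escape `\000023`, the browser decodes it into an identifier token whose text happens to be `#FFCCCC`, not into the hash token that a colour value requires. The defensive alternative to escaping a colour is to validate it against a strict colour grammar and emit it verbatim, falling back to a fixed default when it does not match. The following Python is an added illustration, not code from the question, the answers, or Microsoft's AntiXss library: `css_encode` is a hypothetical reimplementation of the six-hex-digit escaping format visible in the question's stylesheet (it escapes every character outside `[A-Za-z0-9]`, an assumption drawn only from the samples on the page), and `validate_color` / `color_rule` are the assumed allowlist-based replacement for escaping colour values.

```python
import re

# Hypothetical reimplementation of the escaping shown in the question's
# stylesheet (AntiXssEncoder.CssEncode output): every character outside
# [A-Za-z0-9] becomes a six-hex-digit CSS escape, so '#' -> '\000023'.
# This mimics the observed output only; it is not Microsoft's code.
def css_encode(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%06x" % ord(ch))
    return "".join(out)


# Strict grammar for the colour forms we are willing to emit: #rgb, #rrggbb,
# or a small constructed allowlist of named colours (assumption for the demo).
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
NAMED_COLORS = {"red", "blue", "white", "black", "transparent"}


def validate_color(value: str):
    """Return the value unchanged if it is a syntactically valid colour,
    otherwise None.

    The untrusted value is never escaped: escaping '#' turns the hash token
    a colour needs into an identifier token, which is exactly what the
    Firefox error "Expected color but found '\\#FFCCCC'" reports. Rejecting
    anything outside the grammar also blocks injection of further
    declarations or selectors, because ';', '}', '(' and spaces never match.
    """
    v = value.strip()
    if HEX_COLOR.match(v) or v.lower() in NAMED_COLORS:
        return v
    return None


def color_rule(selector: str, prop: str, untrusted: str, fallback: str = "#000") -> str:
    """Build one CSS rule. selector and prop are trusted constants chosen by
    the application; only the colour comes from an untrusted source."""
    color = validate_color(untrusted)
    if color is None:
        color = fallback
    return f"{selector} {{ {prop}:{color}; }}"


def demo():
    """Compare the escaped form with the validated form for a few values.
    The last sample is a constructed injection attempt, which validation
    rejects while escaping would merely mangle it into an unusable value."""
    samples = [
        "#29c",
        "#FFCCCC",
        "Red",
        "red; background:url(//example.invalid/)",  # constructed, not from the page
    ]
    return [(s, css_encode(s), validate_color(s)) for s in samples]


if __name__ == "__main__":
    for original, escaped, validated in demo():
        print(f"{original!r:45} escaped={escaped!r:30} validated={validated!r}")
    print(color_rule("body", "background", "#eee"))
    print(color_rule("body", "background", "not a colour"))
```

Validation rather than escaping is only appropriate because a colour has a tiny, well-defined grammar; for free-form values such as font names that still need to be escaped, the OWASP advice of escaping into an identifier context applies unchanged. The approach above also fails closed: an unrecognised value produces the fallback colour instead of dropping the declaration, which is the behaviour the questioner lost by abandoning the recommendation.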

This comment is not a "fix", but it sheds some light on the issue.

Unless I am mistaken, this issue only seems to affect sites loaded through standard http but not those loaded securely through https. In other words, Firefox will recognize the escaped values... but only when the site is loaded through https and not http.

http://domain may not load properly but https://domain will.