是否可以在 CSS 样式表中使用跨站点脚本?例如,引用样式表包含恶意代码,您会怎么做? 我知道您可以使用样式标签,但是样式表呢?
最佳答案
The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.
...读完之后,我在 StackOverflow 上找到了这个。参见 Using Javascript in CSS 在 Firefox 中,您可以使用 XBL通过 CSS 在页面中注入(inject) javascript。但是,XBL 文件必须位于同一个域中,因为 bug 324253 is fixed .
还有另一种有趣的(尽管与您的问题不同)滥用 CSS 的方式。参见 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html .本质上,您滥用了 CSS 解析器来窃取来自不同域的内容。
关于css - CSS 样式表中的跨站点脚本,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/3607894/