Check for non-local web links in css

2020-12-12 21:21:06 +00:00 · 2020-12-12 21:21:06 +00:00 · 76eb19b311
parent 49091dea9f
commit 76eb19b311
1 changed files with 14 additions and 0 deletions
--- a/content.py
+++ b/content.py
@ -202,6 +202,20 @@ def dangerousCSS(filename: str, allowLocalNetworkAccess: bool) -> bool:
            if match in content:
                return True

+        # search for non-local web links
+        if 'url(' in content:
+            urlList = content.split('url(')
+            ctr = 0
+            for urlStr in urlList:
+                if ctr > 0:
+                    if ')' in urlStr:
+                        urlStr = urlStr.split(')')[0]
+                        if 'http' in urlStr:
+                            print('ERROR: non-local web link in CSS ' +
+                                  filename)
+                            return True
+                ctr += 1
+
        # an attacker can include html inside of the css
        # file as a comment and this may then be run from the html
        if dangerousMarkup(content, allowLocalNetworkAccess):