From 76eb19b311dea0f92dc1ab6fb46eb0aa9ffdb424 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 12 Dec 2020 21:21:06 +0000
Subject: [PATCH] Check for non-local web links in css
---
 content.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/content.py b/content.py
index 7b000563..68fea997 100644
--- a/content.py
+++ b/content.py
@@ -202,6 +202,20 @@ def dangerousCSS(filename: str, allowLocalNetworkAccess: bool) -> bool:
 if match in content:
 return True
+ # search for non-local web links
+ if 'url(' in content:
+ urlList = content.split('url(')
+ ctr = 0
+ for urlStr in urlList:
+ if ctr > 0:
+ if ')' in urlStr:
+ urlStr = urlStr.split(')')[0]
+ if 'http' in urlStr:
+ print('ERROR: non-local web link in CSS ' +
+ filename)
+ return True
+ ctr += 1
 # an attacker can include html inside of the css
 # file as a comment and this may then be run from the html
 if dangerousMarkup(content, allowLocalNetworkAccess):
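Review bot: The new `url(` scan in dangerousCSS is case-sensitive and uses a bare substring test, so an uppercase `URL(` or `HTTP://` reference is not detected while a local path such as `url(icons/http-icon.png)` is rejected; CSS functional notation is case-insensitive, so the search should run on `content.lower()` and test the scheme at the start of the quote-stripped argument rather than anywhere in it. Protocol-relative references (`//host/...`) are also non-local but contain no `http` and currently pass. The `ctr` counter exists only to skip the fragment before the first `url(`, which `split('url(')[1:]` does directly. This remains a heuristic over raw text — CSS escape sequences are not normalised and an `@import` without `url()` is not covered here unless an earlier check in dangerousCSS handles it — so it should be documented as such and not be the only control on uploaded CSS. The body of dangerousCSS starts and ends outside the hunk.
```python
    # search for non-local web links
    # CSS keywords are case-insensitive, so match on a lowercased copy
    lowerContent = content.lower()
    if 'url(' in lowerContent:
        for urlStr in lowerContent.split('url(')[1:]:
            urlStr = urlStr.split(')')[0].strip().strip('"\'').strip()
            # absolute http(s) URL or protocol-relative //host reference
            if urlStr.startswith(('http:', 'https:', '//')):
                print('ERROR: non-local web link in CSS ' +
                      filename)
                return True
    # … unchanged: dangerousMarkup check …
```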