mj-saunders
/
epicyon
forked from indymedia/epicyon
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Check for non-local web links in css

alt-html-css
Bob Mottram 2020-12-12 21:21:06 +00:00
parent 49091dea9f
commit 76eb19b311
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
content.py
View File

@ -202,6 +202,20 @@ def dangerousCSS(filename: str, allowLocalNetworkAccess: bool) -> bool:
if match in content: if match in content:
return True return True
# search for non-local web links
if 'url(' in content:
urlList = content.split('url(')
ctr = 0
for urlStr in urlList:
if ctr > 0:
if ')' in urlStr:
urlStr = urlStr.split(')')[0]
if 'http' in urlStr:
print('ERROR: non-local web link in CSS ' +
filename)
return True
ctr += 1
# an attacker can include html inside of the css # an attacker can include html inside of the css
# file as a comment and this may then be run from the html # file as a comment and this may then be run from the html
if dangerousMarkup(content, allowLocalNetworkAccess): if dangerousMarkup(content, allowLocalNetworkAccess):