[thelist] CSS

Dave Hinton catbells at pat.mkn.co.uk
Fri Jun 15 02:26:51 CDT 2001

"Charles F. Johnson" wrote:

> toby,
> right you are and thanks for the caveat. in general, never a good idea
> to pass URLs in a query string without inspecting them. but i don't
> know if anything evil can be achieved by changing the stylesheet in a
> <LINK> tag, except to make the page unreadable for whoever put in the
> bogus url.
> (undoubtedly someone will now tell me how a resourceful script kiddie
> can cause thermonuclear armageddon by manipulating the "border-style"
> attribute...)

If someone could specify a stylesheet on their own server, then with
"display: none;", creative use of CSS2 selectors and generated content,
they could link to your page and utterly twist its meaning.

Though it would be far easier just to make the page unreadable, as you
say.  Then everyone who follows the link gets a bad impression of you.

  //  Dave Hinton
=()=  Web Developer, MarketNet
//    London 7691 8968

More information about the thelist mailing list