metawidget ([personal profile] metawidget) wrote in [site community profile] dw_styles, 2010-12-02 01:54 pm

CSS cleaner question

I'm not sure if this is the best place for this, but I bet someone here has the relevant deep understanding.

Is there a way to vouch for Unicode characters as safe (or otherwise input them) in custom CSS? I'd like to use asterisms (\u2042) in a content: attribute as separators in my custom stylesheet, but the cleaner objects and removes the whole bunch of CSS due to suspect high bytes (whether I use the \u2042 as suggested in the spec, or the character ⁂, wrapped as CDATA or not).

Thanks for any insight you can share!

[staff profile] denise 2010-12-02 10:35 pm (UTC)
To the best of my knowledge there isn't, because there are too many possible attacks with Unicode symbol characters...

[personal profile] marahmarie 2011-02-13 07:00 pm (UTC)
It's stripping out non-Unicode Western characters too with the same error message. Why? Are all non-standard characters treated as suspect by the cleaner? If so, is there any way around that? I can use image replacements but it's harder and I really don't want to. :(

[staff profile] denise 2011-02-13 07:05 pm (UTC)
Yeah, sorry, anything that's outside of 7-bit ASCII gets stripped. CSS injection is one of the most frequent attack vectors out there.

[personal profile] marahmarie 2011-02-13 07:09 pm (UTC)
So, in character map, are there any [non-standard] 7-bit ASCII characters? Is that equivalent to the DOS character map(s)?

ETA: googled, and I guess not: http://www.w3schools.com/tags/ref_ascii.asp

I never had any idea that character usage was so limited here nor why up until now.
Edited 2011-02-13 19:12 (UTC)

[staff profile] denise 2011-02-13 07:15 pm (UTC)
It's not just here; it's on LJ, too. (We actually haven't made any changes to the CSS cleaner since the fork, except for a few bits of refactoring.) I think you'll find that any site that allows user-submitted CSS that displays on a view that has access to a user's login cookies will have much the same restrictions. I really can't overstate the risk.
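The rule denise describes (any character outside 7-bit ASCII causes the custom CSS to be rejected), written out as an added illustration; this is not Dreamwidth's or LJ's actual cleaner code, and the sample stylesheets are constructed for the example. It also resolves CSS hex escapes first, so an escaped asterism is caught the same way as a literal one, which matches the behaviour metawidget observed.

```python
import re

# CSS escape: a backslash followed by 1-6 hex digits (plus one optional trailing
# whitespace character), or a backslash followed by any single non-newline
# character that then stands for itself.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9A-Fa-f]{1,6})[ \t\n\r\f]?|([^\n\r\f]))")


def decode_css_escapes(css: str) -> str:
    """Resolve CSS escapes so that '\\2042 ' and a literal U+2042 compare equal."""
    def repl(m: re.Match) -> str:
        if m.group(1) is None:
            return m.group(2)              # "\x" stands for the character x
        cp = int(m.group(1), 16)
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"                # invalid code point: replacement char
        return chr(cp)
    return _CSS_ESCAPE.sub(repl, css)


def check_custom_css(css: str) -> dict:
    """Apply the 7-bit ASCII rule from the thread: reject the whole stylesheet
    if any character, literal or escaped, lies outside U+0000..U+007F."""
    decoded = decode_css_escapes(css)
    offenders = sorted({ord(ch) for ch in decoded if ord(ch) > 0x7F})
    return {
        "accepted": not offenders,
        "offending_codepoints": [f"U+{cp:04X}" for cp in offenders],
    }


# Constructed sample stylesheets (not taken from any real layout).
SAMPLES = {
    "literal_asterism": 'hr::before { content: "\u2042"; }',   # the character itself
    "escaped_asterism": 'hr::before { content: "\\2042 "; }',  # the CSS escape form
    "latin1_letter":    'h2::after { content: "caf\u00e9"; }',  # a Western accented letter
    "plain_ascii":      'hr::before { content: "* * *"; }',     # passes the rule
}

if __name__ == "__main__":
    for name, css in SAMPLES.items():
        print(f"{name}: {check_custom_css(css)}")
```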