
Improve CSS url() regex

Open josch opened this issue 6 years ago • 0 comments

Hi,

I found some ways to smuggle some CSS url() bits past morty so that the user's browser will still request the 3rd-party resources and thus break the privacy expectation. I found the following ways:

```css
background-image: url( 'http://127.0.0.1:8000/test11.jpg' );
background-image: \75 \72 \6C ('http://127.0.0.1:8000/test3.jpg');
background-image: \75\72\6C ('http://127.0.0.1:8000/test13.jpg');
background-image: \75r\6C ('http://127.0.0.1:8000/test14.jpg');
```

Notice the space after the opening bracket in the first example. The other three make use of arbitrary hex encoding (and also put spaces between the hex escapes).

Thanks!

cheers, josch

josch, May 30 '18 13:05
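One way to make a url() filter robust against all four variants above is to decode CSS hex escapes before matching and to tolerate whitespace inside the parentheses; the following Go code is an added example for this report, not morty's own code, and the url() pattern it uses is an assumption rather than morty's actual regex.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// CSS hex escape: backslash, 1-6 hex digits, one optional whitespace char;
// any other escaped character stands for itself.
var cssEscape = regexp.MustCompile(`\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)`)
// DecodeCSSEscapes turns "\75 \72 \6C (" into "url(" so a filter can match
// the canonical form rather than the raw bytes.
func DecodeCSSEscapes(s string) string {
	return cssEscape.ReplaceAllStringFunc(s, func(m string) string {
		sub := cssEscape.FindStringSubmatch(m)
		if sub[1] == "" {
			return sub[2]
		}
		cp, err := strconv.ParseUint(sub[1], 16, 32)
		if err != nil || cp == 0 || cp > 0x10FFFF {
			return "\uFFFD" // CSS maps invalid code points to U+FFFD
		}
		return string(rune(cp))
	})
}

// Hypothetical url() pattern for this example (not morty's own): it allows
// whitespace inside the parentheses and single-, double- or unquoted arguments.
var urlFunc = regexp.MustCompile(`(?i)\burl\(\s*(?:'([^']*)'|"([^"]*)"|([^'")\s]*))\s*\)`)
// ExtractCSSURLs returns every url() argument in a declaration after escape
// normalisation, so a proxy can rewrite or drop each one.
func ExtractCSSURLs(decl string) []string {
	norm := DecodeCSSEscapes(decl)
	var out []string
	for _, idx := range urlFunc.FindAllStringSubmatchIndex(norm, -1) {
		for g := 1; g <= 3; g++ { // first group that took part in the match
			if idx[2*g] >= 0 {
				out = append(out, norm[idx[2*g]:idx[2*g+1]])
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed input: the escaped form from the report above.
	fmt.Println(ExtractCSSURLs(`background-image: \75r\6C ('http://127.0.0.1:8000/test14.jpg');`))
}
```

A filter that matches the literal bytes `url(` with no surrounding whitespace misses every one of the four reported forms; matching after normalisation catches them all.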