Example code:
<!DOCTYPE html>
<html lang="en">
<head><title>XSS test page</title></head>
<body>
<p>
<?php
$style = htmlspecialchars($_GET['style']);
echo '<div style="'.$style.'">This is a style test</div>';
?>
</p>
</body>
</html>
Would it be possible to inject JavaScript code using nothing but a properly escaped HTML style attribute?
I have heard that it's possible to trigger XSS attacks through CSS (Source 1, Source 2).
I was wondering if this was possible through just the style attribute as well.
I already pointed this out in the comment-section of the question, but I think it fits better as an actual answer.
CSS
Apart from an actual XSS-threat, passing user-input to a style-tag on your page opens up a whole set of other opportunities for attackers, some by just using plain CSS.
By setting the element to position: absolute;, one could overlay your whole page with it. This could be used to just render it unusable (with opacity:0; for example) or an attacker could use it for a defacement of the whole page. By using CSS3-properties like :before and :after, they are even capable of putting content on your page through CSS.
Another outcome could be "click-jacking"; this was actually already discussed on StackOverflow.
XSS
When it comes to pure XSS though, it would be hard to use this on modern browsers, still I wouldn't say that it's impossible. Anyhow, on older browsers like, for example, Internet Explorer 7, this could be used for an attack. There have been very creative XSS-Injections that were obfuscated and decoded in the craziest ways to outsmart input-validation, which would still succeed on several (now) old browsers because they were still parsing it. Matters got a lot better on modern browsers considering this.
Additionally, there were functions like expression() and background-image:url, which made script-execution possible in CSS for old versions of Firefox, IE7 and older and probably some other browsers.
The OWASP XSS Prevention cheat sheet actually lists an example, where these functions are used in style tags and style attributes.
Scriptless Attacks (might work on modern browsers too!)
Putting old browsers and XSS aside, there still are other ways that may be applicable here, mostly in the form of "Scriptless Attacks". Going into detail would blast the scope here, but there is a great presentation on this topic, providing several ways and good examples on how even modern browsers could be affected. Another example would be this blog post where CSS was used for Cross Site Request Forgery. (a big thanks to @BenjaminGruenbaum for providing the links)
Finally, for a great insight on how crazy clever attackers can get when it comes to script-insertion, I recommend browsing http://www.thespanner.co.uk/. For example, there's even a pretty wild example of XSS on a style-attribute, stated to work "on IE7 and Firefox (no version given)".
So, watch out really well when doing things like that, people might still find a way...
It depends on the browser. For example IE had scripting within CSS and style tags via the expression keyword. Thankfully this went away in IE8.
From my limited PHP knowledge what you are doing is fine; htmlspecialchars() works as you use it for an attribute value surrounded by quotes. If you leave the quotes off and did <div style='.$style.'> then you are in for a world of trouble.
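As an added example (not part of the question or either answer), the following PHP script contrasts ENT_COMPAT and ENT_QUOTES on a constructed input containing a stray single quote, and shows an allow-list that never places raw user CSS in the attribute. The function names and the probe string are assumptions made for this demonstration.

```php
<?php
// Added example, not from the question or the answers: the attribute's quoting
// style decides whether htmlspecialchars() protects it. Function names and the
// probe below are constructed for this demonstration.

// Constructed probe: a stray single quote followed by a harmless attribute.
$probe = "color:red' data-probe='1";

// The question's pattern: double-quoted attribute; ENT_COMPAT encodes " but not '.
function renderDoubleQuoted(string $style): string
{
    return '<div style="' . htmlspecialchars($style, ENT_COMPAT, 'UTF-8') . '">x</div>';
}

// Same flags, but a single-quoted attribute: ENT_COMPAT leaves ' untouched,
// so the value terminates the attribute and data-probe becomes a real attribute.
function renderSingleQuotedCompat(string $style): string
{
    return "<div style='" . htmlspecialchars($style, ENT_COMPAT, 'UTF-8') . "'>x</div>";
}

// Fix: ENT_QUOTES encodes both quote characters, so either quoting style is safe.
// (PHP 8.1 made ENT_QUOTES part of the default; passing it explicitly avoids
// depending on the PHP version.)
function renderSingleQuotedSafe(string $style): string
{
    return "<div style='" . htmlspecialchars($style, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>x</div>";
}

// Stronger: never place raw user CSS in the attribute. Map request parameters
// onto an allow-list of properties and values; anything else is dropped.
function styleFromAllowList(array $params): string
{
    $allowed = [
        'color'       => ['red', 'green', 'blue'],
        'font-weight' => ['normal', 'bold'],
    ];
    $decls = [];
    foreach ($allowed as $prop => $values) {
        if (isset($params[$prop]) && in_array($params[$prop], $values, true)) {
            $decls[] = $prop . ':' . $params[$prop];
        }
    }
    return implode(';', $decls);
}

echo renderDoubleQuoted($probe), "\n";       // the ' stays inside the "" attribute
echo renderSingleQuotedCompat($probe), "\n"; // attribute closed early by the '
echo renderSingleQuotedSafe($probe), "\n";   // the ' is encoded, attribute intact
echo styleFromAllowList(['color' => 'red', 'font-weight' => $probe]), "\n"; // probe dropped
```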