by DanielBark 1233 days ago
I created a video where any comment that was valid CSS would be added to the site without moderation.

I suggest that you have a look at the site. It's a testament to programming joy.

Early on someone posted CSS that added a trollface that would zoom across the site. I realized that allowing images inside the CSS was simply too dangerous, so whenever an image was included in the CSS I would have to approve the CSS before it was applied to the site.

This video explains how the technical setup was achieved.

https://youtu.be/z8b9WJ1oD8w

Hope you enjoyed this little experiment!

// Daniel

2 comments

Interesting idea, but if you didn't filter the elements with URLs, you're creating a CSS injection attack that enables people who visit the website to work as bots in a botnet and attack some URL.
I did :)
It's fun! Are there any security considerations when allowing random CSS?
Privacy ones: using URLs for images or imports that point to external domains could leak who is visiting.

There is also a way to do a CSS keylogger for input elements, but I don't think the website has any or that users would type anything sensitive.

Beyond that, it's as safe as visiting any other website, especially if you don't use an ad blocker.

Not with content-security-policy set correctly (I think?)
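An added example, not part of the thread and not the site's actual code: a moderation gate of the kind the post describes, which holds any submitted CSS that could make a visitor's browser fetch a resource and auto-applies the rest. The function names, the sample submissions and the list of fetching constructs are assumptions made for illustration, and the list is not exhaustive.

```python
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + any char.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])")
# Constructs that can trigger a network fetch (assumed list, not exhaustive).
_FETCHERS = re.compile(r"(?:\burl|\bsrc|image-set|\bimage)\s*\(|@import\b", re.I)

def decode_escapes(css):
    """Resolve CSS escapes so that e.g. '\\75 rl(' is seen as 'url('."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
            return chr(cp) if valid else "\ufffd"
        return m.group(2)
    return _ESCAPE.sub(repl, css)

def fetch_constructs(css):
    """Return the sorted names of fetching constructs found in raw or decoded CSS.

    Comments are deliberately not stripped: '/*' inside a string is not a
    comment, so stripping could hide a live url(). Scanning everything only
    costs false positives, which land in the moderation queue.
    """
    found = set()
    for text in (css, decode_escapes(css)):
        for m in _FETCHERS.finditer(text):
            found.add(re.sub(r"[\s(]", "", m.group(0)).lower())
    return sorted(found)

def moderate(css):
    """'hold' for manual approval if anything could fetch, else 'auto'."""
    return "hold" if fetch_constructs(css) else "auto"

# Constructed sample submissions (example.invalid is a reserved placeholder domain).
SAMPLES = [
    "body { background: hotpink; transform: rotate(2deg); }",
    "h1 { background: url(https://example.invalid/face.png); }",
    '@import "https://example.invalid/x.css";',
    "h1 { background: \\75 rl(https://example.invalid/a.png); }",
    'div { background-image: image-set("https://example.invalid/a.png" 1x); }',
]

if __name__ == "__main__":
    for css in SAMPLES:
        print(moderate(css), fetch_constructs(css), css)
```

A gate like this pairs with the content-security-policy mentioned in the last comment: a policy that restricts `img-src`, `style-src` and `font-src` to the site's own origin blocks external fetches even for a construct the filter does not list.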