2 comments

[ 3.6 ms ] story [ 8.0 ms ] thread
How is it possible to patch this while retaining the ability for users to make custom themes? I'm genuinely curious what the right solution is. CSS is practically a programming language at this point (isn't it Turing complete?) so it seems hard (if not impossible) to accurately identify all of the features that might constitute a vulnerability when the script is deliberately loaded and run by a user.

Is there a way to tell a browser "this stylesheet can't make external requests"? Are they manually parsing the stylesheet to look for the naughty selector (on the textbox element, or on $=, etc.)?

Update: Oh, it looks like this is being entered via an input field in the settings meant to specify a color code. So not actually a fully-fledged user stylesheet. On that note, does Slack support those?

The correct way to prevent this would be to constrain the input and validate it on output -- so that users cannot enter anything that's not a hex value, and Slack won't send back anything that's not a hex value in the theme. Even limiting the length of the input (and output) would mitigate the issue to some extent...