I am writing a shopping cart component is react and my boss says i shouldn't use css in html cause it can be hacked. If he had said good coding practice i would have understood that, but i just dont see how someone inspecting and seeing css in the html code will let them hack into it, to top it off I am using material UI and there's no pure css styling, just props, and forgive me if i'm wrong but i don't think MUI lets people see the props of components in the inspect from what i've seen. So why does he have that logic.
No a website cannot be hacked with/by CSS
Yes, its best practice to keep the styling code in either an external script, or rather when building the component using the style prop on the element. like
jsx
import { styles } from './mycss.css';
function app(){
return (<div className={styles.mycomponent}>
content here
</div>);
}
css
.mycomponent {
display: block;
background: red;
}
note
The only thing an outsider can do is temporary change what is displayed on their browser on their machine only.
Yes and no. Yes because, even if it it is exceedingly rare, CSS3 can be a target of an exploit, allowing educated users to access unwanted certain elements. The same with insecure usage of CSS selectors. However, no because keeping CSS elements on a different file will not prevent this, there can be other preventative measures.
Though, of course, it doesn't go without saying it is best practice to keep your CSS files and HTML files separate.
Further reading:
Example of an old CSS exploit: https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/
How to be secure your CSS Selectors: https://cheatsheetseries.owasp.org/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.html
Related
This question already has answers here:
How can I write 'a:hover' in inline CSS?
(24 answers)
Closed 1 year ago.
Is it possible to create inline pseudo styles?
For instance, can I do something like the following?
Coding Horror
The reason behind this is I'm developing a .NET library that creates UI elements. I want to produce HTML elements that can have their hover state set without the use of an external style sheet.
Unfortunately no, you can't implement hover effects using inline CSS.
A (poor) work-around for this problem is to have your controls render style blocks when they are rendered. For example, your control could render as:
<style type="text/css">
.custom-class { background-color:green; }
.custom-class:hover { background-color:Red; }
</style>
Coding Horror
If you could force your users to drop a "style control" at the top of their pages you could render all your custom classes there instead of rendering them next to each control, which would be a very, very bad thing (browsers will restart rendering every time they come across a style block, having a lot of style blocks scattered around your page will cause slow rendering).
Unfortunately there's no elegant solution to this problem.
This is kind of a Catch-22 situation.
On one hand, you can add a style block right before where your element is inserted into the page, but Chris Pebble points out the problems with that. (If you decide on this, make sure you pick unique IDs for your Elements so your selectors don't accidentally select or style anything else).
On the other hand, you could do something like this:
...
But, that's nasty in its own right as it ties together markup, presentation, behavior, and a whole bunch of other things.
You could also inject a stylesheet into the page by writing out a link tag or manipulating document.stylesheets, but that's going to trigger a download.
I've usually seen the first method (adding a style block) done on large. "Modular" portal sites do this sort of thing, so maybe it's the de-facto standard (it is at least more readable and maybe easier to maintain than cramming JavaScript in there?). The JavaScript method seems to have the least impact on the DOM and the overall page as you're keeping your presentation to yourself.
This is one of those front-end dev morasses where every answer you choose is wrong to some extent, so weigh the options and pick what's easiest for you to build and maintain.
I would dynamically create a CSS file as I parse all the controls, and I would add a server side attribute to the controls that contained the hover or other pseudoclass styles.
<a style="color:blue" styleHover="color:blue" id="a1">Click!</a>
Your code can look for these attributes and generate a css file on the fly
#a1:hover {
color:blue
}
I don't know if .NET allows for you to do this type of parsing of the attributes, but I do something similar in a framework I created for php.
Hacss effectively brings pseudo-selectors to inline styles.
You could send a static stylesheet with the built page that uses css variables to control specific states and generate those in your script. Sadly you have to do this for every state and property you want to use.
* {
background-color: var(--n-background-color);
}
:hover {
background-color: var(--hover-background-color);
}
Coding Horror
To avoid using !important we cannot define the normal state inline directly.
Or you can use jQuery's hover function and set the background color.
I have made a small popup window that shows up at the bottom of the page (like a recommendation system). But whenever I embed my script to any of the client's website, it disturbs my CSS. Like the CSS which is on the client's website overshadows my CSS and this causes me to fix my CSS for each client. Is there a fix that I will have to install on my code?
Please help
Thanks
This is due to overlapping CSS properties of client's and your newly developed. I recommend you to inspect element of google chrome's very nice feature. You can individually identify your overlapping properties. If this is too much complex. Like James commented give a new id to your pop-up menu, which will separate your pop-up CSS from all other components on your web page
On of the ways I heard about is Shadow Dom, and in this article it describe it and at the beginning of the article he listed the problem in brief: http://www.html5rocks.com/en/tutorials/webcomponents/shadowdom/
But there is a fundamental problem that makes widgets built out of
HTML and JavaScript hard to use: The DOM tree inside a widget isn’t
encapsulated from the rest of the page. This lack of encapsulation
means your document stylesheet might accidentally apply to parts
inside the widget; your JavaScript might accidentally modify parts
inside the widget; your IDs might overlap with IDs inside the widget;
and so on.
Else which I did my self long time ago is: to name all your ids, classes with a special names for example 'mywebsite.myclass' this may minimize the issue. and I saw this way is used by many bookmarklets which import html,css and javascript to user opened page.
"All browsers" is a lot of browsers :P
CSS is going to get interesting soon thanks to shadow DOM. You are going to be able to create a web component that is completely isolated, DOM and CSS, from the rest of the document, which is exactly what you want.
Obviously, it's not in place in al browsers (only in Chrome at the time of me writing this). Meanwhile, this is what I would do:
Use shadow DOM components if available
Anyway, manually name-space everything you use (CSS classes, JavaScript, etc)
Try to use custom elements for everything. (that way, there's less risk of your e.g. <h2>s being styled by outer CSSs)
As a last resource, use very specific selectors (look up CSS specificity), and use !important. Just to be clear: never do this routinely!
Most of that stuff will fail for some value of "All browsers". You'll have to compromise somewhere, I guess.
Yes you can reset your div styles.
Something like this:
div.your-popup * {
/* your reset */
}
And try to set !important to styles or put them inline.
In addition create unique class names that no one can override it.
P.S. http://www.cssreset.com/
I am building out a page for work that has a section where the content needs to change dynamically on button(s) click. I know of several different ways to accomplish this but all of them involve javascript of some kind or another. My capabilities don't currently include writing script for this site so I am researching to see if there is a way to do this with JUST css before I inform my project manager that one of our javascript guys will have to handle it. So, anyone know of any cool CSS techniques that might get the desired effect?
You could potentially use CSS's :target pseudo-class selector. This would require replacing your buttons with a elements instead, which cause your document's URL to apply a hash relating to the id attribute of the element you want to change.
div {
display: none;
}
:target {
display: block;
}
Click here to show the hidden <code>div</code> element<br>
Click here to hide it again.
<div id="foo">This should only show when the link is clicked.</div>
Yes, you can use dynamic content without any scripting language, but your options are very limited. As James suggested, you use CSS. One common way is to use checkboxes and a label to control items visibility. You use this to make simple games, tab menus and more.
A great tutorial with examples you can try out is at http://css-tricks.com/the-checkbox-hack/ but in essence, you'd do something like this: (from the tutorial)
input[type=checkbox]:checked ~ div {
background: red;
}
Note that you have the :checked property and the general sibling selector in this example. You can get a lot more sophisticated.
Check out the CSS Panic game which uses this same capability.
I don't think there is any way to directly modify the content with CSS, because as its name suggests, it is specifically for style. I don't know of any tricks, sorry. I don't think CSS is actually an appropriate way to do this, because it is not good code organization (although web is not known for good code organization anyway). It should be really simple to bang out the javascript, so I recommend just doing it yourself if at all possible. Changing content with a button press really isn't a difficult javascript problem. Throw in some jquery, and you can get slick transitions, too.
HTML is not designed to be dynamic, it's simply a document format, more or less. I don't think CSS was designed for much dynamism either, just changing styles on certain events. So I think because changing content is not changing style, it is either not possible, or not a very pretty way to do it.
Good luck!
I have been tasked with making some updates to an existing web control and placing it on an existing web page. The web control uses a lot of hard coded formatting to make it look "pretty", and the web page uses CSS to override just about every visual element you could imaging. So when the control is placed on the page it looks REALLY bad. Its basically unusable and I'm not sure what the best approach is to fix it.
Is there a way to clear CSS from, for example, all elements which are part of a specified DIV, or some way to prevent the main css from being applied to these components?
You could try a CSS reset stylesheet (just add the class yui3-cssreset to your element).
The only problem, though, is that it only normalizes little nuances between browsers, and isn't made for completely killing all stylesheets.
You could, however, edit in code to reset the background, font, border, etc.
You can use the not pseudo selector like:
:not(#idname) {
Properties... }
But that won't work everywhere without a JS shim.
As someone who is beginning to make a transition from table based design to full CSS I'm wondering if using the style attribute to make adjustments to elements is considered "cheating" and if absolutely ALL presentation should be strictly in the style sheet?
See also:
A question of style - approaches to styling and stylesheets
There are cases where you know for sure that all you want to do is tweak the style of this one specific element, and nothing else.
In those cases you can happily use an inline style attribute. But then, at some point in the future, you'll realise that in fact you need to apply the same style to something else, and you'll realise you were wrong.
Been there, done that. 8-)
I feel there's an aspect that has not been touched upon here: the distinction between hand-edited HTML snippets and generated HTML snippets.
For human editing, it's probably better and easier to maintain to have the styles in a file.
However
As soon as you start generating HTML elements, with server-side scripts or with some kind of JavaScript, be sure to make all styles required for basic functionality inline!
For example, you wrote some kind of JavaScript library that generates tooltips. Now, you will inject DIVs into your page, that will need some styles. For example, position: absolute and, initially, display:none. You may be tempted to give these elements the class .popup and require that this class has the correct definitions in some CSS file. After all, styles should be specified in the CSS file, right?
You will make your JavaScript library very annoying to reuse, because you can no longer simply copy and invoke one .js file and be done with it. Instead, you will have to copy the .js file, but also have to make sure that all styles required by the script are defined in your CSS file, and you have to go hunting for those, and make sure their names don't conflict with classes you already have.
For maximum ease of use, just go ahead and set the required styles directly on the element as you create it. For styles that are purely for aesthetical purposes, such as background-color, font-size and such, you can still attach a class, to give the consumer of your script an easy way to change the appearance of your script elements, but don't require it!
You can use the style attribute, but the point of using CSS is that you make a change in a single file, and it affects the entire site. Try to avoid it as much as possible (old habits die hard)
It's not maintainable. All of us have done it. What you're best to do is put every adjustment into a style. Let me teach you something most developers do not know about CSS ... you can use N styles at a time.
For example, imagine you have a great style for colorized divs called someDIVStyle:
.someDIVStlye
{
background-color: yellow;
...
}
You want to use it, but just want to adjust the background-color to blue. Many people would copy/paste it and then make a new style with the change. However, simple create a style like this:
.blueBackground
{
background-color: blue;
}
Apply it as such:
<div class="someDIVStyle blueBackground">...
The style furthest to the right always overrides the properties of the styles preceding it. You can use a number of styles at once to meet your needs.
I agree with some other posters that it is best to keep the style information in the stylesheet. CSS tends to get complicated quickly, and it is nice to have that information in one place (rather than having to jump back and forth from HTML to stylesheet to see what styles are being used).
A little off-topic tip: Pressing F12 in IE8 brings up a great tool that lets you inspect the styles of elements in web pages you're browsing. In Firefox, FireBug does the same thing. Those kinds of tools are lifesavers if you want to know how a style change will affect an element.
It's a very "personal" question, to me the word "ALL" is a very strong word. You should do your best to have most of the styling in your css. but you can use style occetionally if it makes your life easier.
Generally it is best to have styles on the style sheet especially if it will be used multiple times, but using the style attribute is definitely not "cheating". A quick look through the stackoverflow source shows many examples of this.
Yes, it's kind of cheating, but it's up to you if you want to cheat a little. :)
The fundamental idea of having the styles in a style sheet is to separate the content from the layout. If you use the style attribute you are still mixing layout within the content.
However It's not that terrible, as you can quite easily move the style into a class. It's quite handy during development to be able to set a style on a specific element so easily without having to make up a class name and worry how the style will cascade.
I sometimes let the style attribute go through in the production code, if it's something that is specific for just one page, and if it's doubtful that it will be there for long. Occationally just because I am pressed for time, and it can be cleaned up later on...
So, even if you use a style attribute sometimes, you should still have the ambition that all the styles should be in a style sheet. In the long run it makes the code easier to maintain.
As others have said, in general, no.
However, there are cases where it makes perfect sense. For example, today I had to load an random background image into a div, from a directory with an unknown # of files. Basically, the client can drop files into that folder and they'll show up in the random background image rotation.
To me, this was a clear reason to dynamically build up the style tag on the div.
In addition, if you're using, for example, the .net framework with webforms and built-in controls then you'll see inline styles used anyway!
There can be very good reasons to put style information in a specific page.
For example, if you want to have a different header background on every page (travel agencies...), it is far easier to put that style information in that specific element (better, in the head of the document...) than to give that element a different class on every page and define all those classes in an external style-sheet.
The style attribute does have one important use: setting style programmatically. While the DOM includes methods to manipulate style sheets, support for them is still spotty and they're a bit heavyweight for many tasks, such as hiding and showing elements.
Yes, the style attribute is frowned upon in general. Since you're moving to the CSS method from table-based, I'd strongly recommend that you avoid inline styles. As a previous poster pointed out: bad habits are hard to break and getting into the habit of using inline styles for their temporary convenience is a mistake. You might as well go back to using the font tag. There's really no difference.
Having said that, there are occasions where it makes sense to use a simple inline style, but first develop the habit of using stylesheets. Only when you're comfortable with putting everything in a stylesheet should you start looking at shortcuts.
I think that's the general consensus of everyone who posted an answer