I found a some MIT-licensed CSS I would like to use for my web app. I've been reading that malicious css can be injected into websites (source: Can Malicious Code Be Executed From A CSS File?) to launch a cross-site-scripting type of attack.
Here's my question:
I'm wondering if it is possible for malicious css to infect my webserver with malware, and if so, what would be the tell-tale signs of malice in that kind of css that I should look out for?
Short answer: Yes.
Long answer: You should always read and own the code you are copy-pasting. It’s also a good clean code practice to fix “smelly” code. You should check for any links and suspicious css. Do not just publish a code before testing it yourself; ie. visiting the pages yourself like a user/visitor of the website. This way you can be sure to avoid any malicious css code.
Related
While I was searching a website that helps me to obfuscate my html source.
I found this website.
http://snapbuilder.com/code_snippet_generator/obfuscate_html_source_code/
Do you guys think this website is reliable?
I am now learning about front-end stuff, so I am not sure this helper might have some harmful code.
Thank you
Do not do this, it will simply make your site slow, and if they have Javascript disabled your site will not function at all. Not to mention the fact that as soon as this script is executed they will still be able to see the HTML via the dev tools in any browser.
tl;dr DO NOT DO THIS
For learning purposes I want to view the html source of sites like amazon.com, ebay etc , After learning I want use it in my work, I don't want to copy and paste the html source.
Points to consider:
1. Hiding html source is unprofessional, here
2. Viewing HTML Source is safe for developers, here
3. All working web professionals do it for learning, here
So can i View HTML Source to learn css styles etc ? or should I get permission from website's owner ?
Any help would be great.
Client side code is always accessible publicly, viewing it or using it for learning purpose is absolutely fine. There is nothing illegal to that. However, if you are using the design of the any website or the part of website such as java-script or css, there should be a copyright notes; just read that once before using it. I don't think all java-scripts and css may have the copyright issues and you can also read the website policy before using it.
That depends.
If you live in the USA and circumvent a copyright protection system (however badly implemented) while viewing and using source code you broke the law. There are many other ways to break the law by misusing other peoples websites (like scraping, leaching, mirroring, hacking, etc). Search for "laws you break every day" and you will see how hard it can be to not break the law, but the rule of thumb is be a nice small fish and likely any laws you break people wont care enough to charge you with.
You can read a source, but you shouldn't use it if not allowed. If the source has a license, you should read it to know.
The HTML/CSS/Javascript code is loaded in your browser and you can watch it as many times as you want without any concern.
yup, it is 100% legal to view and use
So I take this class, and I'm way ahead of everyone else and a lot of people steal code from my website, I have already disabled right clicking but it's rather easy to get around this, is their any way to stop people from being able to view my source code?
tl;dr: Nope.
You could look into obfuscation, as well as CSS & JS minification.
"If you steal from one author, it’s plagiarism; Steal from many, it’s art."
No, if someone wants it, they will get it, you can make it harder but, you will just alienate your users from normal functionality, focus on your backend code.
If they steal your code, your lector will hopefully notice, either way they only hurt themselves.
Afaik the only way to hide your source code is if you put it on the server-side.
It is not possible from hiding client-side source code from users - sorry.
One suggestion would be stopping the user from right-clicking but that might cause you more problems...
You could render the html pages server side and convert them into images which get sent to the client. You could then have some image maps that handle clicking on the various locations.
There isn't a perfect solution (100% bullet proof) to protect your JavaScript code on the client side, however there are some tools on the market that can help you to protect your code:
Code Compression/Minification (Usually don't protect the code)
Google Closure (Free)
Uglify JS (Free)
Code Obfuscation/Compression/Minification
JScrambler (Paid, but is on my opinion the best one on the market)
Jasob (Paid)
Stunnix (Paid, it seems to be outdated)
Hope this answers your question!
Before I start I'd like to say I have read similar questions here but I don't think it really answers the question: Show HTML user input, security issue and Security risks from user-submitted HTML
I think these highlight the problems quite well but I am essentially asking advice for best practice in these circumstances.
I have been programming for a while and have just now come to the point where I want website administrators to submit HTML markup to display the content they want in their own sites.
Securing this content in the database is fine but now I want to display it on the site securely.
Even though, this feature is only available to the site admins I still want to secure against malicious script injections and try to prevent them breaking the page by using poor HTML.
Is the reality that I cannot safely guard against script injections as the threads above seemed to point out?
Do I use the mentality that if they break the site, it's down to them, or can I use some sort of markup validator when they update the content?
What do you think about markdown?
It's a safe way to submit html, and have libraries to most popular languages.
You're correct, if you allow to submit pure HTML - there's no way to prevent all possible injections. Even if you disable <script> tag in all it's possible combinations (and there're many) there're other ways like onfocus onmouseover events that can be used to run malicious code.
I would advice HTMLPurifier, it's the best solution out there for sure. Google it!
possible duplicate: What tools to automatically inline CSS style to create email HTML code ?
note from author: Oh yeh, definitely duplicate. Sorry.
In general, HTML emails do not support proper CSS techniques.
However, it's nice to develop in these techniques because it makes it a lot quicker to play around with changes etc. (I don't need to sell the benefits of CSS to you all!)
Is there a tool that will take lovely HTML and turn it into nasty email compatible HTML with all the styles extrapolated from the CSS files and placed inline?
Even though 100% compatibility cannot be achieved due to the numerous differences in email clients out there, a tool that helps the process would be very useful, even if it simply takes the CSS and inlines it.
Campaign Monitor have an excellent guide to CSS support in email clients as of 2008. It's very comprehensive.
There are no standards for "email compatible" CSS or HTML, so a tool to perform this task is unlikely to exist. Various client strip out different tags and attribues, especially web-based ones. A lot of it is trial and error. Trial and error is difficult to automate.
I imagine you could run the text of the page through a script that will discover CSS classes and ids and store the styles for them in an array, then go through and replace class="class" with style="style" and id="id" with style="style" etc. It would just be a matter of programming the thing.
Unfortunately, I don't know of any tools, but I would think this could be done using javascript (using jQuery, prototype, or other js framework), to rip through the rendered DOM and discover applied styles and create new HTML based on that
A good start would be to have a source div tag and a target div tag and see that the HTML in the target ends up looking like the source.
Just wrote blog post about converting "good" HTML/CSS into bad, but compatible HTML/inline CSS.
I personally use Premailer for this task, you can read more about it in my post: http://www.versapay.com/developer-blog/the-art-and-science-of-email-rendering-across-email-clients/
Yes, In my experience the best are:
http://premailer.dialect.ca/
http://beaker.mailchimp.com/inline-css
http://zurb.com/ink/inliner.php