How to exploit websites that include user input in their CSS

The linked article Show archive.org snapshot shows how to exploit websites that include unsanitized user input in their CSS.

Although the article often mentions React and CSS-in-JS libraries, the methods are applicable to any web app that injects user input into style tags or properties.

Also, sanitizing user input for CSS injection is much harder than sanitizing HTML.

reactarmory.com
Henning Koch Over 6 years ago
This website uses short-lived cookies to improve usability.
or learn more