[MD settings] quoting font-family names
Issue description

Should font-family names be quoted in a style attribute? The CSS spec calls for quoting or escaping font-family names and while a font-family in a style is not really CSS, is it still a good idea to quote font names there? Specifically in appearance_fonts_page.html/js.
Mar 14 2017
There is a CL started at https://codereview.chromium.org/2749873003/ for reference. Whether font names should be quoted is still TBD.
May 17 2017
I looked into this a bit more. If a font family name has spaces the name is quoted by the Polymer binding. If there are double quotes (") they are escaped with a backslash. If there are single quotes in the name the font-family style is removed.
Things I tried: using a font with a " in the name, a ' in the name, both " and ' to find some way to execute <script> from a name.
It's hard to say that it cannot be hacked (by escaping from the style with a font name), but the attempts I made didn't show any exploitation opportunities.
May 17 2017
Another note: Fonts have several names: there's the font file name, the fontname, font family name, and human readable name. We show the font family name in the UI, which is the one used in the style. So we won't show a name like MyFont where the font-family is ";content:'<script>...'", instead we'd show the name in the UI as ";content:'<script>...'" (which is a bit more secure in itself - the user would need to actively select a font with a very strange name - but even if they do, empirically the name will be escaped or blocked).
May 17 2017
I'm ready to call this wontFix since it looks like no changes are needed, but is there more that should be tried?
May 25 2017
Dan wdyt?
May 30 2017
Comment 1 by dschuyler@chromium.org, Mar 14 2017
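The quoting question discussed in this issue, as an added example that is not part of the original thread and is not Chromium's settings code: one way to serialize a font family name as a CSS string, plus a simplified declaration splitter to check the result. The function names `cssString` and `splitDeclarations` and the sample font names are constructed for illustration.

```javascript
// Added example (not Chromium code). Function names and sample font names
// are constructed for illustration.

// Serialize a font family name as a CSS <string>, following the CSSOM
// "serialize a string" rules, so the name cannot end its own declaration.
function cssString(name) {
  let out = '"';
  for (const ch of String(name)) {
    const cp = ch.codePointAt(0);
    if (cp === 0) {
      out += '\uFFFD';                      // NULL is replaced by U+FFFD
    } else if (cp <= 0x1f || cp === 0x7f) {
      out += '\\' + cp.toString(16) + ' ';  // control chars become hex escapes
    } else if (ch === '"' || ch === '\\') {
      out += '\\' + ch;                     // the only two chars needing a backslash
    } else {
      out += ch;                            // ' ; < > are inert inside "..."
    }
  }
  return out + '"';
}

// Simplified view of how a style string breaks into declarations:
// a ';' only separates declarations when it is outside a quoted string.
function splitDeclarations(style) {
  const parts = [];
  let cur = '';
  let quote = null;
  for (let i = 0; i < style.length; i++) {
    const ch = style[i];
    if (ch === '\\' && i + 1 < style.length) {
      cur += ch + style[++i];               // escaped char never opens or closes a string
    } else if (quote) {
      if (ch === quote) quote = null;
      cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      cur += ch;
    } else if (ch === ';') {
      parts.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// In a page, assign through the CSSOM rather than building markup, e.g.
//   el.style.setProperty('font-family', cssString(familyName));
```

With the constructed name `";content:'<script>'` the serialized value stays inside a single `font-family` declaration, whereas concatenating an unquoted name such as `Foo; content: 'x'` splits into two declarations.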