CSS Cleaner
From No LJ Ads Wiki
The CSS Cleaner was made to try and prevent malicious exploits for some browser vulnerabilities.
An unofficial Support guide made by ![[info]](http://noljads.com/images/userinfo.gif){kind=small}
idonotlikepeas (not affiliated with us in any way) to avoid tripping the CSS Cleaner in your code is available here (![[info]](http://noljads.com/images/community.gif){kind=small}
lj_support), but we repeat it here for convenience.
[edit] The CSS Cleaner and You: Partners in History
Some folks have wondered what the mysterious messages about "suspect CSS" mean. Now's your chance to find out!
A brief introduction for the folks who may not have heard about this: CSS, AKA Cascading Style Sheets, are the tool used on well-behaved web pages to send style information to your browser; layout, color, positioning, and so on. HTML describes what an element is (a paragraph, a header, an emphasized word, a link) and stylesheets tell your browser how that should be rendered (separate all paragraphs by seven pixels, make every header eighteen-point bold text, emphasize words by coloring them orange, links should be underlined and purple). Most S1 overrides and S2 styles use CSS to create certain looks for your journal, and S2 styles actually have a large box which you can use to enter your own CSS code to override the style's code if you like.
There's an unfortunate consequence to that last part, though: some unscrupulous journal owners could put harmful code in their CSS, that exploited vulnerabilities in some browsers to create unfortunate consequences. The CSS Cleaner is the solution to that problem: it looks for things that look nasty in the CSS code and yanks those things out before transmitting it to the client. Unfortunately, some people may have perfectly innocent CSS code which /looks/ like hostile code and also gets edited out. This post is meant to explain what the CSS cleaner does, so that volunteers working in Styles can understand why the messages are showing up and what to do about them. (And, e.g., write tutorials in howto about fixing problems, etc.)
Please note that this post is based only on my reading of the CSS cleaner. I didn't write the thing, so I may be missing some intricacy; I am certain that I'll be corrected if that's the case. Largely, though, this information should be correct, since the code is relatively straightforward. I will edit this post to accommodate any corrections that need to be made.
The CSS cleaner does two scans of the code; once before removing the comments from it, and once afterwards. (This prevents tricky things like having a hostile instruction with a giant comment in the middle, which a browser would ignore but a CSS cleaner might miss.) Whitespace is also ignored. So code which is separated by large stretches of comments and line breaks may still be stripped, and that can be harder to detect. Before the cleaner begins its scan, it converts HTML entities into their corresponding character values. So, for instance, % would become %.
The following table summarizes what is removed and what it is replaced with. In each case, the "replaced with" message will look like this: /* suspect CSS: [message] */. (The /* and */ are signals to browsers that the code in between is a comment, not to be handled as CSS code.) In stylesheets, the code will also be marked with the text /* Cleaned CSS: */ whether it's been stripped or not. (You can also add style information to HTML elements directly. That code will be checked, but not marked in this way.)
| Text | Error Message | How to Avoid |
|---|---|---|
| non-standard characters | low bytes or high bytes | Only use standard ASCII characters. (Things you can type on an English keyboard.) |
| <foo | start HTML tag | Don't follow < with a character. (Better yet, just don't use <.) |
| \0, \1, \2, ..., \9, \a, \b, ..., \f | backslash hex | Don't put \ in front of any numbers or any of the letters a-f. |
| @import [foo] | import rule | Don't import external stylesheets. If you need code from them, copy and paste it to your stylesheet directly. |
| @charset [foo] | charset rule | Don't manually set the character set in your stylesheet. |
| &# followed by anything except a number | found irregular &# | Don't use those symbols in order unless you're making a character entity. (In which case you need a number there.) |
| </ | close HTML tag | Don't use this anywhere in your CSS code. |
| data: [foo] | potential scripting: data | See above |
| javascript | potential scripting: javascript | Ditto |
| jscript | potential scripting: jscript | " |
| livescript | potential scripting: livescript | " |
| vbscript | potential scripting: vbscript | " |
| expression | potential scripting: expression | " |
| eval | potential scripting: eval | " |
| cookie | potential scripting: cookie | " |
| window | potential scripting: window | " |
| parent | potential scripting: parent | " |
| this | potential scripting: this | " |
| behavior | potential scripting: behavior | " |
| behaviour | potential scripting: behaviour | " |
| moz-binding | potential scripting: moz-binding | " |
Phew. Now, keep in mind this text can be anywhere in your code. For instance, the following (completely innocent) code would get my CSS axed in four separate ways:
.this-sucks { /* I really hate JavaScript or "livescript" stuff, and also <font> tags. */
color: #000000;
}
And that's about it. If you've got any questions or comments... well, you know what to do!
