
I'm working on a site that has a higher-than-normal concern for user security. I've recently been working on some CSS issues with older versions of IE (we support 7 and higher) and found that an easy solution to some of them would be the use of HTML Component files (.htc) to add certain CSS3 behaviors. http://msdn.microsoft.com/en-us/library/ms531018(v=vs.85).aspx

I was given an uncertain suggestion by someone that these methods could lead to a security issue, either on the part of compromising the client browser, or the server (the latter would surprise me). I've tried doing a bit of Google research but couldn't easily find very much mention of any such issues. Would someone here have more insight into this issue?

Katana314

1 Answer


I'm not super familiar with them but can't see anything unsafe about them in a blanket fashion. I can imagine risks from them being used in an unsafe fashion though: typical OWASP Top Ten type risks from trusting user input too much.

Are you allowing these files/other CSS/HTML content to be uploaded or edited by untrusted input? Can untrusted users edit the files on the server? If the client machine is compromised (malware etc.) they can no doubt alter it, but that's a moot point anyway.

There's mention of HTC here too, but it seems to fit within the risks above: CSS based attacks

pacifist
No, no user-uploading; I've already looked at the contents in Notepad and it contains JavaScript, so that would be a very bad idea anyway. I basically assume it to be at least as risky as any HTML/JS/CSS file, but wasn't sure if it was an IE-specific feature with its own ActiveX-style vulnerabilities. – Katana314 Jan 03 '14 at 02:23