CSS / style context injection
Check parser breakouts and risky URL tokens when user input enters style tags, style attributes, or CSS URLs.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify that user input is not inserted directly inside style tags
- If style attributes are allowed, restrict CSS properties and url() schemes with an allowlist
- Verify that the HTML sanitizer safely handles CSS parser boundaries
Payload
Payload to copy
Use this when untrusted text is inserted inside a style element.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Log
// no logs
Explanation
- Modern browsers block many old CSS-to-JavaScript tricks, but
</style>breakouts are still HTML parser boundary issues. - Allowing style attributes can still enable layout manipulation, clickjacking support, and remote resource requests.
- Allow only the CSS properties you need, and validate
url()values through a dedicated URL policy.