Summary
A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input.
Details
File: weasyprint/css/init.py
The background attribute is used to construct CSS:
background-image:url({element.get("background")})
This string is parsed by tinycss2.parse_blocks_contents().
Because the value is not escaped, additional CSS declarations can be injected.
PoC
Impact
- CSS injection
- Server-side requests via injected
url()
- Limited to cases where
presentational_hints=True
Suggested Fix
References
Summary
A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input.
Details
File: weasyprint/css/init.py
The
backgroundattribute is used to construct CSS:background-image:url({element.get("background")})
This string is parsed by
tinycss2.parse_blocks_contents().Because the value is not escaped, additional CSS declarations can be injected.
PoC
Impact
url()presentational_hints=TrueSuggested Fix
VULN-05_css_injection_presentational_hints.md
References