# Escaping Cascading Style Sheets

Escaping CSS is similar to [escaping Javascript](escaping-javascript.md). CSS escaping
leaves only basic alphanumeric characters unescaped and converts every other
character into a valid CSS hexadecimal escape.

## Example of Bad CSS Escaping

In most cases developers forget to escape CSS completely:

```php
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8"/>
    <style>
    <?php
    // Untrusted CSS supplied by the user. The body of the original sample's
    // heredoc is missing from this page, so a labelled placeholder is used.
    $input = <<<INPUT
    body {
        background-image: url('USER_SUPPLIED_VALUE');
    }
INPUT;
    // Written straight into the <style> element with no escaping at all
    echo $input;
    ?>
    </style>
</head>
<body>
    <p>User controlled CSS needs to be properly escaped!</p>
</body>
</html>
```

In the above example, by failing to escape the user provided CSS, an attacker
can execute an XSS attack fairly easily.

## Example of Good CSS Escaping

By using the `escapeCss()` method in the CSS context, such attacks can be prevented:

```php
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8"/>
    <style>
    <?php
    // Same untrusted CSS as above (heredoc body replaced by a labelled placeholder)
    $input = <<<INPUT
    body {
        background-image: url('USER_SUPPLIED_VALUE');
    }
INPUT;
    // Escape for the CSS context before it reaches the <style> element
    $escaper = new Zend\Escaper\Escaper('utf-8');
    $output = $escaper->escapeCss($input);
    echo $output;
    ?>
    </style>
</head>
<body>
    <p>User controlled CSS needs to be properly escaped!</p>
</body>
</html>
```

By properly escaping user controlled CSS, we can prevent XSS attacks in our web
applications.
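As an added illustration (not code from zend-escaper or from this page), the following Python reimplements the escaping rule described above, alphanumerics kept and every other code point written as an uppercase hex escape followed by a space, together with the reverse decoding a CSS tokenizer applies, so you can check that the escaped text round-trips yet never contains the literal characters that could end a `<style>` element. The sample input is constructed for the demonstration.

```python
import re

# Constructed sample of the kind of user-supplied CSS the page warns about:
# it contains characters that, written raw, would close the <style> element.
SAMPLE_INPUT = "body { background-image: url('x.png?</style>'); }"


def escape_css(value: str) -> str:
    """CSS-context escaping: keep ASCII letters and digits, encode every
    other code point as backslash + uppercase hex + one space. The trailing
    space terminates the escape so a following hex-like character (e.g. 'b')
    is never swallowed into it."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%X " % ord(ch))
    return "".join(out)


# A CSS tokenizer reads 1-6 hex digits after a backslash and then consumes
# at most one whitespace character that follows them.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?")


def unescape_css(value: str) -> str:
    """Decode CSS hex escapes the way the browser's CSS parser does."""
    return _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def can_close_style_element(text: str) -> bool:
    """The HTML parser ends a <style> element at the literal text '</style'
    before any CSS parsing happens, so this is the check that matters for
    text interpolated inside <style>."""
    return "</style" in text.lower()


if __name__ == "__main__":
    escaped = escape_css(SAMPLE_INPUT)
    print(escaped)
    print("raw input can close <style>:", can_close_style_element(SAMPLE_INPUT))
    print("escaped can close <style>:  ", can_close_style_element(escaped))
    print("round-trips:", unescape_css(escaped) == SAMPLE_INPUT)
```

The escaped form is what the CSS parser decodes back to the original value, while the HTML parser never sees a raw `<`, `>`, `/` or quote.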