Monday, February 1

Notes: Mathias Bynens: 3.14 Things You Didn't Know About CSS (Updated) - CSSConf.Asia 2015



!important
!important has nothing to do with specificity. To fake !important, you can repeat the same class multiple times in a selector.

Font Family
Font family names that contain white space do not need quotes.
Font family names beginning with an integer are not correct; however, you can fix this by quoting such family names.

Attribute Values
Attribute values are usually quoted. In HTML, quotes around attribute values are not necessary; in CSS, however, you may need them. So the best practice is to always use quotes.

CSS comments
CSS does not have single-line comments. However, for identifiers, if you give invalid text, spelling mistakes, etc., it will be considered invalid, but there will not be any parsing error.

HTML tags
You can omit closing tags in HTML and it is still valid. You can also omit the head and body tags and it will still be valid HTML.

Using CSS without HTML - Refer nojs.css
We can use body, head, before, after, etc., which are not part of the HTML. To display some text, you can use the CSS content property.

Unicode in HTML and CSS
Every possible Unicode value is valid in class and ID names in HTML. An ID must not contain white space. Examples of valid classes and IDs:

<div id="#id">Good luck styling me!</div>

<div class=".class">heh</div>

<div id="#id.class:hover{}">huh</div>

<div id="[attr='value']">not</div>


However, how would you style these in CSS? In CSS, you need to escape the special characters.
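The escaping step described above, as an added example that is not from the talk or from these notes. It follows the CSSOM "serialize an identifier" rules that browsers expose as CSS.escape(); the names cssEscape and selectorFor are hypothetical, and the sample values are the ids and classes from the markup above plus one constructed class name.

```javascript
// Added example: escape a string so it can be used as a CSS identifier.
// Follows the CSSOM "serialize an identifier" rules (what CSS.escape() does
// in browsers). cssEscape and selectorFor are hypothetical names.
function cssEscape(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    const isDigit = code >= 0x30 && code <= 0x39;
    if (code === 0x0000) {
      out += "\uFFFD"; // NULL becomes the replacement character
    } else if (
      (code >= 0x01 && code <= 0x1f) || code === 0x7f ||
      (i === 0 && isDigit) ||
      (i === 1 && isDigit && s[0] === "-")
    ) {
      // Control characters and leading digits: hex escape plus a space
      out += "\\" + code.toString(16) + " ";
    } else if (i === 0 && ch === "-" && s.length === 1) {
      out += "\\-"; // a lone "-" is not a valid identifier
    } else if (code >= 0x80 || /[-_0-9A-Za-z]/.test(ch)) {
      out += ch; // safe as-is
    } else {
      out += "\\" + ch; // any other ASCII character: backslash escape
    }
  }
  return out;
}

// Build a selector for an id or class value that may contain any character,
// including untrusted input that must not break out of the selector.
function selectorFor(kind, value) {
  const prefix = kind === "id" ? "#" : ".";
  return prefix + cssEscape(value);
}

// Sample input: ids and classes from the markup above; "1st" is constructed.
const samples = [
  ["id", "#id"], ["class", ".class"],
  ["id", "#id.class:hover{}"], ["id", "[attr='value']"], ["class", "1st"],
];
for (const [kind, value] of samples) {
  console.log(JSON.stringify(value), "->", selectorFor(kind, value));
}
```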


XSS - Cross site scripting
XSS means executing custom JavaScript code. If you have control over the CSS of a website, it is possible to do all sorts of things, like hurting the performance of the website, inserting your own content, etc.

How to avoid CSS expression vulnerabilities?
1) Sanitize user input before injecting it into a CSS context
2) Disallow framing using the HTTP header
X-Frame-Options: DENY
3) use
