
Keylogging Users via Slack Themes - robbya
https://fletchto99.dev/2019/november/slack-vulnerability/
======
akersten
How is it possible to patch this while retaining the ability for users to make
custom themes? I'm genuinely curious what the right solution is. CSS is
practically a programming language at this point (isn't it Turing complete?)
so it seems hard (if not impossible) to accurately identify all of the
features that might constitute a vulnerability when the script is deliberately
loaded and run by a user.

Is there a way to tell a browser "this stylesheet can't make external
requests"? Are they manually parsing the stylesheet to look for the naughty
selector (on the textbox element, or on $=, etc.)?

Update: Oh, it looks like this is being entered via an input field in the
settings meant to specify a color code. So not actually a fully-fledged user
stylesheet. On that note, does Slack support those?

~~~
barryvan
The correct way to prevent this would be to constrain the input and validate
it on output -- so that users cannot enter anything that's not a hex value,
and Slack won't send back anything that's not a hex value in the theme. Even
limiting the length of the input (and output) would mitigate the issue to some
extent...
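The constrain-on-input, validate-on-output approach barryvan describes, as an added example written for this thread (not code from Slack or from the linked post). The theme property names and the CSS custom-property output format are assumptions; the point is that the colour value is checked on both sides and anything that is not a bare hex code is dropped rather than interpolated into the stylesheet.

```javascript
// Added example: strict theme-colour validation on the way in and again on
// the way out. Nothing here is Slack's own code; property names are made up.

// Accept only #rgb, #rgba, #rrggbb or #rrggbbaa. No spaces, no punctuation,
// no CSS syntax of any kind can pass this pattern.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// Assumed allowlist of theme slots a user may set (hypothetical names).
const THEME_PROPS = new Set(["column-bg", "menu-bg", "active-item", "text"]);

// Input side: normalise and constrain. Returns a canonical lowercase hex
// string, or null when the value is anything other than a plain colour code.
function parseThemeColor(raw) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value.length > 9) return null;      // length cap, as the thread suggests
  if (!HEX_COLOR.test(value)) return null;
  return value.toLowerCase();
}

// Output side: re-validate every stored value as it is written into the
// stylesheet. A bad value (or an unknown property) is skipped, never emitted.
function buildThemeCss(theme) {
  const rules = [];
  for (const [prop, raw] of Object.entries(theme)) {
    if (!THEME_PROPS.has(prop)) continue;
    const color = parseThemeColor(raw);
    if (color === null) continue;
    rules.push(`  --theme-${prop}: ${color};`);
  }
  return `:root {\n${rules.join("\n")}\n}`;
}

// Constructed sample theme: one good value, one non-colour, one unknown slot.
const sampleTheme = {
  "column-bg": "#1264A3",
  "text": "not-a-colour",
  "bogus": "#fff",
};

console.log(buildThemeCss(sampleTheme));
```

Validating on output matters because themes may already be stored from before the input check existed, or may arrive through another path (import, API, shared theme string); the renderer should not assume the database only holds clean values.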

