XSS attack vector at "style" context for LESS.js


LESS & SASS suddenly came to my mind while I was researching CSS injection attacks. You know, both are CSS pre-processors, so I thought they didn't support any client-side operation. That was a mistake...

I saw less.js when visiting the http://lesscss.org/ page. less.js evaluates JavaScript code enclosed in backtick characters inside LESS code, so a DOM-based XSS vulnerability arises at this point.

I published it on Twitter as a new attack vector for LESS.


Also thanks to Rakesh Mane for the shortening!


less.js includes a regex pattern that it matches against the type attribute of style elements.

var t=/^text\/(x-)?less$/;

So it supports these payloads:

<style type='text/less'>x{x:`alert(1)`}</style>
<style type='text/x-less'>x{x:`alert(1)`}</style>
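
A defensive check for the behaviour described above, as an added example that is not from the original post or from less.js: it scans HTML for style blocks whose type matches the quoted pattern and whose body contains backtick expressions. The function name `findLessJsEval`, the helper regexes and the sample input are assumptions made for illustration.

```javascript
// Added example (hypothetical names): flag <style> blocks that less.js would
// compile and that carry backtick-delimited JavaScript.

// Same pattern less.js applies to the type attribute (quoted on this page).
const LESS_TYPE = /^text\/(x-)?less$/;

// Approximate matchers for review tooling; a production sanitizer should
// walk a real HTML parse tree instead of using regexes.
const STYLE_BLOCK = /<style\b([^>]*)>([\s\S]*?)<\/style\s*>/gi;
const TYPE_ATTR = /(?:^|\s)type\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
const BACKTICK_EXPR = /`[^`]*`/g;

function findLessJsEval(html) {
  const findings = [];
  for (const m of html.matchAll(STYLE_BLOCK)) {
    const attr = TYPE_ATTR.exec(m[1]);
    if (!attr) continue; // no type attribute: plain CSS, the pattern cannot match
    const type = attr[1] ?? attr[2] ?? attr[3];
    if (!LESS_TYPE.test(type)) continue; // e.g. text/css is never compiled as LESS
    const expressions = m[2].match(BACKTICK_EXPR) || [];
    if (expressions.length > 0) {
      findings.push({ type, offset: m.index, expressions });
    }
  }
  return findings;
}

// Constructed sample: markup as a sanitizer or template review might receive it.
// The two flagged entries are the payloads already shown on this page.
const SAMPLE = [
  "<style>b{color:red}</style>",
  "<style type='text/css'>a{content:'`x`'}</style>",
  "<style type='text/less'>x{x:`alert(1)`}</style>",
  '<style type="text/x-less">@c: #fff; y{color:@c}</style>',
  "<style type='text/x-less'>x{x:`alert(1)`}</style>",
].join("\n");

for (const f of findLessJsEval(SAMPLE)) {
  console.log(`offset ${f.offset}: type=${f.type} evaluates ${f.expressions.join(", ")}`);
}
```

Run it over user-supplied markup before it reaches a page that loads less.js. Less 3.0 and later also turn inline JavaScript evaluation off by default through the `javascriptEnabled` option.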