We would like to use custom fonts declared via the @font-face CSS directive defined in a <style> tag, but unfortunately the blockcerts.org certificate viewer seems to remove any <style> tags, even though the certificate HTML is placed inside a shadow DOM, and I believe all <style> tags are encapsulated in this case and do not affect the outer DOM. Is there any other reason for removing <style> tags? Or is there any alternative for loading custom fonts?
We are filtering out style tags to prevent possible XSS attacks:
If you look through this page: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and search for style, there are various cases that could open the door to such an attack. Since we don’t have control over the HTML injected into the verifier or its location, and it would be complicated to safeguard against all weaknesses in that code, it seems safer to just exclude the style tag.
I haven’t researched the possibility of loading custom fonts since we only rely on system fonts, so I don’t have anything to propose to you at this point. But I am not closed to the idea, we just need a clean way to do it.
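As an added illustration of the policy described in this reply (not the blockcerts verifier's own code): a pass that drops every `<style>` element from untrusted certificate HTML before it is placed in the viewer, following the HTML tokenizer's rules for the tag name (it ends at whitespace, `/` or `>`), handling upper/mixed-case names, attributes on the tag and unterminated blocks, and re-running until stable so that removing one element cannot splice a new `<style` together. It covers only style elements, as the reply does, not `style` attributes or `<link rel="stylesheet">`.

```javascript
// Added example, not part of the blockcerts code base.
// A <style> (raw-text) element starts at "<style" followed by whitespace,
// "/" or ">" (or end of input), and its content runs until the next
// "</style" followed by one of those characters, or end of input.
const NAME_END = /[\s\/>]/;

// True if html has "<style" (closing=false) or "</style" (closing=true)
// at index i, case-insensitively, terminated like a real tag name.
function isStyleTagAt(html, i, closing) {
  const prefix = closing ? "</style" : "<style";
  if (html.slice(i, i + prefix.length).toLowerCase() !== prefix) return false;
  const next = html[i + prefix.length];
  return next === undefined || NAME_END.test(next);
}

// Index of the "</style" end tag at or after `from`, or -1 if none.
function findStyleEnd(html, from) {
  for (let k = html.indexOf("<", from); k !== -1; k = html.indexOf("<", k + 1)) {
    if (isStyleTagAt(html, k, true)) return k;
  }
  return -1;
}

// One removal pass: copy everything except <style ...>...</style> elements.
function stripOnce(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) return out + html.slice(i);
    out += html.slice(i, lt);
    if (!isStyleTagAt(html, lt, false)) { out += "<"; i = lt + 1; continue; }
    const end = findStyleEnd(html, lt + 1);
    if (end === -1) return out;            // unterminated: the browser would treat the rest as CSS
    const gt = html.indexOf(">", end);     // resume after the end tag's ">"
    i = gt === -1 ? html.length : gt + 1;
  }
  return out;
}

// Repeat until nothing changes: each pass only removes text, so this terminates,
// and it prevents fragments on both sides of a removed element from forming "<style".
function stripStyleElements(html) {
  let prev;
  do { prev = html; html = stripOnce(html); } while (html !== prev);
  return html;
}

module.exports = { stripStyleElements };
```

A production viewer should apply the same rule on a parsed DOM rather than on the raw string, for example with DOMPurify and `FORBID_TAGS: ['style']`, so that the browser's own parser decides what is a tag.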