Check whether a CSS property value contains dangerous patterns that could enable script execution or external resource loading.

The value is first normalized via normalizeCssValue() to resolve CSS escapes and comments, then checked against a blocklist:

  url()         -- blocks all URL-based loading (images, fonts, cursors), because even image URLs can leak data or trigger requests
  expression()  -- blocks IE's CSS expression evaluation
  -moz-binding  -- blocks Firefox XBL binding injection
  behavior:     -- blocks IE behavior attachment
  @import       -- blocks external stylesheet loading

Parameter: The CSS property value to check.

Returns: true if the value contains a dangerous pattern and should be removed.
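The normalize-then-blocklist check described above, as an added example that is not the project's own code. The names isDangerousCssValue and DANGEROUS_PATTERNS are assumed, and normalizeCssValue() is an assumed implementation that strips comments and resolves CSS escapes, since the page does not show its body.

```javascript
// Added example, not the project's code. Assumed names throughout.

// Blocklist from the entry above. Whitespace between a keyword and "(" or ":"
// is tolerated because CSS parsers tolerate it too.
const DANGEROUS_PATTERNS = [
  /url\s*\(/i,         // any URL-based loading (images, fonts, cursors)
  /expression\s*\(/i,  // IE CSS expression evaluation
  /-moz-binding/i,     // Firefox XBL binding injection
  /behavior\s*:/i,     // IE behavior attachment
  /@import/i,          // external stylesheet loading
];

// Assumed implementation of normalizeCssValue(): comments are removed first
// (they can split a keyword, e.g. "ur/**/l("), then CSS escapes are resolved
// so that "\75rl(" becomes "url(". Finally whitespace is collapsed.
function normalizeCssValue(value) {
  let out = value.replace(/\/\*[\s\S]*?\*\//g, "");
  // Hex escape: backslash, 1-6 hex digits, optional single whitespace char.
  // Code point 0 or above U+10FFFF is replaced per the CSS Syntax spec.
  out = out.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?/g, (_, hex) => {
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
  // Remaining simple escapes such as "\:" or "\u" resolve to the literal char.
  out = out.replace(/\\(.)/g, "$1");
  return out.replace(/\s+/g, " ").trim();
}

// Returns true when the declaration value must be dropped.
function isDangerousCssValue(value) {
  const normalized = normalizeCssValue(value);
  return DANGEROUS_PATTERNS.some((re) => re.test(normalized));
}

// Constructed sample values: safe declarations beside obfuscated ones that
// the normalization step is meant to expose.
const SAMPLES = ["red", "1px solid #333", "url(https://example.test/x.png)",
  "\\75rl(x)", "ur/**/l(x)", "behavior: url(x.htc)"];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), "->", isDangerousCssValue(v) ? "REMOVE" : "keep");
}
```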