Listen to this Post
The vulnerability arises because PostCSS v8.5.5 does not escape the `
` sequence when stringifying CSS ASTs into CSS strings. When user‑submitted CSS is parsed (e.g., via postcss.parse()) and later re‑stringified (e.g., with ast.toResult().css), any `
` inside a CSS value – such as inside `content: “…”` – is output verbatim. If that resulting CSS is embedded directly into an HTML `
` as the closing tag of the style element. An attacker can craft CSS like body { content: "</style><script>alert(1)</script><style>"; }. After parsing and stringification, the output remains unchanged. When placed into <style>${output}</style>, the HTML becomes <style>body { content: "</style><script>alert(1)</script><style>"; }</style>. The `
` closes the style block early, allowing the `
