detail
less & sass suddenly came to my mind when researching about of css injection attacks. you know, both are css pre-processor so i think they don’t support any client-based operation. it is a mistake…
i saw less.js when visiting http://lesscss.org/ page. less.js provides interpreting javascript code with backtick char in less code. so dom-based xss vulnerability arises at this point.
i published it on twitter as the new attack vector for less.
shortening
also thanks to rakesh mane for the shortening!
payloads
`less.js` includes the regex pattern for the `type` attribute of the style element.
var t=/^text/(x-)?less$/;
so it is supporting these payloads: