Marc Portier wrote:
>
>
> No pro, actually I already found out about the fact that the
> image() inside css was the real trigger, so I actually hacked it
> up like this for the moment:
>
> inline-group {
> background-color: #eeeeee;
> content: " to select @src right-click: " image(attr(src), 20, 20);
> }
> inline-group:before {
> content: "<inline-group src=\"" attr(src) "\" />";
> color: #296D94;
> font-family: monospace;
> }
>
> which displays the broken image for the moment, but I can live
> with this.
>
> I presume this approach will trigger more error-handling inside
> xxe (since the src will not point to images) but it doesn't seem
> to affect performance ATM.
No. What you did is a good idea and is totally harmless for XXE in terms
of error handling and performance.