Stylish, yet vulnerable: CSS and security in Drupal 11

"Bleu de Sassenage" Hall Advanced Jeudi 14:45 - 15:25 (09/04/2026)

Warning: this session will be held from 15:10 to 15:30 (shared slot)

CSS is usually treated as “just styling.” However, documented security research shows that it can be leveraged as an attack vector under certain conditions. From CSS injection and data exfiltration techniques using attribute selectors and external resource loading, to the historical :visited history leak and CSP bypass scenarios, CSS has a non-trivial security footprint.

In Drupal 11, these risks intersect with real-world features:

  • Custom CSS capabilities (themes, contrib modules, layout tools)
  • CKEditor 5 and text format permissions
  • Asset libraries defined in *.libraries.yml
  • Content Security Policy configuration
  • Role and permission management

This session will break down realistic attack scenarios involving CSS in a Drupal environment, explain why they work, and outline concrete mitigation strategies. The goal is not fear, but clarity: understanding where the risks truly lie and how to address them responsibly.

Length of the session
20 min
Prerequisites (concepts or base knowledge expected to attend)

Required

  • Basic understanding of how CSS works (selectors, properties, external stylesheets)
  • General familiarity with Drupal site building concepts (themes, modules, permissions)
  • Awareness of common web security terms (e.g., XSS, CSP, injection), even at a high level

No deep security expertise is required.

Recommended (Helpful but Not Mandatory)

  • Experience working with Drupal themes or *.libraries.yml
  • Basic understanding of Content Security Policy (CSP)
  • Familiarity with Drupal text formats and role permissions
  • Some frontend development experience
What will the audience have learned after your session?

By the end of this session, attendees will:

  • Understand how CSS can be used as an attack vector
  • Recognize realistic CSS-related risks in Drupal 11
  • Identify misconfigurations that increase exposure
  • Apply concrete mitigation strategies
  • Improve collaboration between frontend, backend, and security teams
  • Leave with a practical hardening checklist for real-world projects
Langue de présentation
English

About the Speaker

Profile picture for user Nicoloye

Nicoloye

CTO at Smile

Grenoble, France

Nicolas is an active member of the French Drupal Association. He has joined the community in 2006 and is a Drupal enthusiast since then. He has participated in several community projects and initiatives. He is Chief Technology Officer at Smile. When he is not coding he likes any kind of game (board, card, tabletop roleplaying, etc) and spending some time with his cat.

Other sessions at the same time

Drupal et MCP : Modélisez et connectez vos contenus par l'IA

"Gratin Dauphinois" Hall | by Guillaume

Dompter le Refactoring

"Tarte aux noix" Hall | by nerea

Deploying more than 60 Drupal Websites for the French Ecological Transition Ministry (MTE) : innovation at scale over an 8-year period

"Bleu de Sassenage" Hall | by Audrey VL, "Bleu de Sassenage" Hall | by Sylvain Moreau

Belledonne Sponsors

logo ecedi

Vercors Sponsors

Logo Axess
Logo baksla.sh
Logo Bluedrop
Logo Code Enigma
Logo Koriolis
Logo Makina Corpus
Logo Sully