CSS Argument Vulnerable to XSS Injection
Issue Description
Diffoscope allows custom CSS to be loaded for an HTML report. While the HTML input appears to be properly escaped, the --css argument, which expects a URL, can be abused to insert custom JavaScript instead. For example, the following payload: --css "\"><svg/onload=alert(43433)>" results in an XSS vulnerability that executes an alert when the report is created.
Risk
XSS allows attackers to inject malicious scripts into a trusted differential report, with the usual consequences of XSS, e.g. reading sensitive data. Although the --css argument is typically under the user's own control, this assumption might not hold for all diffoscope use cases. For instance, a web service like try.diffoscope.org could, in the future, permit users to specify custom CSS, exposing the service to potential XSS attacks.
Mitigation
Ensure that inputs provided to the --css argument are validated as valid URLs, as specified in the --help documentation for --css.
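The following is an added illustration of the pattern described above, not diffoscope's own code: a link-tag builder that splices the --css value straight into an href attribute, beside a hardened version that first validates the value as a URL and then attribute-escapes it. The helper names are hypothetical, and the payload from the issue is reused only as a constructed test input.

```python
"""Illustrative example (not diffoscope's implementation) of the --css
injection and one way to close it with URL validation plus escaping."""
import html
from urllib.parse import urlparse

# The payload quoted in the issue, used here only as a constructed test input.
PAYLOAD = '"><svg/onload=alert(43433)>'


def css_link_unsafe(css):
    """Vulnerable pattern: the --css value is spliced directly into the
    href attribute, so a double quote in the value closes the attribute
    and everything after it is parsed as markup."""
    return '<link href="%s" type="text/css" rel="stylesheet" />' % css


def is_allowed_css_url(css):
    """Validate the value as the URL that --help promises: accept http(s)
    URLs with a host or a plain relative path, reject anything that cannot
    be a URL (quotes, angle brackets, control characters, other schemes)."""
    if any(c in css for c in '"\'<>') or any(ord(c) < 0x20 for c in css):
        return False
    parsed = urlparse(css)
    if parsed.scheme in ("http", "https"):
        return bool(parsed.netloc)
    # Relative path only; refuse protocol-relative (//host/...) values too.
    return parsed.scheme == "" and not css.startswith("//")


def css_link_safe(css):
    """Hardened pattern: validate first, then attribute-escape the value so
    even an accepted URL cannot break out of the href attribute."""
    if not is_allowed_css_url(css):
        raise ValueError("--css must be a URL, got %r" % css)
    return '<link href="%s" type="text/css" rel="stylesheet" />' % html.escape(css, quote=True)
```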