-prefix-free lets you use only unprefixed CSS properties everywhere. It works behind the scenes, adding the current browser’s prefix to any CSS code, only when it’s needed.
“[-prefix-free is] fantastic, top-notch work! Thank you for creating and sharing it.”
— Eric Meyer
Features:
- Processes linked stylesheets (<link> or <style> elements) and adds a vendor prefix where needed
- Processes inline styles (style attribute) and adds a vendor prefix where needed
- Processes dynamically added <link> or <style> elements, style attribute changes and CSSOM changes (requires plugin)
- Lets jQuery's .css() method get and set unprefixed properties (requires plugin)

Limitations:
- Prefixing code in @import-ed files is not supported
- Prefixing inline styles (style attribute) won't work in IE and Firefox < 3.6. Properties as well in Firefox < 3.6.

Check this page's stylesheet ;-)
You can also visit the Test Drive page, type in any code you want and check out how it would get prefixed for the current browser.
Just include prefixfree.js anywhere in your page. It is recommended to put it right after the stylesheets, to minimize FOUC (flash of unstyled content).
That’s it, you’re done!
The target browser support is IE9+, Opera 10+, Firefox 3.5+, Safari 4+ and Chrome on desktop and Mobile Safari, Android browser, Chrome and Opera Mobile on mobile.
If it doesn’t work in any of those, it’s a bug so please report it. Just before you do, please make sure that it’s not because the browser doesn’t support a CSS3 feature at all, even with a prefix.
In older browsers like IE8, nothing will break, just properties won’t get prefixed. Which wouldn’t be useful anyway as IE8 doesn’t support much CSS3 ;)
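As an added illustration (not -prefix-free's own code), here is a minimal model of the decision it makes per property: try the unprefixed name, then each vendor-prefixed variant, and leave the declaration alone when nothing matches, which is why an old browser sees unchanged rather than broken CSS. The browser's style object is replaced by a constructed set of supported camelCase names so the model runs outside a browser.

```javascript
// Added example, not -prefix-free's own code: a minimal model of the
// per-property decision a prefixer makes. The browser's style object is
// replaced by a constructed Set of the camelCase property names it supports.
const PREFIXES = ['Webkit', 'Moz', 'ms', 'O'];

// 'border-radius' -> 'borderRadius'
function toCamel(prop) {
  return prop.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
}

// Returns '' when the unprefixed property works, the CSS prefix (e.g.
// '-webkit-') when only a prefixed variant is supported, or null when the
// browser does not support the property at all.
function neededPrefix(prop, supported) {
  const camel = toCamel(prop);
  if (supported.has(camel)) return '';
  for (const p of PREFIXES) {
    if (supported.has(p + camel[0].toUpperCase() + camel.slice(1))) {
      return '-' + p.toLowerCase() + '-';
    }
  }
  return null;
}

// Rewrites the property names in a block of CSS text. Properties that need a
// prefix get it; unsupported ones are left untouched, so a browser such as
// IE8 simply ignores them instead of receiving broken CSS.
function prefixCSS(css, supported) {
  return css.replace(/(^|[{;]\s*)([a-z-]+)(\s*:)/g, (match, lead, prop, colon) => {
    const prefix = neededPrefix(prop, supported);
    return prefix ? lead + prefix + prop + colon : match;
  });
}

// Constructed "browser": unprefixed border-radius, WebKit-only transform and
// transition, and no column-count support at all.
const WEBKIT_ERA = new Set(['borderRadius', 'WebkitTransform', 'WebkitTransition']);

const SAMPLE = 'a { transform: rotate(10deg); border-radius: 4px; column-count: 2 }';
console.log(prefixCSS(SAMPLE, WEBKIT_ERA));
// -> a { -webkit-transform: rotate(10deg); border-radius: 4px; column-count: 2 }
```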
Test the prefixing that -prefix-free would do for this browser, by writing some CSS below:
Understanding CVE-2017-9841: The Persistent Threat of PHPUnit's eval-stdin.php

The string vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php refers to one of the most persistent and scanned-for security flaws in the PHP ecosystem: CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit, the standard testing framework for PHP applications. Despite being disclosed in 2017, it remains one of the most heavily scanned and actively exploited flaws on the web, and requests for this path continue to dominate malicious scanning logs.

Anatomy of the vulnerability

The flaw is located in vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The file originally consisted of a single line, designed to facilitate internal framework testing:

eval('?>' . file_get_contents('php://input'));

It reads the raw HTTP request body (php://input) and passes it straight to eval(), so any PHP code sent in the body is executed with the privileges of the web server process.

The attack vector

The script is only reachable when the vendor folder of a web application is publicly accessible from the internet. An attacker then sends a crafted HTTP POST request to eval-stdin.php whose body contains PHP code such as system("id"); or phpinfo();, and the server executes it. No authentication is required, which is why exploitation is trivial.

Why it is dangerous

Old applications, or those built on outdated PHP frameworks (older Laravel or Symfony releases, unmaintained WordPress plugins) that have not updated their dependencies, are highly exposed. Because most modern PHP applications use Composer to manage dependencies, the vendor folder is often deployed into the web root; if the web server is misconfigured to allow public access to the /vendor directory, the vulnerability becomes remotely exploitable. This combination of unauthenticated access, trivial exploitation and systemic deployment mistakes keeps the flaw relevant for security teams years after its disclosure.

Mitigation

Check whether PHPUnit is present in a deployment:

composer show phpunit/phpunit

PHPUnit is a development dependency, so use the --no-dev flag when installing dependencies on a production server:

composer install --no-dev

Configure the web server (Nginx/Apache) so that the /vendor directory is never served to the public.
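Added detection example, written for this page and not taken from it or from PHPUnit: scan web server access-log lines for requests aimed at the eval-stdin.php path and separate refused probes from requests the server actually answered. The log lines are constructed for the example.

```javascript
// Added defender-side example, not from the page or from PHPUnit: flag
// requests to the CVE-2017-9841 file path in a web server access log.
// The log lines below are constructed for the example (common log format).
const LOG_LINES = [
  '203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/May/2024:10:01:07 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153',
  '198.51.100.7 - - [10/May/2024:10:02:11 +0000] "POST /wp-content/plugins/foo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 87',
  '203.0.113.9 - - [10/May/2024:10:02:30 +0000] "GET /vendor/phpunit/phpunit/build.xml HTTP/1.1" 403 0',
];

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
// The vulnerable file can sit under any vendor directory (a plugin's, a
// framework's), so match the tail of the path, case-insensitively.
const PROBE_RE = /\/vendor\/phpunit\/phpunit\/src\/util\/php\/eval-stdin\.php$/i;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split('?')[0], status: Number(m[5]) };
}

// 'none'  : not aimed at eval-stdin.php
// 'probe' : aimed at it, but the server refused (403/404/...): scanning only
// 'hit'   : the server answered 200, so the file is reachable; a POST means
//           the request body was handed to eval(), treat it as an incident
function classify(req) {
  if (!PROBE_RE.test(req.path)) return 'none';
  return req.status === 200 ? 'hit' : 'probe';
}

function scan(lines) {
  const findings = { probes: [], hits: [] };
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue; // skip malformed lines rather than abort the scan
    const verdict = classify(req);
    if (verdict === 'probe') findings.probes.push(req);
    else if (verdict === 'hit') findings.hits.push(req);
  }
  return findings;
}

const result = scan(LOG_LINES);
console.log(`probes: ${result.probes.length}, hits: ${result.hits.length}`);
for (const r of result.hits) console.log(`HIT ${r.ip} ${r.method} ${r.path} at ${r.time}`);
```

A refused probe is evidence of scanning and a reason to verify the /vendor block is in place; a 200 response is evidence the file is exposed and calls for incident response on that host.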
Extra code on top of -prefix-free that makes it more flexible, integrates it with different APIs, etc.
Originally a part of -prefix-free, it’s now a separate plugin. It makes -prefix-free take care of:
- <link> and <style> elements added to the document afterwards
- style attributes added to the document afterwards
- style attribute changes through setAttribute() (except in Webkit)
- CSSOM changes, e.g. element.style.transform = 'rotate(10deg)';

Limitations:
- style attribute modifications will not work in Webkit
- Setting properties through the CSSOM, e.g. element.style.transform = 'rotate(5deg)';, will not work in Chrome (reading will)
Get the Dynamic DOM plugin now:
A tiny plugin (I didn’t even bother minifying it as it’s so small) that lets you set/get unprefixed CSS properties through jQuery's .css method.
Get the jQuery plugin now:
A static polyfill for the new vw, vh, vmin, vmax units.
Enables rudimentary CSS variables support.