user3314178

Reputation: 51

Security issues with user-supplied CSS?

I am not very good at putting on my "black hat" and figuring out what a nefarious user might be able to do with a certain type of open door. I'm working on an app that is planned to have such a door and would like some help figuring out how to protect it.

Imagine a site that is a distant cousin to WordPress. It is a content creation and hosting site for specific vertical markets with features to make it more appealing to those markets (compared to the many existing more general alternatives).

On such a site you want to enable the users to cook up their own look and feel for their content. I'm planning a sort of 3-tiered approach to that: 1) provide some selectable "templates" to choose between, 2) provide specific points of additional adjustability (viz. select background color, font-family, etc.) and 3) as a backup for the truly format-obsessed customers, the ability to supply a CSS file for use on their pages.

It is the security hole(s) that might be created by this last item that I would like some help with. First and foremost, what sorts of nefarious things can a black hat accomplish from unfettered access to such a door? Is there anything they could do there that would adversely affect any pages that don't specifically include that CSS? Is there anything they could do through malicious CSS to gain some sort of system access? Is there any standard way of filtering user-supplied CSS to prevent (most of) these exploits?

Thanks much!

Upvotes: 4

Views: 1082

Answers (2)

James Mason

Reputation: 4296

Unless you're doing some sort of preprocessing (LESS, SASS, etc.), there should be no risk to your server. The risk is that your users could modify the page in ways you weren't expecting.

Will your site contain any content that users aren't allowed to modify? Maybe a unified toolbar at the top where any user can sign in to their dashboard? A user could modify the CSS on their page to create a phishing attack for other users of the system.

Are you going to put ads on the page? A user could modify the CSS to direct any ad clicks to their own destination.

If any of the content on the page is outside of your users' control, you probably shouldn't let them upload custom CSS.

If the entire page can be controlled by the user (like in a custom site hosting environment), then custom CSS should be fine.

Upvotes: 1

Cisum Inas

Reputation: 12990

Do not allow them to upload anything of the sort; give them a user interface to modify their look and feel. This way you are limiting the damage they can do.

Upvotes: 0
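
On the question's last point (filtering user-supplied CSS) and the risk raised above of user styles reaching page content outside the user's control, one conservative approach is a reject-on-doubt allowlist that also confines every rule to the user's own container. This is an added example, not code from the thread and not a standard; the `.user-content` wrapper, the property list and both regexes are assumptions chosen for the sketch.

```javascript
// Added example, not from the original thread: reject-on-doubt CSS allowlist.
// SCOPE, ALLOWED_PROPS and both regexes are assumptions chosen for this sketch.
const SCOPE = ".user-content"; // hypothetical wrapper around the user's own markup
const ALLOWED_PROPS = new Set([
  "color", "background-color", "font-family", "font-size", "font-weight",
  "font-style", "line-height", "text-align", "text-decoration",
  "padding", "border", "border-radius",
]); // no position/z-index/margin/content: nothing that can cover site chrome
// Tags, classes, ids, descendant and child combinators only (no ~ + : [ ] *).
const SELECTOR_RE = /^[a-zA-Z0-9_.#> -]+$/;
// No parentheses, quotes, backslashes or "!": rules out url(), escapes, !important.
const VALUE_RE = /^[a-zA-Z0-9#%., -]+$/;

function sanitizeCss(input) {
  if (typeof input !== "string" || input.length > 20000) {
    throw new Error("stylesheet missing or too large");
  }
  const chunks = input.split("}");
  // Anything after the last "}" (e.g. a bare @import) is outside a rule.
  if (chunks.pop().trim() !== "") throw new Error("text outside a rule");
  const rules = [];
  for (const chunk of chunks) {
    const parts = chunk.split("{");
    // More than one "{" means nesting (@media, @font-face, ...): reject.
    if (parts.length !== 2) throw new Error("malformed or nested rule");
    const selectors = parts[0].split(",").map((s) => {
      const sel = s.trim().replace(/\s+/g, " ");
      if (!SELECTOR_RE.test(sel)) throw new Error(`selector rejected: ${sel}`);
      return `${SCOPE} ${sel}`; // confine the rule to the user's container
    });
    const decls = [];
    for (const raw of parts[1].split(";")) {
      if (raw.trim() === "") continue;
      const i = raw.indexOf(":");
      const prop = raw.slice(0, i).trim().toLowerCase();
      const value = raw.slice(i + 1).trim().replace(/\s+/g, " ");
      if (i < 0 || !ALLOWED_PROPS.has(prop)) throw new Error(`property rejected: ${prop}`);
      if (!VALUE_RE.test(value)) throw new Error(`value rejected: ${prop}`);
      decls.push(`${prop}: ${value}`);
    }
    rules.push(`${selectors.join(", ")} { ${decls.join("; ")} }`);
  }
  return rules.join("\n");
}
```

Anything the filter does not recognise is refused outright rather than repaired, so the user gets an error instead of a silently altered stylesheet.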
