Allow users to customize web page

Question

I am on a project to provide a platform that will allow my users to write blog and customize the look of the page however they want it using just html and css. I will be using python/django. I am just concern as to how do I go forward with it. Will there be any security issues that I should be concerned about? If you could guide me on how to proceed I would be very grateful.

Answer 1

For starters, check this question. You will need to remove the tags (and attributes) that may create dangerous behaviours (like the script tag or the onload attribute). Give them fields to add their css and html(for this add a pretty wysiwyg editor like ckeditor, tinymce, etc.

In css, stripping html and removing urls should be enough (let me know if there is something additional on this part.). Put the css inside a tag in the head.

For html you should be adding the content inside with the safe filter {{content|safe}} after your mandatory content (if there is a global navbar, etc). Again, kill dangerous tags as soon as possible...script, iframe, etc.

With something like this, user should have control over the layout of their content and the style of that section of the site. This is assuming you want to have the same structure for all users (i.e. sidebar to the right showing the 3 latest entries).

If you want to give them some more customization, the easiest way (both for developers and users) is just show them a list of options (ie. sidebar can show n latest entries, it shows/hide blogger info, it does have social share options, blog entry has comments enabled, etc).