Reputation: 3939
Before asking, I was here on SO: Coldfusion: What are security issues that can occur if I allow users to upload .css and .js files to my site, but that talks about JS.
In the first place I talk/ask about CSS, SASS, SCSS only. Is there a security problem if I allow users to upload (template-like) CSS
for themselves
for others, if they make the template public (not talking about ugly or porn backgrounds, that's another story)
and if so, what do I have to check?
Or just: better not?
(Side note: trusted users will be allowed to contribute even more complex templates, with .rb, .js, .haml, but these will step through clearing and deployment steps ... For CSS alone I am not sure.)
Upvotes: 0
Views: 243
Reputation: 3939
Based on @wireghoul's answer:
CSS files can execute JavaScript (persistent XSS)
I found a useful link for others probably looking at my question, that shows: "it is not the best idea to let users upload CSS w/o whitelisted control."
... and learned that there is a better place to ask my question:
that explains the close-question request in my question.
Upvotes: 0
Reputation: 121
While a lot of the security around file uploads is implementation specific (for example, could I find a way to trick your CSS validation into accepting a PHP file?), there are a few concerns assuming your implementation is solid:
1) CSS files can execute JavaScript (persistent XSS), which could be used to upload a malicious file as a trusted user when they view a page containing the malicious CSS.
2) CSS files can completely rewrite the way a website displays and could be used to replace legitimate content with offensive images, for example.
Serving user-supplied content can be made safer by serving it from a separate (sub)domain and setting appropriate security headers for your website.
Upvotes: 1
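The "whitelisted control" the question and answer converge on can be sketched as a declaration-level allowlist check. The following is an added example written for this page, not code from the question's site or from the answerer; it is Ruby because the asker mentions .rb templates. The property allowlist, the selector grammar and the helper names (validate_css, safe_css?) are illustrative choices of this example. It strips comments first (so exp/**/ression( is still caught), rejects every at-rule and every url() rather than trying to classify them, and rejects backslash escapes, since a CSS escape such as \65 xpression can hide a forbidden keyword from a naive keyword filter.

```ruby
# Allowlist validator for user-uploaded CSS (added example, not the site's code).
# Assumptions: the property list is illustrative; selectors are limited to a
# small character set; at-rules (@import, @font-face, ...) and url() values are
# rejected outright, because both let a stylesheet fetch remote resources.

ALLOWED_PROPERTIES = %w[
  color background-color font-family font-size font-weight font-style
  line-height text-align text-decoration margin margin-top margin-right
  margin-bottom margin-left padding padding-top padding-right padding-bottom
  padding-left border border-radius width max-width height display
].freeze

# Element names, classes, ids, combinators, simple pseudo-classes. Attribute
# selectors, escapes and anything else are rejected.
SELECTOR_RE = /\A[a-zA-Z0-9_.#:>,\s-]+\z/

# Value patterns that are unsafe whatever the property is.
FORBIDDEN_VALUE_RE = /
  \\                 # any CSS escape: \65 xpression hides "expression"
  | expression\s*\(  # legacy IE expression(): evaluates JavaScript
  | -moz-binding     # legacy Firefox XBL binding: loads script
  | url\s*\(         # remote fetch: tracking, data: URIs, attribute exfiltration
  | @                # @import and friends smuggled into a value
  | [<>]             # nothing that looks like markup
/ix

# Comments go first: "exp/**/ression(" is expression() once they are gone.
def strip_comments(css)
  css.gsub(%r{/\*.*?\*/}m, '')
end

# Returns a list of human-readable problems; an empty list means the sheet passed.
def validate_css(css)
  errors = []
  body = strip_comments(css)
  return ['at-rules (@import, @font-face, ...) are not allowed'] if body.include?('@')

  # Consume every "selector { declarations }" block; whatever is left over is
  # text the grammar does not cover (stray braces, markup, ...) and fails the sheet.
  rest = body.gsub(/([^{}]*)\{([^{}]*)\}/m) do
    selector = Regexp.last_match(1).strip
    errors << "bad selector: #{selector.inspect}" unless selector.match?(SELECTOR_RE)
    Regexp.last_match(2).split(';').each do |decl|
      next if decl.strip.empty?
      prop, value = decl.split(':', 2)
      if value.nil?
        errors << "malformed declaration: #{decl.strip.inspect}"
        next
      end
      prop = prop.strip.downcase
      value = value.strip
      errors << "property not allowed: #{prop}" unless ALLOWED_PROPERTIES.include?(prop)
      errors << "unsafe value in #{prop}: #{value.inspect}" if value.match?(FORBIDDEN_VALUE_RE)
    end
    '' # block consumed
  end
  errors << "unparsed text: #{rest.strip.inspect}" unless rest.strip.empty?
  errors
end

def safe_css?(css)
  validate_css(css).empty?
end

# Constructed sample sheets for a quick run of the checker.
SAMPLE_SAFE_CSS = "body { color: #333; font-family: Georgia, serif; }\n" \
                  ".note { margin: 1em 0; border-radius: 4px; }"
SAMPLE_BAD_CSS = [
  'body { background-image: url(http://evil.example/track.png) }',
  'div { width: exp/**/ression(alert(1)) }',
  '@import url(http://evil.example/x.css);',
  "div { color: \\65 xpression(alert(1)) }",
  'body { color: red } </style><script>alert(1)</script>',
  'a[href^=http] { color: red }'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "safe sheet: #{validate_css(SAMPLE_SAFE_CSS).inspect}"
  SAMPLE_BAD_CSS.each { |css| puts "#{css.inspect} -> #{validate_css(css).inspect}" }
end
```

Rejecting rather than repairing keeps the check simple to reason about: anything the tiny grammar does not understand fails, so a validation bypass needs a construct the grammar accepts and the browser interprets differently. The check is only half of the answer's advice; the uploaded sheet should also be served from a separate origin with `Content-Type: text/css` and `X-Content-Type-Options: nosniff`, so that a file that slipped through is never interpreted as HTML or script on the main site.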