Reputation: 11763
I am building a web app to allow others to design their own pages. I am using PHP, MySQL.
I was wondering: is it SAFE to allow users to customize their pages by writing their own CSS code?
So I was thinking of a TEXTAREA field that they can then enter their CSS code in.
I am using PHP filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH); to filter the string before it's saved to my database.
So.... allow it or disallow?
Thanks!
Upvotes: 0
Views: 961
Reputation: 4841
It should generally be safe to allow users to enter their own CSS code for their sites. Browsers already implement their own user agent CSS to enforce a common styling on unstyled elements. (From the CSS2 specification: "a user agent's default style sheet should present the elements of the document language in ways that satisfy general presentation expectations for the document language".) Also, a large part of ensuring accessibility on a site is to allow custom user agent CSS.
Just because this likely can be safely done does not mean it should be, however. Any user could easily set the background image for an element to an inappropriate image on the web, for one example. Providing the ability to do this only opens the door for malicious attacks on your site and should be generally avoided in my opinion.
Upvotes: 2
Reputation: 272507
It's safe in the sense that users can override your CSS with their own anyway, with a browser plug-in and so on. Just make sure that one user can't affect the CSS for another user.
Use dedicated escaping functions to sanitise the data for your database, though, e.g. mysql_real_escape_string() for MySQL.
Upvotes: 3
Reputation: 2039
Sanitizing the code is the best practice.
To avoid IE holes, you can use the W3C validator to check the CSS syntax before saving.
http://jigsaw.w3.org/css-validator/api.html
Hope it helps. Ciao!
Upvotes: 1
Reputation: 318508
No.
IE allows you to include JavaScript files via CSS (behavior attribute) for example. However, if ONLY the user who entered the CSS code will ever see it, it's safe. If you restrict the allowed attributes it's also safe - but note that you have to restrict values too (again, thanks to IE, which allows dynamic values using JavaScript).
Upvotes: 3
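The last answer's condition (restrict the allowed properties, and restrict their values too) is the part people usually get wrong with a blocklist. The following is an added example, not code from any of the answers above or from the asker's application: a PHP allowlist filter that accepts only plain declarations, drops anything with function notation (so url(), expression() and similar never reach the stored stylesheet), and reports what it rejected so the user can be told why. The property list, the value pattern and the sample input are assumptions chosen for illustration; the output is meant to be wrapped server-side in a per-user selector so one user's rules cannot reach another user's page.

```php
<?php
// Added example (not from the answers above). Allowlist filter for user-supplied CSS.
// Assumption: the user submits bare declarations ("color: red; ..."), and the server
// wraps the accepted ones in its own per-user selector before serving them.

declare(strict_types=1);

// Illustrative allowlist of properties; extend deliberately, never by default.
const ALLOWED_PROPERTIES = [
    'color', 'background-color', 'font-family', 'font-size', 'font-weight',
    'text-align', 'margin', 'padding', 'border', 'border-radius', 'line-height',
];

// A value may contain only words, digits, units, hex colours, commas, spaces and
// quotes around font names. Parentheses are not allowed at all, which rejects
// url(), expression() and every other function notation in one rule.
const VALUE_PATTERN = '/^[A-Za-z0-9#%.,\- "\']+$/';

function sanitizeUserCss(string $input): array
{
    $clean = [];
    $rejected = [];

    // Remove comments first so "/* */" cannot be used to split or hide tokens.
    $input = preg_replace('#/\*.*?\*/#s', '', $input) ?? '';

    foreach (explode(';', $input) as $declaration) {
        $declaration = trim($declaration);
        if ($declaration === '') {
            continue;
        }
        // Split on the first colon only; values such as URLs may contain colons.
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            $rejected[] = $declaration;
            continue;
        }
        $property = strtolower(trim($parts[0]));
        $value = trim($parts[1]);

        if (!in_array($property, ALLOWED_PROPERTIES, true)
            || preg_match(VALUE_PATTERN, $value) !== 1) {
            $rejected[] = $declaration;
            continue;
        }
        $clean[] = $property . ': ' . $value;
    }

    return ['css' => implode('; ', $clean), 'rejected' => $rejected];
}

// Constructed sample input: harmless declarations mixed with the kinds of
// values the answers above warn about (behavior, expression(), url()).
$sample = "color: #336699; behavior: url(x.htc); width: expression(1);\n"
        . "background-image: url(http://example.invalid/a.png); "
        . "font-family: \"Open Sans\", sans-serif";

$result = sanitizeUserCss($sample);
echo "Accepted: " . $result['css'] . "\n";
echo "Rejected: " . implode(' | ', $result['rejected']) . "\n";
```

Two design points worth keeping in mind: the filter is an allowlist, so a property or value shape that nobody thought about is rejected rather than let through, and its output is not trusted for storage either; the accepted string should still go to MySQL through a prepared statement (PDO or mysqli) rather than through a string-cleaning function, since escaping for the database and filtering for the browser are separate problems.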