Is custom CSS loaded?

Is there anything complicated that someone can do with CSS loaded by the user to harm the site? If I wanted to allow users to upload / publish their own CSS themes to the site, is there anything I should look for or ban?

EDIT: suppose I know how to check if it is a valid CSS file, etc. I am looking for specific CSS exploits that I need to avoid.

+5
4 answers

Even if you parse the file for valid CSS, the hacker can still be evil using something like :before and :after. To ensure security, you will want to include a whitelist of a subset of CSS properties and selectors in your validation.

+2
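
An added example, not part of the original answers: one way to apply the allowlist idea from the answer above, written in Python. The property set, the regular expressions and the sample theme are assumptions chosen for illustration; the served stylesheet is rebuilt from accepted pieces instead of passing the upload through.

```python
import re

# Assumed policy for this example; widen it only as themes actually need.
ALLOWED_PROPERTIES = {"color", "background-color", "font-size", "font-weight",
                      "margin", "padding", "text-align"}
# Compound selector: optional tag name plus .class/#id parts. No ':' at all,
# so :before/:after and every other pseudo selector is refused.
COMPOUND = re.compile(r"(?:[a-z][a-z0-9]*)?(?:[.#][a-z_][a-z0-9_-]*)*", re.I)
# Values: keywords, numbers, units, hex colours. No parentheses, quotes or
# backslashes, so url(...) references (e.g. to .htc files) cannot pass.
VALUE = re.compile(r"[a-z0-9#%., -]+", re.I)
RULE = re.compile(r"([^{}]*)\{([^{}]*)\}")

# Constructed sample upload.
SAMPLE = """
/* constructed sample */
h1.title, .card { color: #333; font-size: 14px; behavior: url(x.htc) }
a:after { content: "x" }
p { margin: 0 }
"""


def selector_ok(selector):
    parts = selector.split()  # whitespace = descendant combinator
    return bool(parts) and all(COMPOUND.fullmatch(p) for p in parts)


def sanitize_css(css):
    """Return (clean_css, rejected): clean_css is rebuilt from allowlisted
    pieces only, rejected lists everything that was dropped."""
    css = re.sub(r"/\*.*?\*/", " ", css, flags=re.S)  # comments separate tokens
    clean, rejected = [], []
    for selectors, body in RULE.findall(css):
        sels = [s.strip() for s in selectors.split(",")]
        if not all(selector_ok(s) for s in sels):
            rejected.append(selectors.strip())  # fail closed: drop whole rule
            continue
        decls = []
        for decl in filter(str.strip, body.split(";")):
            prop, _, value = (x.strip() for x in decl.partition(":"))
            if prop.lower() in ALLOWED_PROPERTIES and VALUE.fullmatch(value):
                decls.append(f"{prop.lower()}: {value}")
            else:
                rejected.append(decl.strip())
        if decls:
            clean.append(f"{', '.join(sels)} {{ {'; '.join(decls)} }}")
    leftover = RULE.sub("", css).strip()  # at-rules, stray text, bad nesting
    if leftover:
        rejected.append(leftover)
    return "\n".join(clean), rejected
```

Store and serve only the first return value; the second is useful for telling the theme author what was dropped.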

I believe that standard CSS, parsed in a standard way, is safe. However, through various non-standard extensions, CSS is unsafe.

It is not just CSS that is unsafe: because some browsers ignore RFC 2616 and sniff the content type rather than respect the Content-Type header, some browsers can be tricked into embedding JavaScript hidden in static image files.


, , , cookie www. , , , .

+3

.htc, Javascript. .htc, Javascript CSS (). ( ), , / .

+2

, . - , CSS, , , - - java script .


, , , css, .

+1
