Is it a bad idea to let users add their own stylesheet?

I am new to PHP and I am trying to understand whether this is a bad idea or a security risk.

I have a data sheet that I provide to the user. It has a default stylesheet that it loads, but if the user wants to include their own, I made it so that they can just point to the stylesheet:

http://www.mysite.com/info.php?css=http://www.someothersite.com/mystylesheet.css 

I tried to add closing style and javascript tags in the css file, but the DOM seems to just load it as CSS, which it cannot handle.

I have never seen any other site allow this method of adding stylesheets, so is this a good idea or a bad idea? I thought I could upload a script file and look for keywords used in javascript, but with my testing, I'm not sure if I need to do this.


Update: I am adding CSS as follows:

 <link href="<?php echo (isset($_GET['css'])) ? $_GET['css'] : 'default.css'; ?>" rel="stylesheet" type="text/css" /> 
+4
4 answers

As long as the stylesheet is used for their own account, and not for someone else, I would let them do it. However, since it can be used to capture someone's session (if they don't log out), I need a user password to change the stylesheet. I would also force it to be stored locally.

Without a password, all the hijacker needs is:

 #selector:before { content: expression(getCookie('phpsessid')); } 

Obviously, if you don't have a function called getCookie, then they will need to do more work, but it's still too easy for them to get cookie data. This is why password protection is required for a custom style sheet.

If you do not specify a field for each user and use the $_GET['css'] route, remember that it would be trivial to redirect the user from an external site (for example, MySpace) to your page using the route to a malicious CSS file to attack theft. If there is no authentication that protects the CSS file change, which should be password protected even when logging in, then your software is very, very vulnerable.

+8

Yes.

Bad idea.

What others said is absolutely correct, but a very important additional point is that if ANYONE, besides the user updating css EVER, views their css, then this user can execute any javascript that they want, in the context of the user viewing his pages. In the worst case, when a user refreshes his own page with malicious xss, you browse your page (register as administrator), the user steals your password and logs in when you take over the site.

Depending on what other security issues on your site are stored in cross-site scripts, for example, this can lead to an XSS worm, like the MySpace Samy worm.

Here's a decent link about some CSS-xss variations, http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/

+3

It seems that XSS and supposedly clickjacking can be done via CSS. You must be sure that the CSS URL cannot be set using a CSRF attack.

If your server makes a request to download the source CSS file, you can not worry about this outgoing (or possibly local) connection. If the client does this, then you may need to leak information in the URL (fortunately, URL rewriting sessions are no longer popular).

+2

It depends on how it is used. If one user can see your site using a different stylesheet, then you are setting yourself up for abuse.

0
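
A hardened counterpart to the `<link>` tag in the question, following the advice in the answers above: the stylesheet is stored locally per account, and changing it requires the account password and cannot be triggered cross-site. This is an added example, not code from the original posts; `USER_CSS_DIR`, `stylesheet_href()`, `may_change_stylesheet()` and the layout of the `$user` and `$session` arrays are assumptions.

```php
<?php
// Added example. USER_CSS_DIR and both function names are hypothetical.
const USER_CSS_DIR = __DIR__ . '/user_css'; // assumed folder of locally stored stylesheets

// The question echoes $_GET['css'] straight into href, so whoever crafts the
// link decides which stylesheet the visitor loads. Here the value comes only
// from the logged-in user's own account record.
function stylesheet_href(array $user): string
{
    $file = $user['css_file'] ?? '';
    // Accept a bare local file name only: no scheme, host, path or query.
    if (is_string($file)
        && preg_match('/\A[a-z0-9_-]{1,64}\.css\z/i', $file)
        && is_file(USER_CSS_DIR . '/' . $file)) {
        return 'user_css/' . $file;
    }
    return 'default.css';
}

// A stylesheet change needs a valid CSRF token and the account password,
// even when the user is already logged in.
function may_change_stylesheet(array $user, array $post, array $session): bool
{
    $token = $session['csrf_token'] ?? '';
    $sent  = $post['csrf_token'] ?? '';
    if (!is_string($token) || $token === '' || !is_string($sent)
        || !hash_equals($token, $sent)) {
        return false;
    }
    $password = $post['password'] ?? '';
    return is_string($password)
        && password_verify($password, $user['password_hash']);
}

// Constructed sample data: an account record holding the external URL from the question.
$user = [
    'css_file'      => 'http://www.someothersite.com/mystylesheet.css',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];
$session = ['csrf_token' => bin2hex(random_bytes(16))];

// Escape on output so the value can never break out of the href attribute.
echo '<link href="' . htmlspecialchars(stylesheet_href($user), ENT_QUOTES, 'UTF-8')
    . '" rel="stylesheet" type="text/css" />', "\n";

// Request without a CSRF token, then one carrying both token and password.
var_dump(may_change_stylesheet($user, ['password' => 'correct horse'], $session));
var_dump(may_change_stylesheet($user, ['password' => 'correct horse',
    'csrf_token' => $session['csrf_token']], $session));
```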
