Is there a security risk if I allow the user to add CSS?

Is it safe to allow the user to add their own CSS rules to their personal page in a (e.g.) social website?

+4
3 answers

Not safe. There are several ways to embed JavaScript in CSS so that it can be executed by at least some browsers. Google "XSS CSS" and browse the best hits.

Do not do this unless you want to do hardcore CSS sanitization and clean up the mess when your sanitizer inevitably gets bypassed and your users' cookies are at risk.

+12

Allowing CSS to be entered as free text (or uploaded as a file) can lead to security problems. It might be safer to give users a control panel that lets them customize the appearance (within certain restrictions; it may not be possible to build a form that lets them customize EVERYthing) and to implement the customization using CSS while saving their settings as values in a structured set of database tables.

+2
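The structured-settings approach this answer recommends, as an added example that is not the answer author's code: a constructed Python allowlist accepts only named properties with validated values and emits a stylesheet scoped to one container, so no free-text CSS ever reaches the page. The selector name, the property set and the value ranges are assumptions.

```python
import re

# Constructed allowlist (assumption): the only properties a user may set,
# each paired with the validator its value must pass. Anything else is
# rejected outright instead of being "cleaned".
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")
LENGTH_PX = re.compile(r"(?:[0-9]|[1-9][0-9]|[1-4][0-9]{2}|500)px")  # 0..500px
FONT_FAMILIES = {"sans-serif", "serif", "monospace"}

# fullmatch (not match) so a trailing "}" or newline cannot slip past "$".
ALLOWED_PROPERTIES = {
    "background-color": HEX_COLOR.fullmatch,
    "color": HEX_COLOR.fullmatch,
    "border-color": HEX_COLOR.fullmatch,
    "border-radius": LENGTH_PX.fullmatch,
    "font-family": FONT_FAMILIES.__contains__,
}

# Every emitted rule is scoped to the profile container (assumed selector)
# so user choices cannot restyle the rest of the site.
SCOPE = ".user-profile"


class InvalidSetting(ValueError):
    """Raised for an unknown property or a value that fails its validator."""


def validate_settings(settings):
    """Return only allowlisted property -> value pairs; raise on anything else."""
    clean = {}
    for prop, value in settings.items():
        validator = ALLOWED_PROPERTIES.get(prop)
        if validator is None:
            raise InvalidSetting(f"property not allowed: {prop!r}")
        if not isinstance(value, str) or not validator(value):
            raise InvalidSetting(f"bad value for {prop}: {value!r}")
        clean[prop] = value
    return clean


def settings_ok(settings):
    """True if the stored settings would be accepted, False otherwise."""
    try:
        validate_settings(settings)
        return True
    except InvalidSetting:
        return False


def render_user_css(settings):
    """Build the stylesheet from validated settings; the text is generated
    from the allowlist, so no user-supplied string is copied in unchecked."""
    clean = validate_settings(settings)
    body = "".join(f"  {prop}: {value};\n" for prop, value in sorted(clean.items()))
    return f"{SCOPE} {{\n{body}}}\n"
```

Store the validated dict in the database, not the rendered CSS, so the allowlist can be tightened later and every profile re-rendered from the same structured data.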

I think someone answered this question before.

History lesson: MySpace allowed customization of CSS and scripts. For those of you who did not hang out on the Internet in 2003 or so, this was a serious security risk. Later, the mass of user-created CSS, which was the selling point, became a serious burden on the platform, as many changes and improvements could not be made, since they had effectively created an open API out of their CSS hooks.

So, really, it's a really bad idea to let users do CSS.

+2
