Geek Answers Handbook

How to ensure user input of CSS, not malicious code?

On my website, I want to include a text box that will allow members to change everything they need, css-wise according to their profiles .... but I don't want to wake up one morning to find that my site is hacked or someone sealed and destroyed everything or gained access to things that they do not need.

Is there an easy way to verify that the text entered is css only? I saw another question that looked like it had an XSS workaround and advice on what to disable (<and]]> and <! [), But I don't know if that will be enough. I will definitely use this information.

Essentially, I just want to get PHP to call any custom css and insert it between the script tags for the user profile. I want to allow as much css as possible. Is this the best way to do this? I donโ€™t know how to create a system for creating safe files or patience to compose the entire section with the parameters (especially since I want to give members more freedom with their profiles).

Any advice is welcome, and if anyone knows about some kind of script that does this already, that would also swing and help me figure out what to do: D.

+7
source share
3 answers

When a user logs in, add a separate <link> element for that user. Href can point to a script that generates css for the user, for example customcss.php?userid=1234&version=2 *). The script needs to return everything that the user entered earlier. Since you attach it as a separate CSS file, the browser will always consider it as such and will never run any scripts. Any HTML or Javascript is simply considered invalid CSS.

Note, however, that there is no harm in this, including scripts, because they will only be run in the browser of a registered user, so they can only crack their own look at your site. If they want to add Javascript, they can still do it by writing their own browser plugins, so you wonโ€™t open an opportunity that was not there before.

The main thing you need to worry about:

  • Usability. What to do if the user makes a mistake and accidentally hides the Body element. How can they reset this?
  • SQL injection. Regardless of what you do or do not allow, always make sure that your entrance is a reorganization.
  • Php injection Do not execute custom content (eval). Someday.
  • Hide user information. Add the code to url customcss.php so that other users canโ€™t guess about the user ID in order to get an idea of โ€‹โ€‹the settings of other users.

*) I added a version number to the CSS URL, which you should update in the database every time the user updates their CSS. If you do not, browsers will cache the old CSS and users will complain to you because their changes will not be visible.

+6
source

I think that should be enough

 $style = $_POST['style']; $style = strip_tags($style); $forbiddenStuff = array( '-moz-binding', 'expression', 'javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:', ); $style = str_ireplace($forbiddenStuff, '', $style);

save $ style in db and display in user profile.

Please note that this solution is copied from well-known software and has a large community, so I hope it should be perfect.

+3
source

O hai MySpace ...

Just give users the ability to specify colors and images from a web form and create a specific stylesheet from it. Allowing users to define their own CSS will completely lead to ugly, ugly pages. See: MySpace 1.0.

-3
source

More articles:


All Articles