I have a web application where I would like to allow end users to customise the look of the web site by uploading their own css file.

Are there any security issues with this? I can't see anything obvious but thought I'd ask in case there was anything I'd missed.

+9  A: 

JavaScript can be executed in CSS; you have to make sure that you are using some filtering.

I have also seen incidents where someone has covered the entire page on a Microsoft-controlled site with a transparent pixel, linking to a malicious site. Clicking anywhere triggered the attacker's site to appear.

This could however be safe if the user only sees his or her own CSS, and they would have no way of someone else viewing what they have done. Otherwise some sort of whitelist or markdown would work.

Sam152
Well, if they are editing their own CSS they could only do an XSS attack on themselves, not too worrisome :-)
Vinko Vrsalovic
That depends on the site structure.
n1313
How can JavaScript be executed in CSS?
Tor Haugen
For IE there's the expression property.
meder
There's also behaviours, `[-ms-]behavior` in IE and `-moz-binding` in Firefox.
bobince
@Vinko Vrsalovic: No, no, no, no, no, no, no! They aren't doing an XSS attack on themselves, they are doing an XSS attack on everyone who visits their profile page. From there, they can steal passwords, hijack sessions, whatever.
jammycakes
Thank you everyone, lots of very good answers here. I'll have to think how best to allow customising then; setting colours and backgrounds and creating the CSS might be sufficient.
John Burton
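The allowlist suggested in the answer above, combined with the asker's idea of letting users set colours and backgrounds while the site creates the CSS, as an added example (not code from any poster). The slot names, selectors and function names are hypothetical; the rejected sample values are constructed from the vectors named in the comments.

```python
import re

# Hypothetical theme slots the site exposes; users never supply selectors.
SELECTORS = {"page": "body", "header": "#header", "links": "a"}

# Allowlisted properties, each with a strict pattern the whole value must match.
_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")
_SIZE = re.compile(r"[0-9]{1,3}(?:\.[0-9])?(?:px|em|%)")
_FONT = re.compile(r"serif|sans-serif|monospace")
PROPERTIES = {
    "color": _COLOR,
    "background-color": _COLOR,
    "font-size": _SIZE,
    "font-family": _FONT,
}


class ThemeError(ValueError):
    """Raised when a setting is outside the allowlist."""


def build_user_css(theme):
    """Return CSS generated from validated settings, or raise ThemeError."""
    rules = []
    for slot, declarations in theme.items():
        if slot not in SELECTORS:
            raise ThemeError(f"unknown slot: {slot!r}")
        lines = []
        for prop, value in declarations.items():
            pattern = PROPERTIES.get(prop)
            if pattern is None:  # behavior, -moz-binding, etc. end up here
                raise ThemeError(f"property not allowed: {prop!r}")
            # fullmatch: no trailing "; ..." or newline can ride along
            if not isinstance(value, str) or not pattern.fullmatch(value):
                raise ThemeError(f"bad value for {prop}: {value!r}")
            lines.append(f"  {prop}: {value};")
        rules.append(f"{SELECTORS[slot]} {{\n" + "\n".join(lines) + "\n}")
    return "\n".join(rules)


def is_accepted(theme):
    """True if every setting in the theme passes the allowlist."""
    try:
        build_user_css(theme)
        return True
    except ThemeError:
        return False
```

Because the stylesheet is built only from values that match a fixed pattern, `url()`, `@import`, `expression()` and any property not listed can never reach the output, whatever the user submits.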
+2  A: 

You may get customer support overhead if a user screws up the screen with his custom CSS to such an extent that he won't be able to find the controls to reset it. In that case you, as admin, will need to do it manually.

A possible solution for that case: arrange for a specific URL to reset the style. Something like:

http://mysite.com/users/234234/reset

And advise the user, when he's about to modify the style, to remember this URL and just follow it if things have gone out of control. When hit, the custom styles will be deactivated.

Developer Art
Actually, as other replies have noted, you can execute JavaScript in CSS. http://www.slideshare.net/simon/web-security-horror-stories-presentation
jammycakes
+2  A: 

Depending on your server and configurations, it may be possible to run server-side code from a CSS file (though, this isn't default behavior on servers I know).

Kobi
+2  A: 

Short answer: no. First bad things that come to mind are MSIE expressions.

n1313
+3  A: 

Hi,

I wouldn't do it because CSS can show an image that could exploit some OS vulnerability, for example.

Regards.

ATorras
Far less of an issue than scripting.
Sam152
+2  A: 

If these CSS files are available to all site users, and not just the person who uploaded, then there's a possible XSRF vector - you could include links to offsite resources in the CSS which perform "undesirable" effects to the user requesting them.

Paul Dixon
You can perform XSRF much more easily by embedding images, which is far more common for websites to allow.
Sam152
+6  A: 

Short answer: no, it isn't. HTC in IE and XBL in Mozilla are both potential attack vectors. A hack of this nature was used to steal 30,000 MySpace passwords a while back.

Source: Simon Willison, Web Security Horror Stories

jammycakes