Is it a bad idea to let users add their own stylesheet?

Question

I'm new at php and I'm trying to figure out of this is a bad idea or a security risk.

I have a table of data that I provide to a user, it has a default stylesheet that it loads, but if the user wants to include their own, I've made it so they can just point to their stylesheet instead:

http://www.mysite.com/info.php?css=http://www.someothersite.com/mystylesheet.css

I've tried adding closing style tags and javascript in the css file, but the DOM seems to just load it as CSS that it isn't able to process.

I've never seen any other site allow this method of adding stylesheets, so, is this a good idea or bad idea? I was thinking that I could have the script load the file and look for key words used in javascript, but with my testing, I'm not sure that I need to do it.

---

Update: I'm adding the CSS as follows:

<link href="<?php echo (isset($_GET['css'])) ? $_GET['css'] : 'default.css'; ?>" rel="stylesheet" type="text/css" />

Answer 1

So long as the stylesheet is used for their own account, and no one else's, then I'd let them do it. However, because it could be used to session-hijack someone (if they didn't logout) I would require the user's password to change the stylesheet. I also would force it to be stored locally.

Without a password all a hijacker need do is:

#selector:before {
  content: expression(getCookie('phpsessid'));
}

Obviously if you don't have a function called getCookie then they'll need to do more legwork, but it is still too easy for them to get the cookie data. This is why password protection of the custom stylesheet is essential.

If you don't include a field per-user, and use the $_GET['css'] route, then remember that it would be trivial to redirect a user from an external site (say MySpace) to their page with a route to a harmful CSS file for a hijacking attack. If there's no authentication that protects the changing of the CSS file, which should be password protected even when logged in, then your software is very, very vulnerable indeed.

Answer 2

It depends upon how it is used. If it is possible for one user to see your site using someone else's stylesheet, then you're setting yourself up for abuse.

Answer 3

It appears that XSS and presumably clickjacking can be done through CSS. You should certainly be careful that the CSS URL cannot be set with a CSRF attack.

If your server is making the request to load the original CSS file, then you mgiht want to be concerned about that outgoing (or perhaps local) connection. If the client is doing it, then you might want to be concerned about leaking information in URL (fortunately sessions by URL rewriting is no longer popular).

Answer 4

Yes.

It is a bad idea.

What others have said is exactly correct but one very important additional point is that if ANYONE besides the user updating the css EVER views their css then that user can execute any javascript they want in the context of the user viewing their page. The worst case scenario here being user updates their own page with malicious xss, you view their page (logged in as admin), user steals your password and logs in as you and takes over the site.

Depending on what other security issues you have in your site stored cross-site scripting such as this could lead to an xss worm like the myspace samy worm.

Here is a decent link about some variations on css-based xss, http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/