I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS?

Basic process: User enters CSS into form -> Save to DB -> Output as inline CSS

A: 

I don't see how this could possibly create security vulnerabilities, unless the profiles are shared with other users.

If they're shared, CSRF vulnerabilities could come up (since CSS can generate GET requests to include images, fonts, other stylesheets etc). They could also use content to trick users into clicking some places, hide important functionality, etc. And, of course, you would have to escape <, >, and possibly & to prevent XSS (if the CSS is embedded in the HTML).

As to libraries to do the sanitation, I'm not aware of any (maybe tidy).

Artefacto
They are shared with other users.
Gio Borje
+1  A: 

Define the classes yourself, and make a GUI to apply color and other properties to each class; use the same approach Twitter does for that.


Of course, this would only work if your layout is fixed and defined by the admin, not the user.

GerManson
I was hoping to give users a little more flexibility by using a blacklist instead of a whitelist.
Gio Borje
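An added example, not code from either answer, of the whitelist approach from the second answer combined with the output escaping the first answer describes, written in Python; the property list, the value grammar and the `.profile` wrapper that receives the CSS as a `style` attribute are assumptions about the forum:

```python
import re
from html import escape

# Properties the forum passes through. Assumed list: layout-affecting
# properties (position, z-index, display, ...) are left out on purpose so a
# profile cannot overlay or hide the forum's own controls.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-align", "text-decoration", "border", "border-color",
    "padding", "margin", "line-height",
}

# Value grammar: words, numbers, units, hex colours, commas, quotes, spaces.
# It has no '(' so url()/expression() cannot appear, no '@' so @import
# cannot, no '\' so CSS escapes cannot spell those tokens, and no '<' '>' '&'
# so nothing can break out of the surrounding HTML.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s'\"-]+$")


def sanitize_declarations(css):
    """Split a 'prop: value; ...' block into (kept, rejected) declarations.

    Comments are removed first so /* */ cannot split a token across checks.
    """
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    kept, rejected = [], []
    for decl in css.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if sep and prop in ALLOWED_PROPERTIES and SAFE_VALUE.match(value):
            kept.append(f"{prop}: {value}")
        else:
            rejected.append(decl)
    return kept, rejected


def render_style_attribute(css):
    """Emit the surviving declarations as an escaped style attribute.

    The wrapper element is fixed server-side, so the user styles only their
    own profile box; escaping quotes, <, > and & covers the attribute context.
    """
    kept, _ = sanitize_declarations(css)
    return f'<div class="profile" style="{escape("; ".join(kept), quote=True)}">'
```

The rejected list lets the profile form tell the user which declarations were dropped; it is the value grammar, not a list of banned words, that makes backslash-escaped spellings of url() or @import fail the check.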