Hi guys,
I am thinking to let the users upload a css file and control the colour scheme and other things of the site as per their own configuration.
So before building it i would like to know what things i should take care?
Hi guys,
I am thinking to let the users upload a css file and control the colour scheme and other things of the site as per their own configuration.
So before building it i would like to know what things i should take care?
Security: The so-called "CSS Expressions" allow JavaScript code in CSS. Although they are now deprecated, they still work in IE5-7, and in IE's compatibility modes.
I recommend stripping out any expression()
rule from the stylesheet. It serves no real purpose, doesn't work in normal browsers and in IE it introduces executable code to CSS.
A CSS injection is nearly as good as script injection. You've got expression()
in IE6-7 (and later in compatibility view), you've got behavior:
(HTC) in IE, you've got -moz-binding:
in Firefox, you've got content:
to inject text, and occasionally, mostly in older browsers that don't block it, you've got url(javascript:...)
. Even without these you've got a fair amount of risk just from visual UI spoofing.
As long as a user stylesheet is limited to the user that made it, a user can only compromise themselves. The problem comes when users start sharing stylesheets. You might perhaps disallow users from picking the same external stylesheet address as another user to discourage this.