shinve — 2011-11-26T22:04:55-05:00 — #1
If a user can upload their own CSS for their personal page (say, a profile), are there any CSS-based vulnerabilities I should look out for? This would be stored on my server in example.com/user/profile/css/usercss.css (or something like that).
paulob — 2011-11-27T07:33:03-05:00 — #2
This is not really a CSS question as such but a question so I'll move the thread.
At the very least, styles could be uploaded to change the look of your site using !important overrides etc., so you should always sanitize input that you receive.
shinve — 2011-11-27T19:20:58-05:00 — #3
Thanks. That's a good start. I was thinking that URLs that were specified (say, for background images) might pose a security risk as well for XSS attacks, but I am not familiar enough to say how this might occur.
shinve — 2011-11-27T21:26:21-05:00 — #4
I should also point out I don't care how the user makes a page look. They could display:none everything, and it wouldn't matter to me. I am more worried about security holes, like malicious code or something like that, taking place.
wwb_99 — 2011-11-28T12:49:00-05:00 — #5
I would read up on MySpace before trying this.
A much better model is to set up some templating system and let users specify safe changes to the look and feel of their pages while retaining some sort of control.
shinve — 2011-11-30T22:05:23-05:00 — #6
wwb_99 — 2011-12-02T07:01:54-05:00 — #7
Doesn't matter -- if you request something from my evil server, I can do lots of things. And I can probably find a way to include my evil script.
MySpace was at the forefront, but doing this ultimately hamstrung them as they could not upgrade things without breaking a key part of user experience. That and horrible security issues.
shinve — 2011-12-03T04:05:48-05:00 — #8
I won't be requesting it from another server or pointing to anything off site, but instead allowing users to upload their own CSS files.
mittineague — 2011-12-04T07:28:56-05:00 — #9
So they could point to a mal-script?
shinve — 2011-12-06T16:43:27-05:00 — #10
That's the idea, actually - find out whatever attributes could allow them to do something bad, like point to a bad script, and reject any document that has them.
mittineague — 2011-12-07T18:39:46-05:00 — #11
For some reason I'm thinking there are others, but for certain anything that has "url", e.g. background images, cursor, list-style-image.
shinve — 2011-12-07T22:35:17-05:00 — #12
url is all I could think of as well. I will need to do a review of all attributes and see if anything else allows pointing to an offsite file.
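
The check discussed in the last few posts (reject an uploaded stylesheet that points off site), as an added example that is not code from anyone in this thread. It goes beyond the `url` cases listed above: it also looks at `@import` with a bare string and the legacy `expression`, `behavior` and `-moz-binding` constructs, and it decodes CSS escapes before scanning; the function names and the relative-paths-only policy are assumptions.

```python
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + any char.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# url(...) with a quoted or bare target, and @import with a bare string target.
_URL = re.compile(r"url\(\s*(?:\"([^\"]*)\"|'([^']*)'|([^)]*?))\s*\)")
_IMPORT = re.compile(r"@import\s*(?:\"([^\"]*)\"|'([^']*)')")
# Legacy constructs that could load or run script from CSS in older browsers.
_LEGACY = re.compile(r"expression\s*\(|behavior\s*:|-moz-binding\s*:")
# Assumed policy: allow only plain relative paths (no scheme, no '//' host).
_SAFE_PATH = re.compile(r"(?!//)[a-z0-9_./-]+")


def _unescape(m):
    if m.group(1):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return m.group(2)


def normalize(css):
    """Drop comments and decode escapes so '\\75 rl(' is scanned as 'url('."""
    return _ESCAPE.sub(_unescape, _COMMENT.sub("", css)).lower()


def find_risky_css(css):
    """Return (kind, detail) findings; an empty list means nothing was flagged."""
    text = normalize(css)
    findings = [("legacy-script", m.group(0)) for m in _LEGACY.finditer(text)]
    for kind, rx in (("url", _URL), ("import", _IMPORT)):
        for m in rx.finditer(text):
            target = next((g for g in m.groups() if g is not None), "").strip()
            if not _SAFE_PATH.fullmatch(target):
                findings.append((kind, target))
    return findings


# Constructed sample stylesheet (not from the thread).
SAMPLE = r"""
body { background: url(img/bg.png); }
li   { list-style-image: URL("http://other.example/dot.gif"); }
a    { cursor: \75 rl(//other.example/c.cur), auto; }
@import "https://other.example/extra.css";
"""

if __name__ == "__main__":
    for kind, detail in find_risky_css(SAMPLE):
        print(kind, detail)
```

An empty result means only that none of these patterns matched, so it works as a first-pass filter on upload rather than as proof that a stylesheet is harmless.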