If a user can upload their own CSS for their personal page (say, a profile), are there any CSS-based vulnerabilities I should look out for? This would be stored on my server in example.com/user/profile/css/usercss.css (or something like that).
This is not really a CSS question as such but a question, so I'll move the thread.
At the very least, styles could be uploaded to change the look of your site using !important overrides etc., so you should always sanitize input that you receive.
Thanks. That's a good start. I was thinking that URLs that were specified (say, for background images) might pose a security risk as well for XSS attacks, but I am not familiar enough to say how this might occur.
I should also point out I don't care how the user makes a page look. They could display:none everything, and it wouldn't matter to me. I am more worried about security holes, like malicious code or something like that, taking place.
I would read up on MySpace before trying this.
A much better model is to set up some templating system and let users specify safe changes to the look and feel of their pages while retaining some sort of control.
Doesn't matter -- if you request something from my evil server, I can do lots of things. And I can probably find a way to include my evil script.
MySpace was at the forefront, but doing this ultimately hamstrung them as they could not upgrade things without breaking a key part of user experience. That and horrible security issues.
I won't be requesting it from another server or pointing to anything off site, but instead allowing users to upload their own css files.
So they could point to a mal-script?
That's the idea, actually - find out whatever attributes could allow them to do something bad, like point to a bad script, and reject any document that has them.
For some reason I'm thinking there are others, but for certain anything that has "url", e.g. background images, cursor, list-style-image.
url is all I could think of as well. I will need to do a review of all attributes and see if anything else allows pointing to an offsite file.
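A server-side check for the approach the thread converges on (review the uploaded stylesheet and reject the whole document if it can reference an offsite file or run script), as an added example that is not code from any of the posters. It decodes CSS escapes and strips comments before matching, because `u\72 l(` is the same token as `url(` once the browser parses it, so a naive substring search would miss it. It goes a little beyond the thread's `url()` discussion by also flagging `@import` and the legacy script-capable properties (`expression()`, `behavior:`, `-moz-binding:`); that list, the sample stylesheets, and the rule that only bare relative file names are acceptable `url()` targets are this example's assumptions.

```python
import re

# Constructed sample stylesheets (not taken from the original thread).
SAFE_CSS = r"""
/* harmless personalisation */
body { background: #222; color: #eee; }
.profile h1 { display: none !important; }
.avatar { background-image: url(avatar.png); }
"""

UNSAFE_CSS = r"""
body { background: url("http://attacker.example/x.png"); }
.a { beh\61vior: url(x.htc); }
.b { width: expression(alert(1)); }
.c { cursor: u\72 l(//attacker.example/c.cur); }
@import "http://attacker.example/evil.css";
"""

_COMMENT = re.compile(r'/\*.*?\*/', re.S)
# CSS escapes: backslash + 1..6 hex digits (+ optional whitespace), or backslash + any other char.
_HEX_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?')
_CHAR_ESCAPE = re.compile(r'\\([^0-9a-fA-F\r\n\f])')


def normalize_css(css: str) -> str:
    """Strip comments and decode CSS escapes so obfuscated tokens such as
    u\\72 l( or beh\\61vior become the plain url( / behavior they parse as."""
    css = _COMMENT.sub('', css)

    def _hex(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd'

    css = _HEX_ESCAPE.sub(_hex, css)
    css = _CHAR_ESCAPE.sub(lambda m: m.group(1), css)
    return css.lower()


# Constructs that let a stylesheet fetch another resource or execute code
# (assumed block list for this example; extend to taste).
_BLOCKED = [
    ('@import',       re.compile(r'@import\b')),
    ('expression()',  re.compile(r'expression\s*\(')),
    ('behavior:',     re.compile(r'behavior\s*:')),
    ('-moz-binding:', re.compile(r'-moz-binding\s*:')),
    ('</style',       re.compile(r'</style')),   # in case the CSS is ever inlined
]
_URL = re.compile(r'url\s*\(\s*(["\']?)(.*?)\1\s*\)', re.S)
# Assumption: the only acceptable url() target is a bare relative file name
# (no scheme, no leading / or //, no '..', no data: URI).
_LOCAL_REF = re.compile(r'^[a-z0-9_\-]+(\.[a-z0-9_\-]+)*$')


def find_unsafe_css(css: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    text = normalize_css(css)
    findings = []
    for name, pat in _BLOCKED:
        if pat.search(text):
            findings.append(name)
    for m in _URL.finditer(text):
        target = m.group(2).strip()
        if not _LOCAL_REF.match(target):
            findings.append(f'url({target})')
    return findings


def accept_user_css(css: str) -> bool:
    """Reject the whole upload if anything was flagged, as the thread suggests."""
    return not find_unsafe_css(css)


if __name__ == '__main__':
    print('safe sample  :', find_unsafe_css(SAFE_CSS))
    print('unsafe sample:', find_unsafe_css(UNSAFE_CSS))
```

Run it before writing the uploaded file to disk and store it only when `accept_user_css` returns True; the findings list is worth logging so you can see which constructs users actually attempt. Because the check lowercases and decodes escapes first, case tricks and hex-escaped property names resolve to the same tokens the browser would see.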