21

I want to allow users to use their own stylesheets for thei profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS?

Basic process: User enters CSS into form -> Save to DB -> Output as inline CSS

Improve this question
6
  • 1
    With the exception of the non-standard behavior property and expressions that IE allows (both of which initiate javascript), I don't see how css could cause any "security vulnerabilities." So if you filter out (or disallow input of) those, I think you would be okay. Commented Jul 13, 2010 at 21:27
  • 7
    moz-bindings. javascript: URLs in everything that accepts url(). Layout hacks to position other content over the top of a login form, @import to bring in an unchecked external file that the author might sabotage later. CSS isn't really that safe. Commented Jul 13, 2010 at 21:52
  • Thanks bobince, I was not aware of some of those dangers. Commented Jul 14, 2010 at 10:26
  • 1
    From sk89q.com/2009/08/definitive-php-security-checklist * Be aware that certain CSS properties such as “position” could be used maliciously (elements overlaying login forms, etcetera). * CSS can also contain escape sequences both inside and outside strings (\34). * CSS files can contain JavaScript. This manifests itself in the form of “CSS expressions” and “behaviors” (Internet Explorer features) or Gecko “bindings.” Commented Jul 14, 2010 at 16:31
  • is your issue was resolved? Commented Oct 6, 2018 at 13:20

4 Answers 4

Reset to default
22

HTMLPurifier with CSSTidy does what you're looking for.

HTMLPurifier is primarily designed for sanitizing HTML, but also has an option to extract style blocks with CSSTidy.

There's an example in the HTMLPurifier docs (but alas, I've used up my two links per post.)

Here's another: 

require_once './htmlpurifier/library/HTMLPurifier.auto.php';
require_once './csstidy/class.csstidy.php';

// define some css
$input_css = "
    body {
        margin: 0px;
        padding: 0px;
        /* JS injection */
        background-image: url(javascript:alert('Injected'));
    }
    a {
        color: #ccc;
        text-decoration: none;
        /* dangerous proprietary IE attribute */
        behavior:url(hilite.htc);
        /* dangerous proprietary FF attribute */
        -moz-binding: url('http://virus.com/htmlBindings.xml');
    }
    .banner {
        /* absolute position can be used for phishing */
        position: absolute;
        top: 0px;
        left: 0px;
    }
";

// Create a new configuration object
$config = HTMLPurifier_Config::createDefault();
$config->set('Filter.ExtractStyleBlocks', TRUE);

// Create a new purifier instance
$purifier = new HTMLPurifier($config);

// Turn off strict warnings (CSSTidy throws some warnings on PHP 5.2+)
$level = error_reporting(E_ALL & ~E_STRICT);

// Wrap our CSS in style tags and pass to purifier. 
// we're not actually interested in the html response though
$html = $purifier->purify('<style>'.$input_css.'</style>');

// Revert error reporting
error_reporting($level);

// The "style" blocks are stored seperately
$output_css = $purifier->context->get('StyleBlocks');

// Get the first style block
echo $output_css[0];

And the output is:

body {
    margin:0;
    padding:0;
}

a {
    color:#ccc;
    text-decoration:none;
}

.banner {
}
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Thanks; hopefully no one on my site was hit by a CSRF with my meager RegEx replacements.
This is a fantastic answer that greatly helped me with something I'm doing. Thanks a lot.
this works great! Just one stumbling block: how to configure CSS tidy in the context of HTMLpurifier, with PHP runtime code like shown above? Same question (essentially) as is here: stackoverflow.com/questions/10843600/…
any way to achieve this without using HTMLPurifier with CSSTidy
Can someone pls help me with my question: stackoverflow.com/questions/52677988/…
2

Define the classes yourself, and make a GUI to apply color and other properties to each class, use the same approach twitter does for that.

alt text http://grab.by/grabs/3217158e9c48538eb127fb1678dab6ae.png

Of course, this would only work if your layout is fixed and defined by the admin, not the user.

Improve this answer

3 Comments

I was hoping to give users a little more flexibility by using a blacklist instead of a whitelist.
Blacklists need constantly updating as browsers add new features and bugs in browsers allow things to slip through the cracks. Whitelists are the only sane approach for filtering data for security issues.
Image link is broken.
1

This probably won't fix all sorts of hacks but probably most automated hacks at least:

$css = strip_tags($css);
$css = htmlspecialchars($css, ENT_HTML5 | ENT_NOQUOTES | ENT_SUBSTITUTE, 'utf-8');

Depends on how many users are allowed to use this feature and how big of a threat it could be due to that..

Improve this answer

Comments

0

I don't see how this could possibly create security vulnerabilities, unless the profiles are shared with other users.

If they're shared, CSRF vulnerabilities could come up (since CSS can generate GET requests to include images, fonts, other stylesheets etc). They could also use content to trick users into clicking some places, hide important functionality, etc. And, of course, you would have to escape <, >, and possibly & to prevent XSS (if the CSS is embedded in the HTML).

As to libraries to do the sanitation, I'm not aware of any (maybe tidy).

Improve this answer

1 Comment

They are shared with other users.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.