7

On my website I want to include a text box that will allow the members to change anything they want css wise on their profiles....but I don't want to wake up one morning to find my site has been hacked or someone typoed and destroyed everything or accessed things they shouldn't.

Is there any easy way to verify that the text they input is css only? I saw another question on here that was similar, it had XSS cheat sheet and tips for what to disable (< and ]]> and < ![), but I don't know if that will be enough. I will definitely use that info though.

Essentially I want to just make PHP call any custom css and insert it between script tags for the users profile. I want to allow as much css as possible. Is this the best way to go about it? I don't have the know how to make up a system to generate safe files, or the patience to make up an entire section with options (especially since I want to give members more freedom with their profiles).

Any advice is appreciated, and if anyone knows of some script that does this already that would rock too and help me figure out what to do :D.

Improve this question
14
  • 5
    What if your user puts * { font-family: 'Comic Sans' !important; } into their custom stylesheet? It will affect your website components as well. You could parse the stylesheet with PHP and prepend #user-content > to each selector and output a sanitized stylesheet, but that might be difficult. Commented Dec 14, 2012 at 10:37
  • 1
    @Andy because you need to store it in a database for the next time they visit... Commented Dec 14, 2012 at 10:37
  • 1
    @Blender Dear god! Most evil hack evar! O___O;; Commented Dec 14, 2012 at 10:39
  • 1
    Does it have to be pure CSS or could you just let them change some variables instead? I imagine you would still want to have some control on the overall appearance of your website? Commented Dec 14, 2012 at 10:40
  • 2
    @JadeElizabeth: I'm not sure if users would appreciate such an inconsistent website experience, but hey, that's my opinion. Commented Dec 14, 2012 at 11:35

3 Answers 3

Reset to default
6

When a user is logged in, add a separate <link> element for that user. The href can point to a script that generates the css for the user, for instance customcss.php?userid=1234&version=2 *). The script only needs to return everything the user has entered before. Because you enclose it as a separate CSS file, the browser will always treat it as such and will never run any scripts. Any HTML or Javascript is just treated as invalid CSS.

Note however, that there's little harm anyway in including scripts for that matter, because they will only run in the browser of the logged in user, so they can only hack their own view of your site. If they want to inject Javascript, they can still do that by writing their own browser plugins, so you won't open up a possibility that wasn't there before.

The main thing you need to worry about are

  • Usability. What if the user makes a mistake and accidentally hides the Body element. How will they be able to reset it?
  • SQL injection. No matter what you do or do not allow, always make sure your input is sanatized.
  • PHP injection. Don't execute (eval) user content. Ever.
  • Hiding user information. Add a code to the customcss.php url to prevent other users from guessing a user id, gaining insight into the customizations of other users.

*) I've added a version number to the CSS url, which you should update in the database each time a user updates their CSS. If you don't do that, the browsers will cache the old CSS and users will start complaining to you, because their changes won't become visible.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

So you're saying not to store it in the database and have some sort of file generated for it? How do I sanitize it? How do I not eval it? Since it will only show when viewing the profile and not editing it, it should be easy to fix mistakes that break things ha ha :).
i think this is a good method of getting what you need however be VERY carefull when you are creating php files from user input as malicious code can be inserted. so instead i would create a new css file every time a user changes something and remove the old files and then <link> to the new css file other than that this is a good answer
@JadeElizabeth Do store it in the database. The PHP file is only used to extract the specific user info and feed it as if it were a separate file. The PHP file I mentioned only needs to query the CSS, set a right header and echo the CSS. For SQL injection, there's a lot written about it. Search for prepared statements and PDO. If you just store the CSS in a database and output it using echo or something, you don't eval it and you're safe. If it will show when viewing the profile, they must still be able to find the edit page from there. :)
@EyalAlsheich I didn't mean to create PHP files. I meant to create a single PHP file that feeds the custom CSS as if it were a static CSS file. Writing a PHP file means executing user committed code, which is exactly what I warned against.
yes i agree, what i am suggesting is that you can write individual css files for each user instead of keeping it in a database but thats a matter of which way is more convinient for you to work with
3

I guess this should be enough 

$style = $_POST['style'];

$style = strip_tags($style);

    $forbiddenStuff = array(
        '-moz-binding',
        'expression',
        'javascript:',
        'behaviour:',
        'vbscript:',
        'mocha:',
        'livescript:',
    );

    $style = str_ireplace($forbiddenStuff, '', $style);

store $style in db , and render on user profile.

Please note that this solution is copied from a well known software and which has a big community, so i hope this should be perfect.

Improve this answer

6 Comments

Won't this allow an attacker to just capitalize the attribute name and bypass the filter?
That sounds like a good idea for sure, especially if it's not case sensitive :).
Is there any way I can use a regex mask? If I create the the field with the community software I'm using I have the option to use a regex mask to validate the input. I just have no idea how to write one! I feel like such a noob here, you guys are awesome and I wish I could give back as much as you guys give me!
If you want to validate css via regex please refer to stackoverflow.com/questions/7569853/verify-css-is-valid-syntax
Not such a good solution: foo:expresexpressionsion(…) will result in foo:expression(…).
|
-4

O hai MySpace…

Just give users the ability to specify colours and images from a web form, and construct a user-specific style sheet from that. Allowing users to specify their own CSS in its entirety will just lead to ugly, ugly pages. See: MySpace 1.0.

Improve this answer

2 Comments

No I don't want to do that because there are too many options to cover.
Enjoy never ending security concerns and ugly user-generated pages then!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.