2

I want to allow my users to upload their own CSS to customize the look, but CSS can be used to run javascript. What is the best way to sanitize it with Python?

I found some answers on other langugages: Sanitizing CSS in Rails, Sanitize CSS Using Java, Sanitize user defined CSS in PHP but found nothing on python.

I did find https://pythonhosted.org/feedparser/html-sanitization.html#css-sanitization but this is a bit too limiting, i.e. not allowing url at all.

Improve this question
1
  • You could scan for url and expression property values: stackoverflow.com/a/482088/2653390 since those appear to be the only two ways to inject JS with CSS Commented Apr 29, 2015 at 5:42

1 Answer 1

Reset to default
0

From your links, it looks like you would either have to whitelist or blacklist some stuff. Personally, if you are informed enough, try blacklisting unwanted components. As for parsing, have you looked into CSSUtils for Python ?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.