CSS user input ..is it a security threat to database and website?

#1 - justted
Jun 10th, 2009
Hello all,

My website has a feature in which I can turn on/off a feature which allows members to add their own CSS code for their profile design!

If possible I want to allow this as it would mean a much better platform for my members but I wanted to know what risk I would be causing if I have this feature turned on. Here is the code that processes and checks the code:

// IF NEW
if ($task == "dosave") {
    // Decode HTML entities, strip tags, remove the literal "-moz-binding", then escape quotes
    $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags(htmlspecialchars_decode($_POST['style_profile'], ENT_QUOTES))));
    $style_profile_sample = $_POST['style_profile_sample'];

    // SET STYLE TO NOTHING IF NEEDED
    if ($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] == 0) {
        $style_profile = "";
        $style_profile_sample = 0;

    // SET STYLE TO OPTIONAL IF NEEDED
    } elseif ($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] != 0) {
        // $sample holds the site's predefined sample styles, indexed by the submitted sample number
        $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags($sample[$style_profile_sample])));
    }
}


As you can see, the code does check with addslashes and strip_tags, but is this enough to protect the entire website? This is of course only CSS and design changes, so I wasn't sure if users could inject any dodgy code or not.

Any advice would be appreciated

Justin
#2 - Andrieux
Jun 10th, 2009
Why not just write a .css file for the portion of the site they can edit (you can do so with PHP), then import the CSS file.

Also: http://us2.php.net/manual/en/functio...ape-string.php
#3 - justted
Jun 10th, 2009
Heya.... erm how do you mean exactly?

What if I had 50,000 members (I wish) and they all wanted different designs? Wouldn't this stop that from happening by having a separate .css file?

Currently it's stored in the database, so if I switch the option on to allow custom profile designs they can type their own custom CSS in a text box and submit it!

My website uses quite a complicated system with tons of functions and classes and already has loads of .css templates.

Is this not an adequate way then?

Thanks

Justin
#4 - Josh Connerty
Jun 11th, 2009
You really need to make an HTML structure and then give them an input box to change the value of the CSS: color: <this>; .

Go to http://bebo.com/ and try creating a skin; that will give you a little idea of what might be safe. (You might have to sign up :/)
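As an added example of the approach described in this post (a fixed HTML/CSS structure where the member only fills in values), not code from the thread or from bebo: the server owns every selector and property, and each submitted value must pass a validator before it is written into the stylesheet, so a member never types a property name, a selector or a url() value. The field names, the `.profile` selector and the allowed font list are assumptions.

```php
<?php
// Added example: "fixed structure, member supplies only values".
// Slot name => [CSS selector, CSS property, validator]. Names and selectors are assumptions.
function profile_style_fields(): array
{
    $hexColor = fn(string $v): bool => (bool) preg_match('/^#[0-9a-fA-F]{6}$/', $v);
    $fontSize = fn(string $v): bool => (bool) preg_match('/^(1[0-9]|2[0-4])px$/', $v); // 10px..24px
    $fontName = fn(string $v): bool => in_array($v, ['Arial', 'Verdana', 'Georgia', 'Tahoma'], true);

    return [
        'page_bg'   => ['.profile',    'background-color', $hexColor],
        'text'      => ['.profile',    'color',            $hexColor],
        'heading'   => ['.profile h2', 'color',            $hexColor],
        'font_size' => ['.profile',    'font-size',        $fontSize],
        'font'      => ['.profile',    'font-family',      $fontName],
    ];
}

/**
 * Build the member's stylesheet from the submitted form values.
 * Returns [css, errors]: a field that fails validation is omitted (the site
 * default applies) and reported; the raw value is never written through.
 */
function build_profile_css(array $submitted): array
{
    $css = '';
    $errors = [];
    foreach (profile_style_fields() as $name => [$selector, $property, $isValid]) {
        if (!isset($submitted[$name]) || $submitted[$name] === '') {
            continue; // slot not customised
        }
        $value = trim((string) $submitted[$name]);
        if (!$isValid($value)) {
            $errors[] = "$name: rejected value";
            continue;
        }
        // The server composes the declaration; only the validated value is interpolated.
        $css .= "$selector { $property: $value; }\n";
    }
    return [$css, $errors];
}

// Constructed sample submission, shaped like $_POST from the profile form.
$post = [
    'page_bg'   => '#102030',
    'text'      => '#ffffff',
    'heading'   => 'red; background: url(http://example.invalid/x)', // rejected: not a hex colour
    'font_size' => '14px',
    'font'      => 'Comic Sans MS',                                 // rejected: not in the list
];
[$css, $errors] = build_profile_css($post);
echo $css;          // three rules for page_bg, text and font_size
print_r($errors);   // heading and font reported
```

Because every validator accepts a closed set of shapes (a six-digit hex colour, a bounded pixel size, a name from a list), there is nothing to "clean": a value is either one of the expected forms or it is dropped. The generated CSS can be stored in the database row or written out as a per-member .css file; the validation is the same either way.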
#5 - Atli
Jun 11th, 2009
Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)
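The following is an added example, not code from the thread: it replaces the addslashes/str_replace/strip_tags filter from post #1 with an allowlist parser that keeps only known properties and only values containing no parentheses, quotes or backslashes, so url() values (the concern in this post), expression(), -moz-binding and @import never reach the stylesheet, and it stores the result with a PDO prepared statement rather than addslashes (the escaping function linked in post #2 is the other way to do the database part). The `.profile` container class, the property list, the table and column names and `$pdo` are assumptions.

```php
<?php
// Added example: allowlist filter for member-supplied profile CSS plus a parameterised save.

// Properties members may set; anything not listed is dropped. (Assumed list; extend with care.)
const ALLOWED_PROPERTIES = [
    'color', 'background-color', 'font-family', 'font-size', 'font-weight',
    'text-align', 'border', 'border-color', 'border-width', 'border-style',
    'padding', 'margin', 'width', 'height', 'line-height',
];

// Permitted value characters: no parentheses (url(), expression() and other calls are
// impossible), no quotes, no backslashes (CSS escapes), no '<' or '@'.
const VALUE_PATTERN = '/^[a-zA-Z0-9#%.,\- ]+$/';

/**
 * Reduce a block of CSS to "selector { property: value; ... }" rules whose properties are
 * on the allowlist and whose values match VALUE_PATTERN. Everything else is dropped.
 */
function sanitize_profile_css(string $css): string
{
    // Remove comments first so "/* ... */" cannot hide tokens from the checks below.
    $css = preg_replace('~/\*.*?\*/~s', '', $css);

    $out = '';
    // Match "selector { declarations }" blocks; text outside braces (e.g. @import lines)
    // is never copied to the output.
    if (!preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $rules, PREG_SET_ORDER)) {
        return '';
    }
    foreach ($rules as $rule) {
        $selector = trim($rule[1]);
        // Simple element/class/id selectors only; rejects '@', '<', quotes and parentheses.
        if (!preg_match('/^[a-zA-Z0-9#.\-_ ,>:]+$/', $selector)) {
            continue;
        }
        // Scope every rule to the profile container (".profile" is an assumed class)
        // so members cannot restyle the rest of the page.
        $scoped = implode(', ', array_map(
            fn($s) => '.profile ' . trim($s),
            explode(',', $selector)
        ));

        $clean = [];
        foreach (explode(';', $rule[2]) as $decl) {
            if (strpos($decl, ':') === false) {
                continue;
            }
            [$prop, $value] = explode(':', $decl, 2);
            $prop  = strtolower(trim($prop));
            $value = trim($value);
            if (!in_array($prop, ALLOWED_PROPERTIES, true)) {
                continue; // unknown property, including behavior and -moz-binding
            }
            if (!preg_match(VALUE_PATTERN, $value)) {
                continue; // url(...), expression(...), quotes, escapes, etc.
            }
            $clean[] = "$prop: $value";
        }
        if ($clean) {
            $out .= $scoped . ' { ' . implode('; ', $clean) . '; }' . "\n";
        }
    }
    return $out;
}

/**
 * Store the cleaned CSS with a prepared statement instead of addslashes().
 * $pdo, the table and the column names are assumptions.
 */
function save_profile_css(PDO $pdo, int $userId, string $css): void
{
    $stmt = $pdo->prepare('UPDATE profiles SET style_profile = :css WHERE user_id = :id');
    $stmt->execute([':css' => sanitize_profile_css($css), ':id' => $userId]);
}

// Constructed sample input: the first two rules survive, the remaining lines are dropped.
$sample = <<<'CSS'
.name { color: #ff0000; font-size: 14px; }
#about { background-color: white; border: 1px solid black; }
body { background: url(http://example.invalid/a.png); }
.x { -moz-binding: url(http://example.invalid/b.xml); }
@import "http://example.invalid/c.css";
CSS;

echo sanitize_profile_css($sample);
```

Two design points: the filter is an allowlist, so a property or value it has never heard of is simply not emitted (a single str_replace of one known-bad token has to anticipate every spelling and every other dangerous property); and because the value pattern has no parentheses, harmless functions such as rgb() are rejected as well as url(), which is deliberate. If members need background images, an upload feature that produces the url() on the server side is the safer route. The character restrictions also mean a `</style>` sequence cannot survive into a stylesheet that is inlined in a style tag.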
#6 - digital-ether (Moderator)
Jun 12th, 2009
Originally Posted by Atli:
Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)
Yes, there are a number of them. There have been a lot of reports of worms in sites that allow CSS from users (MySpace worm). I'm sure it will be hard if not impossible to clean your CSS.

http://www.thespanner.co.uk/category/css/

Funny thing is you can't really search for "css xss" since CSS is another acronym for XSS.
Last edited by digital-ether; Jun 12th, 2009 at 7:00 pm.
©2003 - 2009 DaniWeb® LLC