Jun 10th, 2009

CSS user input ..is it a security threat to database and website?

Hello all,

My website has a feature in which I can turn on/off a feature which allows members to add their own CSS code for their profile design!

If possible I want to allow this as it would mean a much better platform for my members but I wanted to know what risk I would be causing if I have this feature turned on. Here is the code that processes and checks the code:

PHP:

    // IF NEW
    if($task == "dosave") {
        // Decode entities, strip HTML tags, drop "-moz-binding", then escape for the query
        $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags(htmlspecialchars_decode($_POST['style_profile'], ENT_QUOTES))));
        $style_profile_sample = $_POST['style_profile_sample'];

        // SET STYLE TO NOTHING IF NEEDED
        if($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] == 0) {
            $style_profile = "";
            $style_profile_sample = 0;

        // SET STYLE TO OPTIONAL IF NEEDED
        } elseif($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] != 0) {
            // Use one of the site's predefined sample styles instead of the member's own CSS
            $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags($sample[$style_profile_sample])));
        }
    }


As you can see the code does check with addslashes and strip_tags, but is this enough to protect the entire website? This is of course only CSS and design changes, so I wasn't sure if users could inject any dodgy code or not.

Any advice would be appreciated

Justin
Posted by justted (140 posts since Dec 2007)
Jun 10th, 2009

Re: CSS user input ..is it a security threat to database and website?

Why not just write a .css file for the portion of the site they can edit (you can do so with PHP), then import the CSS file.

Also: http://us2.php.net/manual/en/functio...ape-string.php
Posted by Andrieux (60 posts since Jan 2009)
Jun 10th, 2009

Re: CSS user input ..is it a security threat to database and website?

Heya.... erm how do you mean exactly?

What if I had 50,000 members (I wish) and they all wanted different designs? Wouldn't this stop that from happening by having a separate .css file?

Currently it's stored in the database, so if I switch the option on to allow for custom profile design then they can type their own custom CSS in a text box and submit it!

My website uses quite a complicated system with tons of functions and classes and already has loads of .css templates.

Is this not an adequate way then?

Thanks

Justin
Posted by justted (140 posts since Dec 2007)
Jun 11th, 2009

Re: CSS user input ..is it a security threat to database and website?

You really need to make a HTML structure and then give them an input box to change the value of the CSS color: <this>; .

Go to http://bebo.com/ and try creating a skin and that will give you a little idea on what might be safe. (You might have to sign up :/)
Posted by Josh Connerty (342 posts since Apr 2009)
Jun 11th, 2009

Re: CSS user input ..is it a security threat to database and website?

Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)
Posted by Atli (526 posts since May 2007)
Jun 12th, 2009

Re: CSS user input ..is it a security threat to database and website?

Quote originally posted by Atli:
Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)
Yes, there are a number of them. There have been a lot of reports of worms in sites that allow CSS from users (myspace worm). I'm sure it will be hard if not impossible to clean your CSS.

http://www.thespanner.co.uk/category/css/

Funny thing is you can't really search for "css xss" since CSS is another acronym for XSS.
Last edited by digital-ether; Jun 12th, 2009 at 7:00 pm.
Posted by digital-ether, Moderator (1,250 posts since Sep 2005)
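As an added example (not code from this thread or the site), here is the allowlist approach Josh and Atli point towards, written as a PHP function: rather than trying to clean arbitrary CSS, it keeps only declarations whose property is on a list and whose value matches a strict pattern, so url(), expression(), @import, behavior and -moz-binding can never reach the page. The property list, the value patterns and the #profile container id are assumptions for the example.

```php
<?php
// Added example, not the site's code: allowlist validation of member CSS.
// Only listed properties with values matching a strict pattern are kept, so
// url(), expression(), @import, behavior and -moz-binding never get through.
function validate_profile_css(string $css, int $maxLen = 4000): array
{
    $color = '(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})';
    $allowed = [                                   // property => value pattern (assumed list)
        'color'            => "/^$color$/i",
        'background-color' => "/^$color$/i",
        'font-size'        => '/^\d{1,2}(px|pt|em)$/',
        'font-family'      => '/^[a-z ,-]{1,60}$/i',
        'border'           => "/^\d{1,2}px (solid|dashed|dotted) $color$/i",
        'text-align'       => '/^(left|right|center)$/',
    ];
    if (strlen($css) > $maxLen) { return ['css' => '', 'rejected' => ['input too long']]; }
    // Strip comments first so "/**/" cannot split a token, then accept only flat
    // "selector { prop: value; ... }" rules; at-rules and nested braces never match.
    $css = preg_replace('#/\*.*?\*/#s', '', $css);
    preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $rules, PREG_SET_ORDER);
    $clean = $rejected = [];
    foreach ($rules as $rule) {
        $selector = trim($rule[1]);
        // Selectors must stay inside the profile container (#profile is an assumed id)
        if (!preg_match('/^#profile(\s+[.#]?[a-z][a-z0-9_-]{0,30})*$/i', $selector)) {
            $rejected[] = "selector: $selector";
            continue;
        }
        $kept = [];
        foreach (explode(';', $rule[2]) as $decl) {
            if (trim($decl) === '') { continue; }
            [$prop, $val] = array_map('trim', explode(':', $decl, 2) + [1 => '']);
            $prop = strtolower($prop);
            if (!isset($allowed[$prop]) || !preg_match($allowed[$prop], $val)) {
                $rejected[] = "$prop: $val";
                continue;
            }
            $kept[] = "$prop: $val";
        }
        if ($kept) { $clean[] = "$selector { " . implode('; ', $kept) . "; }"; }
    }
    return ['css' => implode("\n", $clean), 'rejected' => $rejected];
}

// Constructed input: one acceptable rule and one that smuggles in a url() value.
$r = validate_profile_css("#profile { color: #ABC; font-size: 12px }\n"
    . "#profile .bio { background-color: url(http://example.invalid/x) }");
// $r['css'] holds only "#profile { color: #ABC; font-size: 12px; }"; the url() declaration is listed in $r['rejected'].
```

Store the returned 'css' string (still escaped for the query as the original code does) and show the member what was rejected, so they can correct their design instead of silently losing it.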