
CSS user input... is it a security threat to database and website?

Hello all,

My website has a feature in which I can turn on/off a feature which allows members to add their own CSS code for their profile design!

If possible I want to allow this as it would mean a much better platform for my members but I wanted to know what risk I would be causing if I have this feature turned on. Here is the code that processes and checks the code:

// IF NEW
if($task == "dosave") {
  // Decode entities, drop HTML tags, remove the literal token "-moz-binding",
  // then escape quotes before the value is placed in the SQL statement.
  $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags(htmlspecialchars_decode($_POST['style_profile'], ENT_QUOTES))));
  // The sample id is used as an array index below, so force it to an integer.
  $style_profile_sample = (int) $_POST['style_profile_sample'];

  // SET STYLE TO NOTHING IF NEEDED
  if($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] == 0) {
    $style_profile = "";
    $style_profile_sample = 0;

  // SET STYLE TO OPTIONAL IF NEEDED
  } elseif($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] != 0) {
    // Fall back to one of the site-supplied sample styles, filtered the same way.
    $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags($sample[$style_profile_sample])));
  }
}

As you can see the code does check with addslashes and strip_tags, but is this enough to protect the entire website? This is of course only CSS and design changes so I wasn't sure if users could inject any dodgy code or not.

Any advice would be appreciated

Justin

justted
Junior Poster
140 posts since Dec 2007
Reputation Points: 10
Solved Threads: 2
 

Why not just write a .css file for the portion of the site they can edit (you can do so with PHP), then import the CSS file.

Also: http://us2.php.net/manual/en/function.mysql-real-escape-string.php

Andrieux
Junior Poster in Training
61 posts since Jan 2009
Reputation Points: 10
Solved Threads: 4
 

Heya.... erm how do you mean exactly?

What if I had 50,000 members (I wish) and they all wanted different designs? Wouldn't this stop that from happening by having a separate .css file?

Currently it's stored in the database, so if I switch the option on to allow for custom profile design then they can type their own custom CSS in a text box and submit it!

My website uses quite a complicated system with tons of functions and classes and already has loads of .css templates.

Is this not an adequate way then?

Thanks

Justin

justted
Junior Poster
140 posts since Dec 2007
Reputation Points: 10
Solved Threads: 2
 

You really need to make an HTML structure and then give them an input box to change the value of the CSS color: <this>; .

Go to http://bebo.com/ and try creating a skin and that will give you a little idea on what might be safe. (You might have to sign up :/)

Josh Connerty
Posting Whiz
342 posts since Apr 2009
Reputation Points: 31
Solved Threads: 27
 

Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks. (As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks. (As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)

Yes, there are a number of them. There have been a lot of reports of worms in sites that allow CSS from users (MySpace worm). I'm sure it will be hard if not impossible to clean your CSS. http://www.thespanner.co.uk/category/css/

Funny thing is you can't really search for "css xss" since CSS is another acronym for XSS.

digital-ether
Nearly a Posting Virtuoso
Moderator
1,293 posts since Sep 2005
Reputation Points: 461
Solved Threads: 101
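The replies above converge on two points: a blocklist (stripping "-moz-binding", strip_tags, addslashes) cannot be made complete, and the safe shape is the one Josh Connerty describes, where members fill in values for a fixed set of properties and the server rebuilds the stylesheet from an allowlist so url() and similar never get in. The code below is an added example written for this thread, not code from the original poster or from the site's own system: it keeps only known selectors, known properties and values matching a per-property pattern, and stores the result through a bound parameter instead of addslashes(). The function names, the allowed property and selector lists, the table layout and the sample input are all assumptions made for the example.

```php
<?php
// Added example (not the poster's code): allowlist-based sanitizer for
// member-supplied profile CSS, plus storage through a prepared statement.
// Function names, allowlists and the table are assumptions for this example.

// Properties a member may set, each with a regex its value must match in full.
// Anything not listed (which includes url(), @import and -moz-binding) never
// reaches the stored stylesheet, so no blocklist of bad tokens is needed.
const ALLOWED_PROPERTIES = [
    'color'            => '/^#[0-9a-f]{3}([0-9a-f]{3})?$/i',
    'background-color' => '/^#[0-9a-f]{3}([0-9a-f]{3})?$/i',
    'border-color'     => '/^#[0-9a-f]{3}([0-9a-f]{3})?$/i',
    'font-size'        => '/^(?:[1-9][0-9]?|100)(?:px|pt|%|em)$/',
    'font-family'      => '/^[a-z][a-z0-9 ,\-]{0,40}$/i',
    'text-align'       => '/^(?:left|right|center|justify)$/',
    'font-weight'      => '/^(?:normal|bold)$/',
];

// Selectors a member may style: fixed class names from the profile template.
const ALLOWED_SELECTORS = ['.profile', '.profile-header', '.profile-body', '.profile a'];

/**
 * Reduce free-form CSS to rules built only from the allowlists above.
 * Returns [rebuilt stylesheet, list of rejected selectors/declarations].
 */
function sanitize_profile_css(string $css): array
{
    $clean = '';
    $rejected = [];
    // Comments can hide tokens from naive filters; drop them before parsing.
    $css = preg_replace('#/\*.*?\*/#s', '', $css);
    // Match "selector { declarations }" blocks; unbalanced braces simply fail to match.
    preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $blocks, PREG_SET_ORDER);
    foreach ($blocks as $block) {
        $selector = trim($block[1]);
        if (!in_array($selector, ALLOWED_SELECTORS, true)) {
            $rejected[] = "selector: $selector";
            continue;
        }
        $kept = [];
        foreach (explode(';', $block[2]) as $decl) {
            if (trim($decl) === '') {
                continue;
            }
            $parts = explode(':', $decl, 2);
            if (count($parts) !== 2) {
                $rejected[] = trim($decl);
                continue;
            }
            $prop  = strtolower(trim($parts[0]));
            $value = trim($parts[1]);
            if (!isset(ALLOWED_PROPERTIES[$prop]) || !preg_match(ALLOWED_PROPERTIES[$prop], $value)) {
                $rejected[] = "$prop: $value";
                continue;
            }
            $kept[] = "$prop: $value;";
        }
        if ($kept) {
            $clean .= $selector . ' { ' . implode(' ', $kept) . " }\n";
        }
    }
    return [$clean, $rejected];
}

/** Store the sanitized stylesheet with a bound parameter; addslashes() is not needed. */
function save_profile_style(PDO $db, int $userId, string $css): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO profile_style (user_id, css) VALUES (:uid, :css)');
    $stmt->execute([':uid' => $userId, ':css' => $css]);
}

// Constructed sample input: harmless declarations mixed with ones that must be dropped.
$submitted = <<<CSS
.profile { color: #336699; font-size: 14px; }
.profile-header { background-color: #fff; background: url(http://example.invalid/x.png); }
.profile-body { -moz-binding: url(http://example.invalid/y.xml); }
CSS;

[$clean, $rejected] = sanitize_profile_css($submitted);
echo "Stored CSS:\n$clean";
echo 'Rejected: ' . implode(' | ', $rejected) . "\n";

// In-memory SQLite stands in for the site's database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profile_style (user_id INTEGER PRIMARY KEY, css TEXT)');
save_profile_style($db, 42, $clean);
```

Running it keeps `.profile { color: #336699; font-size: 14px; }` and `.profile-header { background-color: #fff; }` and reports the `background: url(...)` and `-moz-binding: url(...)` declarations as rejected. Because every stored value has matched a pattern that excludes `<`, `>`, quotes and parentheses, the result can be emitted inside the page's `<style>` element without a further blocklist pass; the same regexes are what you would use to validate a structured form of per-property input boxes, which is the approach suggested in the thread.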
 
