Hello all,

My website has a feature in which I can turn on/off a feature which allows members to add their own CSS code for their profile design!

If possible I want to allow this as it would mean a much better platform for my members but I wanted to know what risk I would be causing if I have this feature turned on. Here is the code that processes and checks the code:

// IF NEW
if($task == "dosave") {
  $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags(htmlspecialchars_decode($_POST['style_profile'], ENT_QUOTES))));
  $style_profile_sample = $_POST['style_profile_sample'];

  // SET STYLE TO NOTHING IF NEDED
  if($user->level_info[level_profile_style] == 0 && $user->level_info[level_profile_style_sample] == 0) {
    $style_profile = ""; 
    $style_profile_sample = 0;

  // SET STYLE TO OPTIONAL IF NEEDED
  } elseif($user->level_info[level_profile_style] == 0 && $user->level_info[level_profile_style_sample] != 0) {
    $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags($sample[$style_profile_sample])));
  }

As you can see the code does check with the addslahes and strip tags but is this enough to protect the entire website? This is of course only CSS and design changes so I wasnt sure if users could inject any dodgy code or not.

Any advice would be appreciated

Justin

Heya.... erm how do you mean exactly?

What if I had 50,000 members (i wish) and they all wanted different designs? Wouldnt this stop that from happening by having a separate .css file?

Currently its stored into the database so if I switch the option on to allow for custom profile design then they can type their own custom css in a text box and submit it!

My website uses quite a complicated system with tons of functions and classes and already has loads of .css templates.

Is this not an adequate way then?

Thanks

Justin

You really need to make a HTML structure and then give them an input box to change the value of the CSS color: <this>; .

Got to http://bebo.com/ and try creating a skin and that will give you a little idea on what might be safe. (You might have to sign up :/)

Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)

Hi.

If you do allow them to use their own CSS, be careful not to let them use url() values, as that could make your users vulnerable to XSS attacks.
(As well as any other style that would allow loading of external resources... can't think of any more of them at the moment)

Yes, there are a number of them. There have been a a lot of reports of worms in sites that allow CSS from users (myspace worm). I'm sure it will be hard if not impossible to clean your CSS.

http://www.thespanner.co.uk/category/css/

Funny thing is you can't really search for "css xss" since CSS is another acronym for XSS.

This article has been dead for over six months. Start a new discussion instead.