Is it wafe to let users upload their own CSS?

nassau · #1 (**permalink**) 01-07-06, 01:07 AM

I'm building a community website and cosidering letting users upload their own CSS so they can modify their personal space.

Will this impose a risk for the website? Can an evil user exploit this to upload malicious code? Is there a way to allow this without risks?

thanks

Christian · #2 (**permalink**) 01-07-06, 01:18 AM

It might become a problem, so what I would do is store the infomation in a mysql database. Just my $.02.

MadDog · #3 (**permalink**) 01-07-06, 02:11 AM

The only problem i can see with CSS (and i see it a lot) is they can code CSS to overlap a image over the entire site so all they see is the image.

There are some turkish hackers that do this to ASP forums (that dont update to latest versions) and they call it hacking, but i call them a bunch of 10 year old noobs.

Keith · #4 (**permalink**) 01-07-06, 02:34 AM

Explorer and a few other inept browsers will also allow JavaScript to be run inside CSS url() elements. This was the basis of the recent MySpace "worm".

If you're going to allow them to upload their own files, pull the file's contents and strip unwanted tags or entities before display rather than just linking to the file.

MadDog · #5 (**permalink**) 01-07-06, 02:18 PM

Is that the latest version of Explorer or an older version?

I guess i missed the news about that bug...

Keith · #6 (**permalink**) 01-07-06, 04:17 PM

Yes, Explorer 6 allows it to be executed.

nassau · #7 (**permalink**) 01-11-06, 06:34 AM

to clarify, i would store their css in the database, not let them upload actual files.

in this case i'm mostly worried about hackers using it to hack into the site etc, not ruin the appearance, since my users can only modify their "own" space - not the public space.

is there a good script available that strips unwanted tags and/or javascript from css?