Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to preform whitelist-based CSS filtering in PHP

Tags:

css

validation

php

user-input

I am working on a site and I would like to make a user able to enter custom CSS into that will be publicly displayed.

However, seeing as a good deal of XSS attacks can be preformed through CSS, I would like to be able to find a way to "clean" the CSS output, similar to how HTML Purifier works, by parsing the CSS, running the parsed CSS against a whitelist, and then outputting a new stylesheet based on the parsed and whitelisted CSS.

Is there already a library like this out there? If not, is there a CSS parsing library that can be used to create a custom implementation?

like image 291
MiffTheFox Avatar asked Sep 01 '09 19:09

MiffTheFox

People also ask

What is the protection against XSS in PHP?

Using htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For a majority of web-apps, we can use this method and this is one of the most popular methods to prevent XSS. This process is also known as HTML Escaping.

What is XSS filtering?

Cross-site scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject client-side script into web pages viewed by other users. You can use the Cross-site Scripting Filter setting to check all HTTP GET requests sent to IBM® OpenPages® with Watson™.

Which function is used to provide prevention against XSS attack?

Content security policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities.

What encoding should be used to protect from XSS and show user data correctly?

A very big portion of web applications are using HTML Entity Encoding to handle untrusted data, and this method is robust enough to protect them from XSS attack for most of the time.

1 Answers

I guess you're going to write your own CSS parser and filter, so here's what I'd consider, although I've never done such a thing:

  • Make a (white) list of acceptable CSS properties that your users can use. Like: color, font-family.
  • I believe it might be better to not allow short-hand forms such as background, at least in the beginning, so that you can easily parse the values. Require that they explicitly write background-color, background-image.
  • If you want URLs, only allow relative URLs, and discard everything that doesn't even closely look like a URL. Log these issues anyway, so that you can improve your parser and validator.
  • Be very strict in your parsing, discard everything that your parser doesn't understand even if it would be valid CSS. In other words, make your own CSS subset.

When parsing, the hardest part would be the parsing of complex CSS selectors. But you can impose your own subset here too.

Here's some (pseudo)code, maybe it will help you somehow:

<?php

function tokenizeCSS() {
    return array(
        array(
            'selector'   => '#foo .bar',
            'properties' => array(
                'background-color' => 'transparent',
                'color'            => '#fff',
            ),
        );
    );
}

function colorValidator($color)
{}

/**
 * This is basically the white list. Keys are accepted CSS properties
 * and values are the validator callbacks.
 */
$propertyValidators = array(
    'background-color' => 'colorValidator',
    'color'            => 'colorValidator',
);

$filteredRules = array();

foreach (tokenizeCSS() as $rule) {
    if (! validSelector($rule['selector'])) {
        continue;
    }

    foreach ($rule['properties'] as $property => $value) {
        /**
         * Check property is in white list
         */
        if (! isset($propertyValidators[$property]) {
            continue;
        }

        /**
         * Check property is valid
         */
        if (! $propertyValidators[$property]($value)) {
            continue;
        }

        /**
         * Valid rule
         */
        $filteredRules[$rule['selector']][$property] = $value;
    }
}
like image 84
Ionuț G. Stan Avatar answered Oct 05 '22 01:10

Ionuț G. Stan
Sign in to Comment

Related questions

PhpStorm take a step back in debugger
Creating function to replace post title not working
Custom shortcode in Wordpress Nav Bar
Get Amazon MWS results to Json or Xml and elaborate them
laravel api subdomain mapping
Passing static classes via Dependancy Injection
IIS 7 Rewrite rule throws HTTP Error 403.14 - Forbidden if folder exists
Externally hosted email and using PHP to send email
How can I use a resource to write line by line but still use Laravel's built in Storage?
How to get the calendar type by locale string
Trigger download dialog right after headers received
Symfony 4 - ClassNotFoundException Kernel
SSOCircle keeps redirecting to Consent page SAML2.0
Symfony custom authentication provider log out on request overlap
Adding clippath information to an image
Permission problem: How to setup permissions on docker for windows for use with Wordpress
How to make custom PSR-7 ResponseInterface to reduce boilerplate?
Is there a better way of writing a git pre-commit hook to check any php file in a commit for parse errors?
Easiest drop-in PHP authentication solution?
How to cast a 32-bit integer from unsigned to signed in MySQL or PHP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!