I'm new at PHP and I'm trying to figure out if this is a bad idea or a security risk.
I have a table of data that I provide to a user, it has a default stylesheet that it loads, but if the user wants to include their own, I've made it so they can just point to their stylesheet instead:
http://www.mysite.com/info.php?css=http://www.someothersite.com/mystylesheet.css
I've tried adding closing style tags and javascript in the css file, but the DOM seems to just load it as CSS that it isn't able to process.
I've never seen any other site allow this method of adding stylesheets, so, is this a good idea or bad idea? I was thinking that I could have the script load the file and look for key words used in javascript, but with my testing, I'm not sure that I need to do it.
Update: I'm adding the CSS as follows:
<link href="<?php echo (isset($_GET['css'])) ? $_GET['css'] : 'default.css'; ?>" rel="stylesheet" type="text/css" />
So long as the stylesheet is used for their own account, and no one else's, then I'd let them do it. However, because it could be used to session-hijack someone (if they didn't logout) I would require the user's password to change the stylesheet. I also would force it to be stored locally.
Without a password all a hijacker need do is:
#selector:before {
content: expression(getCookie('phpsessid'));
}
Obviously if you don't have a function called getCookie then they'll need to do more legwork, but it is still too easy for them to get the cookie data. This is why password protection of the custom stylesheet is essential.
If you don't include a field per-user, and use the $_GET['css'] route, then remember that it would be trivial to redirect a user from an external site (say MySpace) to their page with a route to a harmful CSS file for a hijacking attack. If there's no authentication that protects the changing of the CSS file, which should be password protected even when logged in, then your software is very, very vulnerable indeed.
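A hardened version of the `<link>` line from the question, following the answer's advice to keep stylesheets local and never let a raw request parameter reach the page. This is an added example, not the asker's code or the answerer's: the stylesheet names and paths in the allowlist are constructed for illustration, and the per-user preference the answer recommends is assumed to be looked up separately from an authenticated account setting rather than from the URL.

```php
<?php
// Added example: constrain the ?css= parameter to a server-side allowlist of
// local stylesheets and escape the attribute value before output.
// The stylesheet names and paths below are constructed for this example.

declare(strict_types=1);

/** Stylesheets the server is willing to serve, keyed by the short name a user may request. */
const ALLOWED_STYLESHEETS = [
    'default' => '/css/default.css',
    'dark'    => '/css/dark.css',
    'print'   => '/css/print.css',
];

/**
 * Map an untrusted request value to a known stylesheet path.
 * Anything that is not a string, or not a key in the allowlist (external URLs,
 * quotes, path tricks, arrays from ?css[]=), falls back to the default, so the
 * attribute can never carry attacker-controlled markup or a remote stylesheet.
 */
function select_stylesheet($requested): string
{
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_STYLESHEETS)) {
        return ALLOWED_STYLESHEETS['default'];
    }
    return ALLOWED_STYLESHEETS[$requested];
}

/** Build the <link> tag, escaping the href even though it is already allowlisted (defence in depth). */
function stylesheet_link(string $href): string
{
    $safe = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link href="' . $safe . '" rel="stylesheet" type="text/css" />';
}

// Usage in info.php (replaces the unescaped echo of $_GET['css']):
// echo stylesheet_link(select_stylesheet($_GET['css'] ?? null));

// Constructed inputs for a quick check: only the allowlisted name is honoured;
// the external URL from the question and an attribute-breaking value both fall
// back to /css/default.css.
foreach (['dark', 'http://www.someothersite.com/mystylesheet.css', 'x" foo="y', null] as $in) {
    echo stylesheet_link(select_stylesheet($in)), PHP_EOL;
}
```

Because the request value is used only as a lookup key, the question's concern about JavaScript hidden in a fetched CSS file goes away: the server never fetches anything from a user-supplied URL. If a per-user custom stylesheet is wanted, the answer's model fits on top of this: store the chosen key (or an uploaded file under the server's own path) against the account, change it only through an authenticated, password-confirmed form, and read it from the session rather than from `$_GET`.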