Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it a bad idea to let users add their own stylesheet?

Tags:

security

php

stylesheet

I'm new at php and I'm trying to figure out of this is a bad idea or a security risk.

I have a table of data that I provide to a user, it has a default stylesheet that it loads, but if the user wants to include their own, I've made it so they can just point to their stylesheet instead:

http://www.mysite.com/info.php?css=http://www.someothersite.com/mystylesheet.css

I've tried adding closing style tags and javascript in the css file, but the DOM seems to just load it as CSS that it isn't able to process.

I've never seen any other site allow this method of adding stylesheets, so, is this a good idea or bad idea? I was thinking that I could have the script load the file and look for key words used in javascript, but with my testing, I'm not sure that I need to do it.

Update: I'm adding the CSS as follows:

<link href="<?php echo (isset($_GET['css'])) ? $_GET['css'] : 'default.css'; ?>" rel="stylesheet" type="text/css" />
like image 930
Mottie Avatar asked Dec 14 '22 02:12

Mottie

1 Answers

So long as the stylesheet is used for their own account, and no one else's, then I'd let them do it. However, because it could be used to session-hijack someone (if they didn't logout) I would require the user's password to change the stylesheet. I also would force it to be stored locally.

Without a password all a hijacker need do is:

#selector:before {
  content: expression(getCookie('phpsessid'));
}

Obviously if you don't have a function called getCookie then they'll need to do more legwork, but it is still too easy for them to get the cookie data. This is why password protection of the custom stylesheet is essential.

If you don't include a field per-user, and use the $_GET['css'] route, then remember that it would be trivial to redirect a user from an external site (say MySpace) to their page with a route to a harmful CSS file for a hijacking attack. If there's no authentication that protects the changing of the CSS file, which should be password protected even when logged in, then your software is very, very vulnerable indeed.

like image 179
Robert K Avatar answered Dec 26 '22 18:12

Robert K
Sign in to Comment

Related questions

Cross Domain Ajax Request with JQuery/PHP
MySQL Query Logging in CakePHP
How to make a Linux Service that Accepts Commands via Web Server?
Wamp PHP CLI
Get file encoding [duplicate]
zip_open(); undefined on PHP 5.2.8
how do you show page load time in php?
Problem displaying the entire string in input box (in php)
Variable persistence in PHP
Count line breaks in a field and order by
How to remove a specific $_GET variable from a URL
How useful would be a Smalltalk source code browser for other programming languages?
How can improve myself in web development?
Regexp to add attribute in any xml tags
URL Shortening Site
Howto chain objects in PHP5: $this->foo->bar->baz()
Increase PHP Memory limit (Apache, Drupal6)
How can I cycle through hex color codes in PHP?
How to use Constant Contact API?
How to use our own fonts in web sites, which is compatible with all users?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!