Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it a bad idea to let users add their own stylesheet?

I'm new at php and I'm trying to figure out of this is a bad idea or a security risk.

I have a table of data that I provide to a user, it has a default stylesheet that it loads, but if the user wants to include their own, I've made it so they can just point to their stylesheet instead:

http://www.mysite.com/info.php?css=http://www.someothersite.com/mystylesheet.css

I've tried adding closing style tags and javascript in the css file, but the DOM seems to just load it as CSS that it isn't able to process.

I've never seen any other site allow this method of adding stylesheets, so, is this a good idea or bad idea? I was thinking that I could have the script load the file and look for key words used in javascript, but with my testing, I'm not sure that I need to do it.


Update: I'm adding the CSS as follows:

<link href="<?php echo (isset($_GET['css'])) ? $_GET['css'] : 'default.css'; ?>" rel="stylesheet" type="text/css" />
like image 930
Mottie Avatar asked Dec 14 '22 02:12

Mottie


1 Answers

So long as the stylesheet is used for their own account, and no one else's, then I'd let them do it. However, because it could be used to session-hijack someone (if they didn't logout) I would require the user's password to change the stylesheet. I also would force it to be stored locally.

Without a password all a hijacker need do is:

#selector:before {
  content: expression(getCookie('phpsessid'));
}

Obviously if you don't have a function called getCookie then they'll need to do more legwork, but it is still too easy for them to get the cookie data. This is why password protection of the custom stylesheet is essential.

If you don't include a field per-user, and use the $_GET['css'] route, then remember that it would be trivial to redirect a user from an external site (say MySpace) to their page with a route to a harmful CSS file for a hijacking attack. If there's no authentication that protects the changing of the CSS file, which should be password protected even when logged in, then your software is very, very vulnerable indeed.

like image 179
Robert K Avatar answered Dec 26 '22 18:12

Robert K