Is it not secure to enable user to add his own rules of CSS to his personal page, in (for example) a social website ?

It is not secure. There are multiple ways to embed JavaScript in CSS such that it gets executed by at least some browsers. Google "XSS CSS" and look through the top hits. Don't do this unless you're willing to do hardcore sanitization of the CSS, and to clean up the mess when your sanitization is inevitably bypassed and your users' cookies are compromised.

Is there a security threat if I enable a user to add CSS?

1 Answers

It is not secure. There are multiple ways to embed JavaScript in CSS such that it gets executed by at least some browsers. Google "XSS CSS" and look through the top hits.

Don't do this unless you're willing to do hardcore sanitization of the CSS, and to clean up the mess when your sanitization is inevitably bypassed and your users' cookies are compromised.

108

answered Jan 11 '23 06:01

grahamparks

Recent Activity
Apple Pay - authorize.net returns error 153 only when live, sandbox works
How to continue cursor loop even error occured in the loop
python find all neighbours of a given node in a list of lists
Fatal error: Call to a member function setColumn() on a non-object in Magento
Count how many of each value from a field with MySQL and PHP
Python 32-bit development on 64-bit Windows [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

Is there a security threat if I enable a user to add CSS?

Tags:

css

security

Emad Elsaid

1 Answers

grahamparks

Recent Activity

Donate For Us

Is there a security threat if I enable a user to add CSS?

Tags:

css

security

Emad Elsaid

1 Answers

grahamparks

Related questions

Recent Activity

Donate For Us