I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page.
However I am aware of this opening up for many security risks, i e background: url('javascript:alert("Got your cookies! " + document.cookies').
Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users.
So my questions if anyone anyone knows of a gem or a plugin to handles this? I've googled my brains out already so any tips would be really appreciated!
Rails has a built-in css sanitizer
See http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize_css and its parent http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize
> ActionController::Base.helpers.sanitize_css('background:#fff')
=> "background: #fff;"
> ActionController::Base.helpers.sanitize_css('javascript:alert("garr");')
=> ""
There's also some code called css_file_sanitize: https://github.com/courtenay/css_file_sanitize
Comparing it to the Rails sanitize
command I find that both use regular expressions to strip out undesirable portions of the CSS.
Here's the source for css_file_sanitize: https://github.com/courtenay/css_file_sanitize/blob/master/lib/css_sanitize.rb
Here's the source for Rails sanitize
: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With