
User Uploaded CSS safe?

Tags:

css

security

Is there anything tricky someone could do with user-uploaded CSS to harm a site? If I wanted to allow users to upload/share their own CSS themes to a site, is there anything I should look for or disallow?

EDIT: Assume I know how to check if it's a valid CSS file etc. I'm looking for CSS-specific exploits I need to avoid.

asked Jul 01 '11 22:07

Brent


4 Answers

I believe standard CSS, parsed in a standard way, is safe. However, through various non-standard extensions, CSS is unsafe.

It's not just CSS that is unsafe; due to the fact that some browsers ignore RFC 2616 and sniff the content type instead of respecting the Content-Type header, it is possible to trick some browsers into embedding JavaScript hidden within static image files.

Even if you work around these particular issues, there's nothing stopping browser vendors from screwing you over in other ways without you realising.

As a general rule, I would not allow untrusted users to upload files unless I gave each user their own subdomain and ensured that any cookies on the main site were limited to the www host. This makes it look to the browser that each user has their own separate site with their own separate security context, so even if they manage to execute code, it doesn't compromise anything.

answered Oct 19 '22 18:10

Jim


Even if you parse the file for valid CSS, a hacker could still be malicious by using something like :before and :after. To ensure security, you will want to whitelist a subset of CSS properties & selectors in your validation.

answered Oct 19 '22 18:10

Mike Neumegen


They can include an .htc file, which is essentially JavaScript. Actually, it doesn't even need to be in an .htc file; you can write JavaScript in CSS using expression(). And also (although this is given), they can mess with your site by hiding/showing stuff inappropriately.

answered Oct 19 '22 18:10

pixelfreak
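
The allowlist idea from the two answers above (a restricted set of properties and selectors, with no `:before`/`:after`, no `expression()` and no `.htc` behaviors), as an added example that is not part of the original thread. The function name `validate_theme`, the property list and the regular expressions are assumptions chosen for illustration.

```python
import re

# Assumed allowlist for a theming feature; extend it deliberately.
ALLOWED_PROPERTIES = {"color", "background-color", "font-size", "font-weight",
                      "margin", "padding", "border-radius", "text-align"}
# Type, class and id selectors, combined with spaces, ">" and ",". No ":" at all,
# so :before/:after and every other pseudo-selector is refused.
SELECTOR_RE = re.compile(r"[A-Za-z0-9_\-.#\s,>]+")
# Keywords, hex colours, numbers with units. No parentheses or quotes, so
# expression(), url() and any other function notation cannot pass.
VALUE_RE = re.compile(r"[A-Za-z0-9#%.\-\s]+")
RULE_RE = re.compile(r"([^{}]*)\{([^{}]*)\}")  # one flat "selector { body }"


def validate_theme(css):
    """Return a list of problems; an empty list means the theme is accepted."""
    if "\\" in css:
        # CSS escapes can spell a forbidden token without writing it literally.
        return ["backslash escapes are not allowed"]
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments
    problems = []
    leftover = RULE_RE.sub("", css).strip()
    if leftover:  # block-less at-rules, nested or unbalanced braces
        problems.append("content outside flat rules: %r" % leftover[:40])
    for selector, body in RULE_RE.findall(css):
        selector = selector.strip()
        if not SELECTOR_RE.fullmatch(selector):
            problems.append("selector not allowed: %r" % selector)
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            prop, sep, value = decl.partition(":")
            prop, value = prop.strip().lower(), value.strip()
            if not sep or prop not in ALLOWED_PROPERTIES:
                problems.append("property not allowed: %r" % prop)
            elif not VALUE_RE.fullmatch(value):
                problems.append("value not allowed for %s: %r" % (prop, value))
    return problems


if __name__ == "__main__":
    # Constructed sample themes, not taken from the thread.
    samples = [".theme h1 { color: #336699; font-size: 1.2em }",
               "div { font-size: expression(1) }",
               "body { behavior: url(theme.htc) }",
               "a:after { color: red }"]
    for css in samples:
        print(css, "->", validate_theme(css) or "accepted")
```

Anything the validator does not recognise is refused, so a new property or selector form has to be added to the allowlist on purpose.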


You primarily need to be careful about what is being uploaded. If you do some kind of sanity check that it is valid CSS, you should be fine, but if you just allow any old file to be uploaded, someone could sneak in some JavaScript or other malicious code.

The actual type is not harmful, but the whole upload concept is the problem as it allows attackers to deliver a payload you wouldn't expect.

But I would say as long as you check off your security checklist and validate your content to be at least some CSS, you should be fine.

answered Oct 19 '22 18:10

Jakub