Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Are there any dangers or security risks in allowing user css?
Sorry for unspecific question. Possible implementation: having a textarea for users to input custom css, and then taking that css and putting it into a style element: <style type="text/css"></style> with js.
Yes, there are many potential XSS attacks, mostly through putting JavaScript in urls for background-image and whatnot. Search for “style” in the XSS Cheat Sheet for some examples.
There is also the potential that the user CSS could break your site, for example making the navigation menu 0x0 pixels or moving it offscreen to -1000, -1000. Or the CSS itself could reference images from other sites, which you can’t guarantee will continue to stay up.