I am thinking of letting users upload a CSS file to control the colour scheme and other aspects of the site according to their own configuration.
So before building it, I would like to know what things I should take care of.
A CSS injection is nearly as good as script injection. You’ve got expression() in IE6-7 (and later in compatibility view), you’ve got behavior: (HTC) in IE, you’ve got -moz-binding: in Firefox, you’ve got content: to inject text, and occasionally, mostly in older browsers that don’t block it, you’ve got url(javascript:...). Even without these you’ve got a fair amount of risk just from visual UI spoofing.

As long as a user stylesheet is limited to the user that made it, a user can only compromise themselves. The problem comes when users start sharing stylesheets. You might perhaps disallow users from picking the same external stylesheet address as another user to discourage this.
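
An added example, not part of the original answer: a server-side check that flags the constructs the answer lists in an uploaded stylesheet, after stripping comments and decoding CSS escapes so that obfuscated spellings are matched as well. The names `scan`, `normalise` and `RISKY` are hypothetical, and the sample stylesheets are constructed for illustration.

```python
import re

# Constructs named in the answer, matched against normalised (lowercased) text.
# The lookbehinds keep scroll-behavior: and justify-content: from matching.
RISKY = {
    "expression()": re.compile(r"expression\s*\("),
    "behavior:": re.compile(r"(?<![\w-])behavior\s*:"),
    "-moz-binding:": re.compile(r"-moz-binding\s*:"),
    "content:": re.compile(r"(?<![\w-])content\s*:"),
    "url(javascript:)": re.compile(r"url\s*\(\s*['\"]?\s*javascript\s*:"),
}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits + one optional whitespace, or backslash + any char.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)

def _unescape(m):
    if m.group(1):  # hex escape such as \78
        cp = int(m.group(1), 16)
        bad = cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF
        return "\ufffd" if bad else chr(cp)
    return "" if m.group(2) == "\n" else m.group(2)  # backslash-newline is a continuation

def normalise(css):
    """Remove comments, then decode escapes, then lowercase.

    Comments are removed outright (not replaced by a space) so that a keyword
    split by a comment is rejoined; this errs on the side of flagging.
    """
    css = _COMMENT.sub("", css)
    return _ESCAPE.sub(_unescape, css).lower()

def scan(css):
    """Return the sorted names of risky constructs found in a stylesheet."""
    text = normalise(css)
    return sorted(name for name, rx in RISKY.items() if rx.search(text))

# Constructed sample inputs.
SAMPLES = [
    "body { color: #333; scroll-behavior: smooth; justify-content: center }",
    r"div { width: e\78pression(1) }",
    "a { b/**/ehavior: url(x.htc) }",
    "li { background: URL( 'JavaScript:void(0)' ) }",
    "p:after { content: 'hi'; -moz-binding: url(x.xml#y) }",
]

if __name__ == "__main__":
    for css in SAMPLES:
        print(scan(css) or "no listed construct", "<-", css)
```

A match is grounds to reject the upload; an empty result only means none of these five constructs was found, and it does not address the visual UI spoofing risk the answer mentions.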