In my application I am allowing users to upload their CSS style sheets so they can be applied to templates. The CSS is written as an internal style sheet, because at this time I would not like to expose the CSS style sheet to other users.
That creates room for users to include malicious code in the CSS file. Initially my plan was to convert all '<' and '>', but that is needed in the CSS syntax. I am after a white list solution, since it won’t be feasible to exhaustively eliminate unwanted characters.
Any suggestions for implementing security measures to this scenario?
You should definitely also filter out at least IE expressions and FF -moz-binding properties… both can be used to run (potentially malicious) JavaScript using CSS.
This cheat sheet contains the most obvious XSS tactics, including some CSS ones.
The safest solution would probably be whitelisting as you suggested (if it is acceptable to limit users to only use whitelisted properties).
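One way to implement the property whitelist suggested above, as an added example that is not part of the original thread. It is written in Python for illustration, since the thread names no language. The allow-list contents, the regular expressions and the `sanitize_css` name are assumptions. The output is rebuilt only from parts that pass the allow-list, so `expression(...)`, `-moz-binding`, `url(...)`, at-rules and any `<` (which could close the surrounding `<style>` element) never reach the page.

```python
import re

# Assumed allow-list for illustration; extend it to what your templates need.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-weight", "font-family",
    "text-align", "margin", "padding", "border", "width", "height",
}
# Selectors: names and basic combinators only ('>' is allowed, '<' and '@' are not).
SAFE_SELECTOR = re.compile(r"^[a-zA-Z0-9\s.#>,:_-]+$")
# Values: keywords, numbers, units, hex colours; no parentheses, quotes or backslashes.
SAFE_VALUE = re.compile(r"^[a-zA-Z0-9\s.,#%-]+$")
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")

# Constructed sample input, not taken from the thread.
SAMPLE = """
body { color: #333; behavior: url(x.htc); width: expression(1) }
div > p { -moz-binding: url(x.xml#y); font-size: 12px }
"""


def sanitize_css(css: str) -> str:
    """Rebuild a style sheet from allow-listed parts only; drop everything else."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments first
    rules = []
    for selector, body in RULE.findall(css):
        selector = " ".join(selector.split())
        if not SAFE_SELECTOR.match(selector):
            continue  # fail closed: the whole rule is dropped
        declarations = []
        for declaration in body.split(";"):
            name, sep, value = declaration.partition(":")
            name, value = name.strip().lower(), " ".join(value.split())
            if sep and name in ALLOWED_PROPERTIES and SAFE_VALUE.match(value):
                declarations.append(f"{name}: {value}")
        if declarations:
            rules.append(f"{selector} {{ {'; '.join(declarations)} }}")
    return "\n".join(rules)


if __name__ == "__main__":
    print(sanitize_css(SAMPLE))
```

The value pattern is deliberately strict, so legitimate values such as `rgb(...)` or quoted font names are rejected too; widen it only with patterns you have reviewed.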