css security?

JavaScript and client side scripting.

samscripts
Forum Commoner
Posts: 57
Joined: Tue Apr 23, 2002 4:34 pm
Location: London, UK

css security?

Post by samscripts »

Sorry if this is a silly question, but is there any way a user could add dodgy javascript or anything like that to a css definition?

Basically, is it safe to let users edit their own stylesheets for my site, which will be included with <link> tag in the <head> of each page?

thanks for your help, sam
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

what's found in this file referenced by <link rel="stylesheet" TYPE="text/css" HREF=.... is considered to be css-only.

But for Internet Explorer you may define a behaviour-property.
And the file referenced by it can contain script-code
samscripts
Forum Commoner
Posts: 57
Joined: Tue Apr 23, 2002 4:34 pm
Location: London, UK

Post by samscripts »

thanks Volka, still not quite clear:

basically if I let my site's users create their own style sheet through a form with an input field for each style ie:

Code:

<b>body:</b><input type="text" name="body"><br>
<b>td:</b><input type="text" name="td"><br>

etc...
which I then add into the style sheet like this:

Code:

$styles = array("td", "body" /* ... */);
$css = "";
// build one rule per selector from the matching form field
for( $i =0;$i < count($styles); $i++){
   $css .= $styles[$i] .' { '.str_replace('}', '', $_POST[$styles[$i]]).'}';
}

// save $css into a file called $username.css

would anyone be able to add any script or calls to external scripts / styles that would present any kind of security risk? I'm not concerned about them messing up display of the page for themselves :lol: , and only the user who creates the style sheet will be able to use it.

thanks for your help, sam
CodeEye
Forum Commoner
Posts: 25
Joined: Fri Jul 05, 2002 7:19 am

Post by CodeEye »

you can do some damage with css such as
"body{
display:none;
}
"
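
An added example, not part of any post in this thread: one way to build the per-user stylesheet from an allowlist of properties and a strict value pattern, so that a `behavior` declaration of the kind volka mentions, or a value that tries to close the rule early, never reaches the saved file. The selector and property lists, the value pattern and the sample input are assumptions made for the illustration.

```php
<?php
// Added example: allowlist filter for user-supplied CSS declarations.
// Selector list, property list and value pattern are assumptions.
const ALLOWED_SELECTORS = ['body', 'td'];
const ALLOWED_PROPERTIES = ['color', 'background-color', 'font-family',
    'font-size', 'font-weight', 'text-align', 'padding', 'margin'];
// Values: letters, digits, spaces and # % . , - only. No parentheses, quotes,
// colons, braces, slashes, backslashes or @, so url(...) and escapes fail.
const VALUE_PATTERN = '/^[a-zA-Z0-9#%., -]{1,60}$/D';

function filter_declarations(string $input): array
{
    $clean = [];
    foreach (explode(';', $input) as $decl) {
        $parts = explode(':', $decl, 2);
        if (count($parts) !== 2) {
            continue; // not of the form "property: value"
        }
        $prop = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (in_array($prop, ALLOWED_PROPERTIES, true)
            && preg_match(VALUE_PATTERN, $value) === 1) {
            $clean[] = "$prop: $value";
        }
    }
    return $clean;
}

function build_stylesheet(array $post): string
{
    $css = '';
    foreach (ALLOWED_SELECTORS as $selector) {
        $raw = $post[$selector] ?? '';
        $decls = is_string($raw) ? filter_declarations($raw) : [];
        if ($decls) {
            $css .= $selector . ' { ' . implode('; ', $decls) . "; }\n";
        }
    }
    return $css;
}

// Constructed sample input standing in for $_POST.
$sample = [
    'body' => 'color: #333; behavior: url(other-file); font-size: 12px',
    'td'   => 'padding: 2px 4px } body { display: none',
];
echo build_stylesheet($sample);
```

With the sample input only the `color` and `font-size` declarations for `body` are written; the `behavior` declaration is dropped because the property is not on the list, and the `td` value is dropped because it contains braces and a colon.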