Page 1 of 1
css security?
Posted: Mon Sep 02, 2002 9:25 pm
by samscripts
Sorry if this is a silly question, but is there any way a user could add dodgy javascript or anything like that to a css definition?
Basically, is it safe to let users edit their own stylesheets for my site, which will be included with <link> tag in the <head> of each page?
thanks for your help, sam
Posted: Mon Sep 02, 2002 10:19 pm
by volka
what's found in this file referenced by <link rel="stylesheet" TYPE="text/css" HREF=.... is considered to be css-only.
But for Internet Explorer you may define a
behaviour-property.
And the file referenced by it can contain script-code
Posted: Tue Sep 03, 2002 6:55 am
by samscripts
thanks Volka, still not quite clear:
basically if I let my site's users create their own style sheet through a form with an input field for each style ie:
Code: Select all
<b>body:</b><input type="text" name="body"><br>
<b>td:</b><input type="text" name="td"><br>
etc...
which I then add nto the style sheet like this:
Code: Select all
$styles = array("td", "body",...);
$css = "";
for( $i =0;$i < count($styles); $i++){
$css .= $stylesї$i] .' { '.str_replace('}', '', $_POSTї$stylesї$i]]).'}';
}
// save $css into a file called $username.css
would anyone be able to add any script or calls to external scripts / styles that would present any kind of security risk? I'm not concerned about them messing up display of the page for themselves

, and only the user who creates the style sheet will be able to use it.
thanks for your help, sam
Posted: Fri Sep 20, 2002 6:54 am
by CodeEye
you can do some damage with css such as
"body{
display:none;
}
"