Page 1 of 1

css security?

Posted: Mon Sep 02, 2002 9:25 pm
by samscripts
Sorry if this is a silly question, but is there any way a user could add dodgy javascript or anything like that to a css definition?

Basically, is it safe to let users edit their own stylesheets for my site, which will be included with <link> tag in the <head> of each page?

thanks for your help, sam

Posted: Mon Sep 02, 2002 10:19 pm
by volka
what's found in this file referenced by <link rel="stylesheet" TYPE="text/css" HREF=.... is considered to be css-only.

But for Internet Explorer you may define a behaviour-property.
And the file referenced by it can contain script-code

Posted: Tue Sep 03, 2002 6:55 am
by samscripts
thanks Volka, still not quite clear:

basically if I let my site's users create their own style sheet through a form with an input field for each style ie:

Code: Select all

&lt;b&gt;body:&lt;/b&gt;&lt;input type="text" name="body"&gt;&lt;br&gt;
&lt;b&gt;td:&lt;/b&gt;&lt;input type="text" name="td"&gt;&lt;br&gt;

etc...
which I then add nto the style sheet like this:

Code: Select all

$styles = array("td", "body",...);
$css = "";
for( $i =0;$i &lt; count($styles); $i++){
   $css .= $styles&#1111;$i] .' { '.str_replace('}', '', $_POST&#1111;$styles&#1111;$i]]).'}';
}

// save $css into a file called $username.css
would anyone be able to add any script or calls to external scripts / styles that would present any kind of security risk? I'm not concerned about them messing up display of the page for themselves :lol: , and only the user who creates the style sheet will be able to use it.

thanks for your help, sam

Posted: Fri Sep 20, 2002 6:54 am
by CodeEye
you can do some damage with css such as
"body{
display:none;
}
"