CSS uploaded by user - security risks?

If a user can upload their own css for their personal page (say, a profile), are there any CSS based vulnerabilities I should look out for? This would be stored on my server in example.com/user/profile/css/usercss.css (or something like that).

This is not really a CSS question as such but a question so I’ll move the thread.

There could be an issue with IE where expressions are used in css which could run javascript to cause some problems.

At the very least, styles could be uploaded to change the look of your site using !important overrides etc., so you should always sanitize input that you receive.

Thanks. That’s a good start. I was thinking that urls that were specified (say, for background images) might pose a security risk as well for xss attacks, but I am not familiar enough to say how this might occur.

I should also point out I don’t care how the user makes a page look. They could display:none everything, and it wouldn’t matter to me. I am more worried about security holes, like malicious code or something like that, taking place.

I would read up on myspace before trying this.

Given @import and the half-dozen other ways to arbitrarily load content from untrusted URLs, I’m sure someone could find a hole somewhere. Fonts are another interesting angle – there are lots of OS-level exploits based around font loading. The other issue is you are going down a slippery slope – how long until users want to submit their own javascript?

A much better model is to set up some templating system and let users specify safe changes to the look and feel of their pages while retaining some sort of control.

You are right, but it would just be for CSS. Never javascript. Myspace does seem to be at the forefront of this, surprisingly. I will give them a check and try to come up with a list of things to worry about. Thanks for mentioning fonts as well.

Doesn’t matter – if you request something from my evil server, I can do lots of things. And I can probably find a way to include my evil script.

MySpace was at the forefront, but doing this ultimately hamstrung them as they could not upgrade things without breaking a key part of user experience. That and horrible security issues.

I won’t be requesting it from another server or pointing to anything off site, but instead allowing users to upload their own css files.

So they could point to a mal-script?

That’s the idea, actually - find out whatever attributes could allow them to do something bad, like point to a bad script, and reject any document that has them.

For some reason I’m thinking there are others, but for certain anything that has “url”, e.g. background images, cursor, list-style-image.

url is all I could think of as well. I will need to do a review of all attributes and see if anything else allows pointing to an offsite file.
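
The "reject any document that has them" check discussed in this thread, as an added example that is not part of the original posts: it normalizes CSS escapes, comments and case before matching, because a plain substring search for "url" misses forms such as `u\72l(`. The function names are hypothetical, and the forbidden list covers only the constructs named in the thread (url, @import, IE expressions, font loading); it is an assumed starting point, not a complete inventory.

```python
import re

# Constructs named in the thread; an assumed starting list, not a complete one.
FORBIDDEN = {
    "url()": re.compile(r"url\s*\("),
    "@import": re.compile(r"@import\b"),             # @import also accepts a bare string
    "expression()": re.compile(r"expression\s*\("),  # legacy IE dynamic properties
    "@font-face": re.compile(r"@font-face\b"),
}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + any char.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)


def _unescape(match):
    hex_digits, literal = match.groups()
    if literal is not None:
        return literal
    code = int(hex_digits, 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"


def normalize(css):
    """Undo the obfuscations a naive substring check misses before matching."""
    css = css.replace("\x00", "")
    css = _COMMENT.sub("", css)        # collapse comments; stricter than a browser tokenizer
    css = _ESCAPE.sub(_unescape, css)  # decode escapes so an escaped "r" in url( is seen
    return css.lower()


def find_violations(css):
    """Return the sorted names of forbidden constructs; an empty list means accept."""
    text = normalize(css)
    return sorted(name for name, rx in FORBIDDEN.items() if rx.search(text))


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        "body { color: #333; display: none !important; }",
        "div { background: URL(//other.example/x.png) }",
        r"a { cursor: u\72l(x.cur) }",
        '@import "//other.example/a.css";',
        r"p { width: e\78pression(1 + 1) }",
    ]
    for css in samples:
        print(find_violations(css) or "accept", "<-", css)
```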