
We allow the use of @import via a custom CSS editor in our CMS, but I want to know if we've opened ourselves up to potential security risks by doing that. Can it be used for XSS?

If so, how would that work, and further, how do we go about protecting ourselves against such an attack?

FYI, we don't actually leave the @import statements in the custom CSS when it's served, they are stripped out via preg_replace_callback() and replaced with their actual target content via file_get_contents(). This is so the CSS can still be cached and not block page loading, but potentially gives us an opportunity to filter the URLs that are used, or even the content that's returned.


EDIT:

After the quick education from @duskwuff it's obvious there are lots of potential problems with offering the service, but it looks like a similar question and answer (here: https://stackoverflow.com/a/5209050/1058733) shows that it can be done pretty safely using HTMLPurifier + CSSTidy to sanitize CSS input which would fit perfectly in our script after file_get_contents() and before caching, and additionally during the save object process for good measure.

oucil
  • wow! I don't have the answer for that... but if you're so worried about that, you should've probably asked first... – Leonardo Dec 09 '13 at 19:36
  • For what it's worth, someone could just put an actual `@import` statement in the file served up over HTTP. You could be replacing `@import` with something else malicious. – Brad Dec 09 '13 at 19:36
  • @Leonardo, @Brad FWIW, I did mention in the FYI that we have an opportunity to filter/validate the returned code. Also, not that this is a defence, as they're not my choice of benchmark, but you can do the same in WordPress via their custom CSS editor, so it's not like I'm reinventing new ways to screw myself. In fact, our opportunity to filter and validate due to the `file_get_contents()` is quite unique. – oucil Dec 09 '13 at 19:41

1 Answer


Yes. CSS is, in general, not safe - there are a number of ways that it can be used to inject JavaScript code, including but not limited to:

Depending on the nature of your site, unrestricted CSS may also be used to steal passwords from your users by reformatting page content to appear like a password prompt, or to deny access to the site by reformatting or hiding vital components of the page (e.g., hiding a "log in" link).

Do not allow users to enter CSS that will be used on your site unless you're prepared to fully parse it and validate it against a whitelist of approved properties and selectors.

  • Thanks for the quick education and links! I've found a previous question that provides examples using HTMLPurifier + CSSTidy to sanitize CSS which looks to be pretty thorough: http://stackoverflow.com/a/5209050/1058733 – oucil Dec 09 '13 at 20:13
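A filter along the lines the answer recommends, added here as an example and not code from the question, the answer or any project: it resolves @import only from an allow-listed https host, then keeps only allow-listed selectors and properties whose values are inert. All names (ALLOWED_IMPORT_HOSTS, ALLOWED_PROPERTIES, fetchAllowedImport, filterCustomCss) and the sample input are assumptions; it is regex-based and intentionally strict, and CSSTidy via HTMLPurifier, as linked in the question, is the more complete parser for production use.

```php
<?php
const ALLOWED_IMPORT_HOSTS = ['static.example.com'];   // constructed; all names hypothetical
const ALLOWED_PROPERTIES   = ['color', 'background-color', 'font-size', 'margin', 'padding'];

/** Fetch an @import target only when it is an https URL on an allow-listed host. */
function fetchAllowedImport(string $url): string
{
    $p = parse_url($url);
    if (!is_array($p) || ($p['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($p['host'] ?? ''), ALLOWED_IMPORT_HOSTS, true)) {
        return '';                                    // untrusted origin: import dropped
    }
    return (string) file_get_contents($url);          // the fetch step the question uses
}
/** Inline allowed imports, then keep only allow-listed selectors, properties and inert values. */
function filterCustomCss(string $css, int $depth = 0): string
{
    if ($depth > 2) return '';                        // stop import loops (a -> b -> a)
    // 1. Replace each @import with its fetched content, itself run through this filter.
    $css = preg_replace_callback(
        '/@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)["\']?\s*\)?[^;]*;/i',
        fn ($m) => filterCustomCss(fetchAllowedImport($m[1]), $depth + 1),
        $css
    );
    // 2. Strip comments first: they are a common way to hide tokens from naive filters.
    $css = preg_replace('#/\*.*?\*/#s', '', $css);
    // 3. Walk flat "selector { declarations }" blocks; @media and other @-rule wrappers are discarded.
    preg_match_all('/([^{}@;]+)\{([^{}]*)\}/', $css, $blocks, PREG_SET_ORDER);
    $out = '';
    foreach ($blocks as [$_, $selector, $body]) {
        $selector = trim($selector);
        if (!preg_match('/^[a-z0-9 .#>,:\-]+$/i', $selector)) continue;   // simple selectors only
        $kept = [];
        foreach (explode(';', $body) as $decl) {
            if (strpos($decl, ':') === false) continue;
            [$prop, $value] = array_map('trim', explode(':', $decl, 2));
            $prop = strtolower($prop);
            // Parentheses, backslashes, quotes and '<' are what url(), expression(), escapes such as \75rl and markup need.
            if (in_array($prop, ALLOWED_PROPERTIES, true) && !preg_match('/[\\\\("\'<]/', $value)) {
                $kept[] = "$prop: $value";
            }
        }
        if ($kept) $out .= $selector . ' { ' . implode('; ', $kept) . " }\n";
    }
    return $out;
}

// Constructed sample: the untrusted import is dropped and the url() value is rejected.
echo filterCustomCss("@import url(http://evil.example/x.css);\n"
    . "h1 { color: red; background-color: url(javascript:alert(1)) }\n");
```

Because every value containing parentheses is refused, colour functions such as rgb() are rejected along with url(); widen the value check deliberately, per property, rather than removing it.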