1

I want to allow my users to upload their own CSS to customize the look, but CSS can be used to run javascript. What is the best way to sanitize it with Python?

I found some answers on other langugages: Sanitizing CSS in Rails, Sanitize CSS Using Java, Sanitize user defined CSS in PHP but found nothing on python.

I did find https://pythonhosted.org/feedparser/html-sanitization.html#css-sanitization but this is a bit too limiting, i.e. not allowing url at all.

Community
  • 1
  • 1
dasony
  • 3,708
  • 2
  • 22
  • 20
  • You could scan for url and expression property values: http://stackoverflow.com/a/482088/2653390 since those appear to be the only two ways to inject JS with CSS – Shashank Apr 29 '15 at 05:42

1 Answers1

0

From your links, it looks like you would either have to whitelist or blacklist some stuff. Personally, if you are informed enough, try blacklisting unwanted components. As for parsing, have you looked into CSSUtils for Python ?

Stephen Rodriguez
  • 1,037
  • 1
  • 12
  • 22