0

I'm creating a website that allows users to create their own subchannels. Sorts of like subreddits (if you're familiar with reddit).

And I want to make it so that subchannel administrators are allowed to upload their own CSS files (with a max filesize) that would override the default styles for their subchannels. (Users would also be able to opt out of custom styles.)

I've only heard of a few websites doing this so it's kind of hard to get info on the risks involved. Would there be any potential security risks?

I would be doing this with Laravel, for reference.

jahantaila
  • 840
  • 5
  • 26
Felix
  • 2,532
  • 5
  • 37
  • 75
  • That could be a vector for XSS (I'm not very strong with CSS). If a CSS rule caused the download of a file, it could allow an attacker to run JavaScript on browsers that visit the site. – Carcigenicate May 19 '21 at 21:27
  • [This](https://stackoverflow.com/questions/3607894/cross-site-scripting-in-css-stylesheets) would be worth reading. If the stylesheet only applies to the single person that wrote the document, I don't think you could do much damage. If it's shown to other people though, it could be used to steal session cookies. – Carcigenicate May 19 '21 at 21:30

1 Answers1

1

Javascript can be executed in CSS, you have to make sure that you are using some filtering.

I have also seen incidents where someone has covered the entire page on a microsoft controlled site with a transparent pixel, linking to a malicious site. Clicking anywhere triggered the attackers site to appear.

This could however be safe if the user only sees his or her own CSS, and they would have no way of someone else viewing what they have done. Otherwise some sort of whitelist or markdown would work.

There is also the potential that the user CSS could break your site, for example making the navigation menu 0x0 pixels or moving it offscreen to -1000, -1000. Or the CSS itself could reference images from other sites, which you can't guarantee will continue to stay up.

jahantaila
  • 840
  • 5
  • 26