  1. #1

    user customized css file and security

    hi, i would like to take a <textarea name="css"></textarea>

    and create a .css file with it.

    kind of like a myspace user customisation.

    what do i need to do with $_POST['css']
    before i can write a file with it, to prevent malicious scripts?

    once the file is written, its contents will be called with 'file_get_contents', assigned to $get_css and then put into the template file just before the end of the default css.

    like:

    $css
    -->
    </style>


    so how can i secure this?

    I have read some articles, but I won't know what's not 100% safe until i get hacked!!!!

  • #2
    raf
    first off: "100% safe" is a myth, invented by some drunken manager.

    about your css --> is the posted css at the end just added to a html-header? if so, then it's vulnerable to all XSS exploits so you should probably only be safe if you completely remove all html tags.
    but i see no reason for you to not just add the posted css to an external css file. then the only exploit i can think you need to take care of, is the @import exploit for IE users (IE allows non-valid css to be imported, so an attacker could slip in html). Easiest solution is to depend on your users to have a patched browser, and alternatively, you can still strip off all html-tags that are in the posted text. or simply don't process posted text that contains html-tags.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    k, let me explain some more then so i can figure this out a bit more.

    the css will be stored in an external file, which i was going to call in a php header file using file_get_contents and then assign to the template file.

    is there a more secure way of calling the css file??

    like could i use php to assign the file name and then do a html link in the template file, not exactly sure of the code, but i know u can call css files using html. the point is, is this more secure?

    so that's calling the file more securely, but how do i strip html tags before the <textarea> is saved to file??

    the file is only meant to contain css, so i guess i could run a preg_match_all and make sure it only contains:
    a-z, A-Z, 0-9, #, ', (, ), -, _

    would this prevent all malicious code and still allow enough css to be done?

  • #4
    *bump*

  • #5
    raf
    Quote Originally Posted by fatrat
        is there a more secure way of calling the css file??

    sure, just link to an external css file in the header.
    for firefox/opera, this will already solve all security problems. for IE, you still have the problem that it will process a non-valid css (like a css-file that contains html).

    Quote Originally Posted by fatrat
        but how do i strip html tags before the <textarea> is saved to file??

        the file is only meant to contain css, so i guess i could run a preg_match_all and make sure it only contains:
        a-z, A-Z, 0-9, #, ', (, ), -, _

        would this prevent all malicious code and still allow enough css to be done?

    you can just as well check that the posted value doesn't contain "<". like
    PHP Code:
    if (strpos($_POST['my_posted_css'], '<') !== False) {
        die('Invalid css posted');
    } else {
        // the saving to file etc
    }


  • #6
    $css = htmlspecialchars(stripslashes($HTTP_POST_VARS[$css]));

    if ( strpos($css, '<') )
    {
    $error = TRUE;
    $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
    }

    will that do?

    what about javascript?

    http://alistapart.com/articles/secureyourcode

    The threat
    Malicious JavaScript injections are a threat at many levels. Using a full-fledged injection, an attacker could:

    * Change the presentation of the attacker’s personal pages in a forbidden way (this is the lowest level of severity, but could produce a misleading or confusing experience for other users).
    * Execute an action whenever a user enters the attacker’s page, such as voting for the attacker in a poll or adding the attacker to a buddy or “trusted” list.
    * Infect the personal pages of users who visit the attacker’s page, creating a spreading virus that might, in turn, execute malicious code or propagate spyware /viruses that exploit security flaws in popular browsers.

    These are just three examples of what an attacker might do, but two things are already clear:

    1. XSS is a real threat. MySpace and many other community sites have already been attacked or compromised.
    2. Webmasters should, therefore, make sure that their sites are properly protected.

    IE, CSS, and JavaScript

    Thanks to IE’s predilection for executing JavaScript, many communities are left vulnerable. IE will accept and execute the following code:

    […] style="background:url(javascript:alert(document.cookie))" […]

    It’s bad if a browser executes JavaScript from style tags, because many communities don’t validate this input—they simply take the input, strip single and double quotes, and print it out. This, for example:

    [color=black; background:url(javascript:alert(document.cookie));]
    [/color]

    Would be translated into this:

    <font style="color: black; background:url(javascript:alert
    (document.cookie));"></font>

    By blocking the word “JavaScript,” many of us feel safe, but we are still vulnerable since the following example is perfectly valid as far as Internet Explorer is concerned:

    <font style="background:url(jav
    ascr
    ipt:alert(document.cookie))"></font>

    If I were to inject this into a community that blocks “JavaScript,” I would simply use:

    [color=black; background:url(jav
    ascr
    ipt:alert(document.cookie));][/color]
    Last edited by fatrat; 11-27-2006 at 07:29 AM.

  • #7
    raf
    Quote Originally Posted by fatrat
        $css = htmlspecialchars(stripslashes($HTTP_POST_VARS[$css]));

        if ( strpos($css, '<') )
        {
        $error = TRUE;
        $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
        }

        will that do?

    try it out, if you specifically want to use your own version of my code for whatever reason that escapes me.

    my educated guess is that it won't work since
    PHP Code:
    $css = '<blabla>';
    if (strpos($css, '<')) {
        echo 'css contains <';
    } else {
        echo 'css does not contain <';
    }

    would print 'css does not contain <' which is of course incorrect. this is because 0 (==> for the first position of <blabla> where < is found) evaluates to False instead of the True that you would expect.
    Quote Originally Posted by fatrat
        what about javascript?

    what about it? i already told you twice to use an external css file so that you don't have inline css.
    if you want to make completely sure that even IE -users that allow javascript won't be at risk, then just create a version of $css where you remove all linebreaks and then check if it contains "javascript". if it doesn't, then you store the original $css.

  • #8
    $css = htmlspecialchars(stripslashes($HTTP_POST_VARS[$css]));

    if ( strpos($css, '<') !== False )
    {
    $error = TRUE;
    $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
    }

    k, i added the !==False, ty for that info, there are probably other parts of my code I will now change coz I had done that wrong.

    so tyvm for that

    I do intend to create the file and import it as an external script using:

    <link rel="stylesheet" type="text/css" href="/path/yourfile.css">

    so that will hopefully stop a lot of misuses, now I will write a short code to remove linebreaks and check for 'javascript', ill post later.

    ty


    this code seems far too easy to handle this:

    http://namb.la/popular/tech.html


    having said that, if divs aren't allowed, does that mean that kind of script wouldn't work?
    but are there ways around that?
    Last edited by fatrat; 11-27-2006 at 05:28 PM.
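
The checks discussed in this thread put together, as an added example (not code from any poster; `css_validation_errors` and the sample strings are made up for illustration). It tests the raw input for `<` with `!== false`, collapses whitespace before looking for `javascript`, and rejects any `@import`, which is an assumption that goes further than the thread's advice.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Validates user CSS before it is written to an external .css file.

function css_validation_errors(string $raw): array
{
    $errors = [];

    // Check the RAW input. strpos() returns 0 when '<' is the first
    // character, so the result must be compared with !== false.
    if (strpos($raw, '<') !== false) {
        $errors[] = 'CSS must not contain any html';
    }

    // Comparison copy only: drop whitespace and control characters
    // (line breaks included) and lowercase, so a keyword split across
    // lines becomes contiguous. The original text is what gets stored.
    $probe = strtolower(preg_replace('/[\s\x00-\x1F\x7F]+/', '', $raw));

    // Rejecting '@import' outright is an assumption of this example.
    foreach (['javascript', '@import'] as $needle) {
        if (strpos($probe, $needle) !== false) {
            $errors[] = "CSS must not contain '$needle'";
        }
    }
    return $errors;
}

// Constructed sample inputs.
$samples = [
    'plain'      => "body { color: #333; background: url(bg.png); }",
    'leading <'  => "<script>alert(1)</script>",
    'split word' => "div { background: url(jav\nascr\nipt:alert(1)); }",
    'import'     => "@import url(http://example.invalid/x.css);",
];

foreach ($samples as $label => $css) {
    $errors = css_validation_errors($css);
    echo str_pad($label, 12), $errors ? implode('; ', $errors) : 'ok', "\n";
}

// Order matters: htmlspecialchars() turns '<' into '&lt;', so a '<'
// check that runs after it can never match. Compare the two results.
var_dump(strpos(htmlspecialchars('<blabla>'), '<'));
var_dump(strpos('<blabla>', '<'));
```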

