危害用户css [英] dangers to user css

问题描述

允许用户css存在任何危险或安全风险？

Are there any dangers or security risks in allowing user css?

对于非特定问题，抱歉。可能的实现：有一个textarea用户输入自定义css，然后采取css并将其放入一个样式元素：< style type =text / css>< / style> / code>与js。

Sorry for unspecific question. Possible implementation: having a textarea for users to input custom css, and then taking that css and putting it into a style element: <style type="text/css"></style> with js.

推荐答案

是的，有很多潜在的XSS攻击，背景图像和whatnot。例如，在 XSS备忘单中搜索样式。

Yes, there are many potential XSS attacks, mostly through putting JavaScript in urls for background-image and whatnot. Search for "style" in the XSS Cheat Sheet for some examples.

用户CSS也可能会破坏您的网站，例如使导航菜单为0x0像素或将其从屏幕移动到-1000，-1000。或者CSS本身可以引用来自其他网站的图片，您不能保证将继续保持。

There is also the potential that the user CSS could break your site, for example making the navigation menu 0x0 pixels or moving it offscreen to -1000, -1000. Or the CSS itself could reference images from other sites, which you can't guarantee will continue to stay up.

这篇关于危害用户css的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！