危害用户css [英] dangers to user css
问题描述
允许用户css存在任何危险或安全风险?
Are there any dangers or security risks in allowing user css?
对于非特定问题,抱歉。可能的实现:有一个textarea用户输入自定义css,然后采取css并将其放入一个样式元素:< style type =text / css>< / style> / code>与js。
Sorry for unspecific question. Possible implementation: having a textarea for users to input custom css, and then taking that css and putting it into a style element: <style type="text/css"></style>
with js.
推荐答案
是的,有很多潜在的XSS攻击,背景图像和whatnot。例如,在 XSS备忘单中搜索样式。
Yes, there are many potential XSS attacks, mostly through putting JavaScript in urls for background-image and whatnot. Search for "style" in the XSS Cheat Sheet for some examples.
用户CSS也可能会破坏您的网站,例如使导航菜单为0x0像素或将其从屏幕移动到-1000,-1000。或者CSS本身可以引用来自其他网站的图片,您不能保证将继续保持。
There is also the potential that the user CSS could break your site, for example making the navigation menu 0x0 pixels or moving it offscreen to -1000, -1000. Or the CSS itself could reference images from other sites, which you can't guarantee will continue to stay up.
这篇关于危害用户css的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!