如果允许用户添加CSS，是否存在安全威胁? [英] Is there a security threat if I enable a user to add CSS?

问题描述

在社交网站(例如，社交网站)中，使用户向自己的个人页面添加CSS规则是否不安全?

Is it not secure to enable user to add his own rules of CSS to his personal page, in (for example) a social website ?

推荐答案

不安全.有多种方法可以将JavaScript嵌入CSS，以便至少某些浏览器可以执行它.Google"XSS CSS"，然后浏览热门歌曲.

It is not secure. There are multiple ways to embed JavaScript in CSS such that it gets executed by at least some browsers. Google "XSS CSS" and look through the top hits.

除非您愿意对CSS进行彻底的清理，并且在不可避免地绕过清理而用户的cookie遭到破坏时清理混乱，否则请不要这样做.

Don't do this unless you're willing to do hardcore sanitization of the CSS, and to clean up the mess when your sanitization is inevitably bypassed and your users' cookies are compromised.

这篇关于如果允许用户添加CSS，是否存在安全威胁?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！