如何确保用户输入是CSS而不是恶意代码？ [英] How do I ensure user input is CSS and not malicious code?

问题描述

在我的网站上，我想包括一个文本框，将允许成员更改任何他们想要css明智在他们的个人资料....但我不想醒来一个早晨，以找到我的网站已被黑客或者有人打印和破坏了一切或访问的东西，他们不应该。

On my website I want to include a text box that will allow the members to change anything they want css wise on their profiles....but I don't want to wake up one morning to find my site has been hacked or someone typoed and destroyed everything or accessed things they shouldn't.

有没有简单的方法来验证他们输入的文本是否只是CSS？我看到另一个问题在这里是相似的，它有XSS的备忘单和提示为什么禁用（<和]]和<！[），但我不知道这是否足够。

Is there any easy way to verify that the text they input is css only? I saw another question on here that was similar, it had XSS cheat sheet and tips for what to disable (< and ]]> and < ![), but I don't know if that will be enough. I will definitely use that info though.

基本上我想让PHP调用任何自定义css，并在用户配置文件的脚本标签之间插入它。我想允许尽可能多的css。这是最好的办法吗？我不知道如何组成一个系统来生成安全的文件，或者耐心地组成一个选项的整个部分（特别是因为我想给成员更多的自由与他们的个人资料）。

Essentially I want to just make PHP call any custom css and insert it between script tags for the users profile. I want to allow as much css as possible. Is this the best way to go about it? I don't have the know how to make up a system to generate safe files, or the patience to make up an entire section with options (especially since I want to give members more freedom with their profiles).

任何建议是赞赏，如果有人知道一些脚本，这已经可以摇滚，帮助我找出该做什么：D。

Any advice is appreciated, and if anyone knows of some script that does this already that would rock too and help me figure out what to do :D.

推荐答案

当用户登录时，为该用户添加一个单独的< link> 元素。 href可以指向为用户生成css的脚本，例如 customcss.php？userid = 1234& version = 2 *）。脚本只需要返回用户先前输入的所有内容。因为你把它作为一个单独的CSS文件，浏览器将总是这样处理，永远不会运行任何脚本。任何HTML或JavaScript只是作为无效的CSS处理。

When a user is logged in, add a separate <link> element for that user. The href can point to a script that generates the css for the user, for instance customcss.php?userid=1234&version=2 *). The script only needs to return everything the user has entered before. Because you enclose it as a separate CSS file, the browser will always treat it as such and will never run any scripts. Any HTML or Javascript is just treated as invalid CSS.

但是，请注意，包含脚本的问题很少，因为它们只会在浏览器中运行登录的用户，因此他们只能hack自己的视图您的网站。如果他们想要注入JavaScript，他们仍然可以通过编写自己的浏览器插件来做到这一点，所以你不会打开以前没有的可能性。

Note however, that there's little harm anyway in including scripts for that matter, because they will only run in the browser of the logged in user, so they can only hack their own view of your site. If they want to inject Javascript, they can still do that by writing their own browser plugins, so you won't open up a possibility that wasn't there before.

需要担心的主要事情是

The main thing you need to worry about are

• 可用性。如果用户犯了错误并意外隐藏了Body元素，该怎么办？他们将如何重置？


• SQL注入。无论您做什么或不允许，请务必确保您的输入已经过滤。


• PHP注入。不要执行（eval）用户内容。


• 隐藏用户信息。向customcss.php网址添加代码，以防止其他用户猜测用户ID，从而深入了解其他用户的自定义设置。

• Usability. What if the user makes a mistake and accidentally hides the Body element. How will they be able to reset it?
• SQL injection. No matter what you do or do not allow, always make sure your input is sanatized.
• PHP injection. Don't execute (eval) user content. Ever.
• Hiding user information. Add a code to the customcss.php url to prevent other users from guessing a user id, gaining insight into the customizations of other users.

*）我已经添加了一个版本号到CSS url，你应该在数据库中更新每次用户更新他们的CSS。如果你不这样做，浏览器将缓存旧的CSS，用户将开始向你抱怨，因为他们的更改不会显示。

*) I've added a version number to the CSS url, which you should update in the database each time a user updates their CSS. If you don't do that, the browsers will cache the old CSS and users will start complaining to you, because their changes won't become visible.

这篇关于如何确保用户输入是CSS而不是恶意代码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！