允许用户编辑css是否安全？ [英] Is it safe to allow users to edit css?

问题描述

我有一个网络应用程序，我想允许最终用户通过上传自己的css文件来自定义网站的外观。

I have a web application where I would like to allow end users to customise the look of the web site by uploading their own css file.

有任何安全这个问题？我看不到任何明显的东西，但我认为我会问，如果有什么我会错过。

Are there any security issues with this? I can't see anything obvious but thought I'd ask in case there was anything I'd missed.

推荐答案

在CSS中执行，您必须确保您正在使用一些过滤。

Javascript can be executed in CSS, you have to make sure that you are using some filtering.

我也看到有人在微软控制的网站上覆盖整个页面的事件透明像素，链接到恶意网站。点击任何地方可触发攻击者网站。

I have also seen incidents where someone has covered the entire page on a microsoft controlled site with a transparent pixel, linking to a malicious site. Clicking anywhere triggered the attackers site to appear.

但是，如果用户只看到自己的CSS，他们就无法查看他们做了什么。否则，某些类型的白名单或降价会工作。

This could however be safe if the user only sees his or her own CSS, and they would have no way of someone else viewing what they have done. Otherwise some sort of whitelist or markdown would work.

这篇关于允许用户编辑css是否安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！