[SOLVED] Disabling malicious code in CSS (Cascading Style Sheets)

[MysterySword]

Well, I made a system where users can use CSS to change the look of their profiles. However, I'm worried about vulnerabilities in the submitted CSS code.

 

Here's the code in the profiles that run the custom CSS:

echo "<STYLE type=\"text/css\">".$user_data['user_css']."</STYLE>\n";

 

I'm free from MySQL errors, because of a command that strips input, but I'm talking about when that code is activated in the profile. I believe JavaScript can run within CSS, so is it possible to disable that?

 

[maexus]

You will most likely need to import the contents of the css file in PHP, regex the javascript out and then display the css as inline vs linking to it.

[MysterySword]

Ouch. That seems like a lot. Oh well, as it's said, "better to be safe than sorry".

 

EDIT: Nevermind, I forgot there was already a function that striped JavaScript so it wouldn't run. Thanks for your help, anyway.