MysterySword Posted July 8, 2008 Share Posted July 8, 2008 Well, I made a system where users can use CSS to change the look of their profiles. However, I'm worried about vulnerabilities in the submitted CSS code. Here's the code in the profiles that run the custom CSS: echo "<STYLE type=\"text/css\">".$user_data['user_css']."</STYLE>\n"; I'm free from MySQL errors, because of a command that strips input, but I'm talking about when that code is activated in the profile. I believe JavaScript can run within CSS, so is it possible to disable that? Quote Link to comment Share on other sites More sharing options...
maexus Posted July 8, 2008 Share Posted July 8, 2008 You will most likely need to import the contents of the css file in PHP, regex the javascript out and then display the css as inline vs linking to it. Quote Link to comment Share on other sites More sharing options...
MysterySword Posted July 8, 2008 Author Share Posted July 8, 2008 Ouch. That seems like a lot. Oh well, as it's said, "better to be safe than sorry". EDIT: Nevermind, I forgot there was already a function that striped JavaScript so it wouldn't run. Thanks for your help, anyway. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.