Security question

[Ruud Hermans]

I was wondering if it's a security risk that can be exploited to allow visitors of your website to edit the CSS file that display's a certain page?Ruud Hermans

[shiftJIS]

Depends what you mean by security risk. I can't think of any way which doing so would compromise the system. As long as whatever method you use to change the CSS only affects the file itself.The thing is, not only can they change the layout, but certain browsers allows the insertion of content through CSS. This means they can alter input fields (to spoof-steal passwords from any login-forms you might have).It also depends on how the CSS is attached to the page. If it's included inline dynamically, I can see where that might cause some problems. It'll be safer to @import it. This point is moot if the user-defined CSS only applies to his/her own session though (no point in spoofing your own passwords).The Css Zen Garden takes user submissions for CSS files. They do go through a moderation process, but you can fudge with the URL to include your own CSS. It seems safe enough for them.

[Ruud Hermans]

mmm.Would it be possible to store css files of every individual in a mysql database and extract them when a user logs in using his her password?Would this also be a safe way?Ruud Hermans