Ruud Hermans, Posted October 31, 2006

I was wondering if it's a security risk that can be exploited to allow visitors of your website to edit the CSS file that displays a certain page?

Ruud Hermans

shiftJIS, Posted October 31, 2006

Depends what you mean by security risk. I can't think of any way in which doing so would compromise the system. As long as whatever method you use to change the CSS only affects the file itself.

The thing is, not only can they change the layout, but certain browsers allow the insertion of content through CSS. This means they can alter input fields (to spoof-steal passwords from any login forms you might have).

It also depends on how the CSS is attached to the page. If it's included inline dynamically, I can see where that might cause some problems. It'll be safer to @import it. This point is moot if the user-defined CSS only applies to his/her own session though (no point in spoofing your own passwords).

The CSS Zen Garden takes user submissions for CSS files. They do go through a moderation process, but you can fudge with the URL to include your own CSS. It seems safe enough for them.

Ruud Hermans, Posted October 31, 2006

Mmm.

Would it be possible to store CSS files of every individual in a MySQL database and extract them when a user logs in using his/her password?

Would this also be a safe way?

Ruud Hermans
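
An added example, not written by anyone in this thread: one way to check a per-user stylesheet before it is stored in the database, so that pseudo-element rules carrying generated content, at-rules and `url()` values never reach a page. The function name, the property allowlist and the patterns are assumptions made for illustration.

```python
import re

# Assumed allowlist for this example: extend it one property at a time.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "text-align", "text-decoration", "margin", "padding", "border", "width",
}
# Values: keywords, numbers with units, #hex colours, unquoted font lists.
# No parentheses, quotes, slashes or backslashes, so url(), expression()
# and CSS escapes cannot appear.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%., -]+")
# Selectors: element, .class, #id, descendant and grouping only. No colon,
# so :before/:after rules that insert generated content are not expressible.
SAFE_SELECTOR = re.compile(r"[A-Za-z0-9.#,_ -]+")
RULE = re.compile(r"([^{}]*)\{([^{}]*)\}")
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def validate_user_css(css):
    """Return (canonical_css, errors); canonical_css is None on any error."""
    errors, rules = [], []
    css = COMMENT.sub(" ", css)
    # Anything outside "selector { declarations }" (nested or unbalanced
    # braces, stray markup) is refused rather than repaired.
    if RULE.sub("", css).strip():
        errors.append("text outside a simple rule block")
    for selector, body in RULE.findall(css):
        selector = " ".join(selector.split())
        if not SAFE_SELECTOR.fullmatch(selector):
            errors.append(f"selector not allowed: {selector!r}")
            continue
        decls = []
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            prop, _, value = decl.partition(":")
            prop, value = prop.strip().lower(), " ".join(value.split())
            if prop not in ALLOWED_PROPERTIES:
                errors.append(f"property not allowed: {prop!r}")
            elif not SAFE_VALUE.fullmatch(value):
                errors.append(f"value not allowed for {prop}: {value!r}")
            else:
                decls.append(f"{prop}: {value};")
        rules.append(f"{selector} {{ {' '.join(decls)} }}")
    # Store and serve only the re-serialized form, never the raw submission.
    return (None if errors else "\n".join(rules)), errors
```

Only the canonical string returned on success would be written to the database; a submission with any error is rejected whole rather than partially cleaned.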