My goal is to allow partners to style their landing pages with their own look and feel by passing us a link to their stylesheet in a URL parameter. Are there security or browser compatibility concerns with loading third-party CSS via JavaScript?
我的目标是允许合作伙伴通过在URL参数中传递到他们的样式表的链接来使用他们自己的外观和感觉。通过JavaScript加载第三方CSS是否存在安全性或浏览器兼容性问题?
4 个解决方案
#1
13
In CSS Files.
在CSS文件中。
expressions(code), behavior:url(), url(javascript:code), and -moz-binding:url() all have potential security issues.
表达式(代码)、行为:url()、url(javascript:代码)和- mozilla -binding:url()都存在潜在的安全问题。
Behavior can't be cross domain so that removes some threat, but generally speaking you do need to sanitize it somehow.
行为不能跨域以消除某些威胁,但一般来说,您确实需要以某种方式对其进行清理。
If you allow the user to link to CSS on external servers, there isn't a fullproof way to validate. The server could check the CSS file on the server to ensure there is nothing malicious, but what if the user changes the stylesheet? You would have to continuously check the stylesheet. Also the the server could potential feed different info to the servers ip address in attempt to bypass the validation method.
如果允许用户在外部服务器上链接到CSS,就没有一种完整的验证方法。服务器可以检查服务器上的CSS文件,以确保没有恶意,但是如果用户更改样式表怎么办?您必须不断地检查样式表。此外,服务器可能向服务器ip地址提供不同的信息,试图绕过验证方法。
In all honesty I would advise storing the CSS on your own server. Simple run it throw a regex parser that removes the possible malicious code from above.
说实话,我建议把CSS存储在你自己的服务器上。简单运行它抛出一个regex解析器,从上面删除可能的恶意代码。
#2
3
As long as you validate it somehow you should be good.
只要你以某种方式验证它,你就应该是好的。
GOLDEN RULE: Do NOT trust the user
黄金法则:不要信任用户
#3
2
If the user is the only person with the ability to see their custom CSS, then there is not really any danger. They could ruin their own experience on your site, but not that of others.
如果用户是唯一能够看到自己的自定义CSS的人,那么就没有任何危险。他们可能会破坏他们在你的网站上的体验,但不会破坏其他人的体验。
However, if their custom CSS is displayed to other users, then they could potentially use it to completely mess up the styles of your site as you intended. For example, they could simply grab the id of some important elements from your source, and override them to hide them.
但是,如果他们的自定义CSS显示给其他用户,那么他们可能会使用它来完全打乱您的站点的样式。例如,它们可以简单地从源获取一些重要元素的id,并覆盖它们以隐藏它们。
Of course, as long as you are careful and properly sanitize all user input, you should not face any major problems.
当然,只要您仔细和适当地对所有用户输入进行消毒,您就不应该面临任何重大问题。
#4
0
CSS expressions only work in IE 6-7, but allow inline JS to be used (generally to calculate a value to set).
CSS表达式只能在IE 6-7中使用,但允许使用内联JS(通常用于计算要设置的值)。
For example:
例如:
/* set bgcolor based on time */
div.title {
background-color: expression( (new Date()).getHours() % 2 ? "#B8D4FF" : "#F08A00" );
}
however, this could potentially be used to do malicious things, i'd say it's at least worth some testing.
然而,这可能被用来做恶意的事情,我得说它至少值得一些测试。
#1
13
In CSS Files.
在CSS文件中。
expressions(code), behavior:url(), url(javascript:code), and -moz-binding:url() all have potential security issues.
表达式(代码)、行为:url()、url(javascript:代码)和- mozilla -binding:url()都存在潜在的安全问题。
Behavior can't be cross domain so that removes some threat, but generally speaking you do need to sanitize it somehow.
行为不能跨域以消除某些威胁,但一般来说,您确实需要以某种方式对其进行清理。
If you allow the user to link to CSS on external servers, there isn't a fullproof way to validate. The server could check the CSS file on the server to ensure there is nothing malicious, but what if the user changes the stylesheet? You would have to continuously check the stylesheet. Also the the server could potential feed different info to the servers ip address in attempt to bypass the validation method.
如果允许用户在外部服务器上链接到CSS,就没有一种完整的验证方法。服务器可以检查服务器上的CSS文件,以确保没有恶意,但是如果用户更改样式表怎么办?您必须不断地检查样式表。此外,服务器可能向服务器ip地址提供不同的信息,试图绕过验证方法。
In all honesty I would advise storing the CSS on your own server. Simple run it throw a regex parser that removes the possible malicious code from above.
说实话,我建议把CSS存储在你自己的服务器上。简单运行它抛出一个regex解析器,从上面删除可能的恶意代码。
#2
3
As long as you validate it somehow you should be good.
只要你以某种方式验证它,你就应该是好的。
GOLDEN RULE: Do NOT trust the user
黄金法则:不要信任用户
#3
2
If the user is the only person with the ability to see their custom CSS, then there is not really any danger. They could ruin their own experience on your site, but not that of others.
如果用户是唯一能够看到自己的自定义CSS的人,那么就没有任何危险。他们可能会破坏他们在你的网站上的体验,但不会破坏其他人的体验。
However, if their custom CSS is displayed to other users, then they could potentially use it to completely mess up the styles of your site as you intended. For example, they could simply grab the id of some important elements from your source, and override them to hide them.
但是,如果他们的自定义CSS显示给其他用户,那么他们可能会使用它来完全打乱您的站点的样式。例如,它们可以简单地从源获取一些重要元素的id,并覆盖它们以隐藏它们。
Of course, as long as you are careful and properly sanitize all user input, you should not face any major problems.
当然,只要您仔细和适当地对所有用户输入进行消毒,您就不应该面临任何重大问题。
#4
0
CSS expressions only work in IE 6-7, but allow inline JS to be used (generally to calculate a value to set).
CSS表达式只能在IE 6-7中使用,但允许使用内联JS(通常用于计算要设置的值)。
For example:
例如:
/* set bgcolor based on time */
div.title {
background-color: expression( (new Date()).getHours() % 2 ? "#B8D4FF" : "#F08A00" );
}
however, this could potentially be used to do malicious things, i'd say it's at least worth some testing.
然而,这可能被用来做恶意的事情,我得说它至少值得一些测试。