
I'm working on a website where I need to allow the user to change multiple CSS values in their CMS. I need to read these values back to the browser as CSS and ran across an "easy" way to do just that: create a PHP file but send the Content-Type header as text/css, as seen below:

<?php
    // Content-Type parameters are separated with "=", not ":" (charset=UTF-8).
    header( "Content-type: text/css; charset=UTF-8" );

    // get_option() is the WordPress options API; the value is whatever the user saved.
    $body_bgcolor = get_option( 'background_color' );
    /* ... Additional Settings ... */
?>

body    {background-color: <?php echo $body_bgcolor; ?>}

This allows me to send the above to the browser using:

<link rel="stylesheet" href="http://domain.com/globals/customizations.php" type="text/css" />

All the above works fine and there may be some performance drawbacks, but I'm more concerned about any security holes this may create. When discussing this with colleagues they talked vaguely about how insecure the above method was. I've tried searching on this subject but I haven't found anything specifically discussing the security implications of doing the above.

Would applying the above be insecure in some way?

KSR
Howdy_McGee
    You just need to avoid passing anything there other than a colour. So you can make a regex for that (server-side). – Aria Sep 13 '16 at 20:47

1 Answer


I have been doing exactly this for many years on several websites.

This is no more and no less secure than using PHP to build an HTML page.

Make sure you sanitize/validate any user-provided inputs (as you would do for handling user input on a regular web page), and there's no reason not to do what you are doing.

Moshe Katz