
I'm working on a blog site, and I plan to allow bloggers to completely edit the style sheet for their own blogs.

I assume this isn't dangerous, since CSS is client side, but I thought it'd be best to check. Is there a way someone could use this feature to implant backdoors and such into my site?

Tom
  • If you consider everything client-side as safe you're doing it wrong, you *also* need to care about the security of your users. –  Feb 25 '15 at 05:05
  • Of course, I'm not going to make anything unsecure. The idea was to be able to let users add their own styles. Each user gets their own folder where the sheets are stored. – Tom Feb 25 '15 at 05:36
  • Hi Tom, welcome to [security.se]! I think you're missing @AndréDaniel's point - the custom CSS isn't just served to the blogger herself, but to any user that visits that blog page. Oh and btw, if you're allowing any user to store the CSS as files on disk (as opposed to dynamically in e.g. a database), then you do open up a whole bunch of other forms of server-side attacks. – AviD Feb 25 '15 at 07:54

0 Answers