Allowing custom CSS in your app
Courtenay : December 31st, 2008
There are a couple of good reasons why you might not want your users providing their own CSS (for example, when theming their site): taste (see: MySpace) and security.
The former is pretty much your users' problem. The pages don't have to look terrible -- and in fact Myspace charges a LOT of money to do those custom movie or band pages (it's part of the service when you buy their primo ad space).
The latter is the real concern: as it turns out, there are a bunch of security vulnerabilities exposed through CSS. These are mainly in IE and relate to expressions (a CSS expression lets a stylesheet run JavaScript), which means a user who can supply their own CSS can steal other users' sessions. So, while there are some excellent Perl libraries out there for this, there hasn't been one for Ruby -- until now! (at least, not one that I could find).
So, here's my first attempt.
css_file_sanitize (github)
I stole most of the tests from LiveJournal's CSS sanitizing library and rewrote the implementation in Ruby. I'd love to hear your collective feedback. It's a really lazy plugin; in fact, while it does have tests, you're best off just including the module in your model. This is a case of "it works on my machine", so send your patches!

1 Response to “Allowing custom CSS in your app”
January 1st, 2009 at 09:43 AM
Aloha Courtenay,
Great job. I completely understand the need for this. However, I generally prefer whitelists in security matters instead of blacklists. A creative hacker can frequently get around your blacklists because there are always tons of ways to approach a problem.
This will be a great starting point until we can get a decent CSS parser and a whitelist implementation.
Thanks & Happy New Year!
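As an added example (written for this page, not code from the css_file_sanitize plugin), here is the whitelist approach the comment asks for, aimed at the expression() problem the post describes: only listed properties survive, and a value is dropped if it carries anything that could run script or pull in a remote stylesheet in old IE or Gecko, even when the keyword is split with comments or hidden behind a CSS hex escape. It assumes nothing beyond standard Ruby; the property list and patterns are illustrative choices, not the plugin's.

```ruby
# Added example: whitelist-based CSS sanitizer (not the css_file_sanitize
# plugin). Property whitelist and value patterns are illustrative choices.
module CssSanitizer
  ALLOWED_PROPERTIES = %w[
    color background-color font-size font-family font-weight font-style
    margin padding border text-align text-decoration width height
  ].freeze

  # Conservative selector syntax; anything else (at-rules, escapes) is dropped.
  SAFE_SELECTOR = /\A[\w\s.#:,>+~*\[\]=\-"'()]+\z/

  # Values that can execute code or fetch resources in some browsers.
  # url() is blocked outright here; a real deployment would allow only
  # same-origin image URLs.
  DANGEROUS_VALUE = /expression\s*\(|behavior|binding|javascript:|vbscript:|@import|url\s*\(/i

  # Undo the obfuscations a filter evader relies on: /* */ comments inside a
  # keyword, CSS hex escapes (\65 => "e") and stray backslashes.
  def self.normalize(text)
    t = text.gsub(%r{/\*.*?\*/}m, "")
    t = t.gsub(/\\([0-9a-fA-F]{1,6})\s?/) { [$1.hex].pack("U") }
    t.delete("\\")
  end

  # Returns a stylesheet containing only whitelisted rules and declarations.
  def self.sanitize(css)
    css = css.gsub(%r{/\*.*?\*/}m, "")
    css.scan(/([^{};]+)\{([^{}]*)\}/).map do |selector, body|
      selector = normalize(selector).strip
      next nil unless selector =~ SAFE_SELECTOR
      decls = body.split(";").map { |d| sanitize_declaration(d) }.compact
      decls.empty? ? nil : "#{selector} { #{decls.join('; ')} }"
    end.compact.join("\n")
  end

  # One "property: value" pair; nil means the declaration is discarded.
  def self.sanitize_declaration(decl)
    prop, value = decl.split(":", 2)
    return nil if prop.nil? || value.nil?
    prop = normalize(prop).strip.downcase
    value = normalize(value).strip
    return nil unless ALLOWED_PROPERTIES.include?(prop)
    return nil if value =~ DANGEROUS_VALUE
    "#{prop}: #{value}"
  end
end
```

Rules whose selector or every declaration is rejected are dropped entirely, so a stylesheet that is nothing but an attack sanitizes to an empty string.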