jarbot - 2 months ago
CSS Question

Is there any danger in loading external, third-party CSS?

My goal is to allow partners to style their landing pages with their own look and feel by passing us a link to their stylesheet in a URL parameter. Are there security or browser compatibility concerns with loading third-party CSS via JavaScript?

Answer

In CSS files:

expression(code), behavior:url(), url(javascript:code), and -moz-binding:url() all have potential security issues.

Behavior can't be cross-domain, so that removes some threat, but generally speaking you do need to sanitize it somehow.

If you allow the user to link to CSS on external servers, there isn't a foolproof way to validate. The server could check the CSS file on the server to ensure there is nothing malicious, but what if the user changes the stylesheet? You would have to continuously check the stylesheet. Also, the server could potentially feed different info to the server's IP address in an attempt to bypass the validation method.

In all honesty I would advise storing the CSS on your own server. Simply run it through a regex parser that removes the possible malicious code from above.