I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitiz
I don't see how this could possibly create security vulnerabilities, unless the profiles are shared with other users.
If they're shared, CSRF vulnerabilities could come up (since CSS can generate GET requests to include images, fonts, other stylesheets etc). They could also use content to trick users into clicking some places, hide important functionality, etc. And, of course, you would have to escape `<`, `>`, and possibly `&` to prevent XSS (if the CSS is embedded in the HTML).

As to libraries to do the sanitization, I'm not aware of any (maybe tidy).
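An added example (not code from the question or the answer) of a small server-side filter for the two concerns raised above: it drops `@import` and any `url()` that would fetch from a host other than the forum's own (the cross-site GET problem), and it removes `<` so the stylesheet cannot close a `<style>` element or start a tag. It strips `<` instead of entity-escaping because `>` is a legitimate CSS child combinator and text inside `<style>` gets no character-reference decoding; the allowed-host set and the regex-based tokenising are assumptions of this example, not a full CSS parser.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hosts the forum itself serves assets from (constructed placeholder values).
ALLOWED_HOSTS = {"forum.example", "static.forum.example"}

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
IMPORT_RE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def url_is_local(ref: str) -> bool:
    """True only for relative paths or http(s) URLs on an allowed host."""
    p = urlparse(ref.strip())
    if p.scheme and p.scheme.lower() not in ("http", "https"):
        return False                     # any non-web scheme is rejected
    if p.netloc and p.netloc.lower() not in ALLOWED_HOSTS:
        return False                     # would make the browser GET a third-party host
    return True


def sanitize_css(css: str) -> tuple[str, list[str]]:
    """Return (cleaned stylesheet, list of fragments that were rejected)."""
    rejected: list[str] = []
    css = COMMENT_RE.sub("", css)        # comments can hide tokens from naive filters
    # @import always fetches another stylesheet, so it is removed outright.
    rejected.extend(m.group(0) for m in IMPORT_RE.finditer(css))
    css = IMPORT_RE.sub("", css)

    def check_url(m: re.Match) -> str:
        if url_is_local(m.group(2)):
            return m.group(0)
        rejected.append(m.group(0))
        return "none"                    # valid value for background/list-style etc.

    css = URL_RE.sub(check_url, css)
    # '<' is never needed in a stylesheet; removing it blocks </style> breakout.
    return css.replace("<", ""), rejected


# Constructed sample of a hostile profile stylesheet.
SAMPLE = """
@import url("https://evil.example/track.css");
.profile { background: url('//evil.example/pixel.gif'); color: red; }
.avatar { background: url("/img/avatar.png") }
.card > p { font-size: 12px }
</style><b>injected</b>
"""

if __name__ == "__main__":
    clean, dropped = sanitize_css(SAMPLE)
    print(clean)
    print("rejected:", dropped)
```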