I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page.
However, I am aware of this opening up many security risks, i.e. background: url('javascript:alert("Got your cookies! " + document.cookies')).
Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users.
So my question is: does anyone know of a gem or a plugin that handles this? I've googled my brains out already, so any tips would be really appreciated!
asked Jun 16, 2010 at 7:09 by Erik

Comments:
- Just curious, how are you storing your CSS? In a database or as a file for each user? – Shripad Krishna, Jun 16, 2010 at 7:38
- Wow.. crazy that you can execute javascript from CSS like that. No idea how to solve it though - sorry! – zaius, Jun 16, 2010 at 7:48
- Shripad K: I'll store the CSS in the database. zaius: Yup! Check out this page: guides.rubyonrails/security.html#css-injection – Erik, Jun 16, 2010 at 7:55
2 Answers
Rails has a built-in CSS sanitizer
See http://apidock./rails/ActionView/Helpers/SanitizeHelper/sanitize_css and its parent http://apidock./rails/ActionView/Helpers/SanitizeHelper/sanitize
> ActionController::Base.helpers.sanitize_css('background:#fff')
=> "background: #fff;"
> ActionController::Base.helpers.sanitize_css('javascript:alert("garr");')
=> ""
There's also some code called css_file_sanitize: https://github./courtenay/css_file_sanitize
Comparing it to the Rails sanitize command, I find that both use regular expressions to strip out undesirable portions of the CSS.
Here's the source for css_file_sanitize: https://github./courtenay/css_file_sanitize/blob/master/lib/css_sanitize.rb
Here's the source for Rails sanitize: https://github./rails/rails/blob/master/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
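To make the regex-based approach concrete, here is an added illustration in plain Ruby (not the code of Rails' sanitize_css or of css_file_sanitize): an allowlist-based sanitizer for one declaration block that keeps only known property names and drops values carrying javascript: URLs, expression() and similar tokens, which is the same idea both libraries apply. The property list, the patterns and the sanitize_declarations name are my own assumptions and would need extending for real use.

```ruby
# Added example: allowlist sanitizer for a CSS declaration block such as
# "color: red; background: url(...)". Selectors and @-rules are out of scope,
# and semicolons inside quoted strings are not handled (a real parser would).

# Properties a profile page is allowed to set (assumed list, extend as needed).
SAFE_PROPERTIES = %w[
  color background background-color background-image font-family font-size
  font-weight text-align text-decoration margin padding border border-radius
  width height display line-height
].freeze

# Tokens that must never appear in a value: script URLs, IE expression(),
# data: URLs, @import, legacy behavior/binding, and backslash escapes that
# could be used to smuggle any of the above past the check.
UNSAFE_VALUE = /javascript:|vbscript:|data:|expression\(|@import|behavior|binding|\\/i

# Values may only consist of plain tokens: words, numbers, units, hex colours,
# quotes, parentheses and URL punctuation.
SAFE_VALUE = %r{\A[-\w\s.,%\#()'"/:]+\z}

def sanitize_declarations(css)
  css.split(";").map do |decl|
    prop, value = decl.split(":", 2).map(&:strip)
    next if prop.to_s.empty? || value.to_s.empty?
    prop = prop.downcase
    next unless SAFE_PROPERTIES.include?(prop)
    # Strip comments first so "java/**/script:" cannot split the keyword,
    # then compare with all whitespace removed for the same reason.
    value = value.gsub(%r{/\*.*?\*/}m, "")
    next if value.gsub(/\s+/, "") =~ UNSAFE_VALUE
    next unless value =~ SAFE_VALUE
    # url() targets are limited to http(s) or site-relative paths.
    if value =~ /url\s*\(\s*['"]?([^'")]*)/i
      next unless Regexp.last_match(1).strip =~ %r{\A(https?://|/)}i
    end
    "#{prop}: #{value};"
  end.compact.join(" ")
end
```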