Filtering User Generated CSS

greggles

There are several modules which allow for user/admin generated CSS to be injected into the page.

CSS can contain cross-site scripting attacks and the use of url() helps make it a means to exploit CSRF. What can we do to filter user generated CSS so that it is safe?

One strategy seems to be something like the way Color module/Garland work: users are limited to choosing specific colors which are inserted into specific pieces of the CSS. This is also what a lot of other sites do (Twitter, Bebo, etc.). That's great, but limiting.

See http://www.daniweb.com/forums/thread196994.html for some more discussion. It's hard to find good resources on this because CSS is sometimes used to mean XSS :/
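
The strategy described in the post, where users choose specific colors that are inserted into specific places in fixed CSS, is sketched below. This is an added example, not code from the original post or from Drupal's Color module; the template, slot names, function names and sample input are constructed for illustration.

```php
<?php
// Fixed stylesheet: users only supply values for these slots, never CSS text.
const CSS_TEMPLATE = <<<'CSS'
body { background-color: {{background}}; color: {{text}}; }
a:link, a:visited { color: {{link}}; }
CSS;

// Allowed slots (hypothetical names) with the default used on missing/rejected input.
const SLOT_DEFAULTS = [
    'background' => '#ffffff',
    'text'       => '#000000',
    'link'       => '#0062a0',
];

// Return a normalized #rrggbb color, or null if $value is not a hex color.
// \A...\z anchors the whole string, so extra tokens such as
// "; background: url(...)" or a trailing newline cannot ride along.
function normalize_hex_color($value): ?string
{
    if (!is_string($value) || !preg_match('/\A#?([0-9a-f]{3}|[0-9a-f]{6})\z/i', $value, $m)) {
        return null;
    }
    $hex = strtolower($m[1]);
    if (strlen($hex) === 3) {
        // Expand shorthand: abc -> aabbcc.
        $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
    }
    return '#' . $hex;
}

// Build the stylesheet. Unknown keys are ignored; invalid values fall back
// to the default and their slot names are collected in $rejected.
function render_user_css(array $input, array &$rejected = []): string
{
    $replacements = [];
    foreach (SLOT_DEFAULTS as $slot => $default) {
        $color = array_key_exists($slot, $input) ? normalize_hex_color($input[$slot]) : $default;
        if ($color === null) {
            $rejected[] = $slot;
            $color = $default;
        }
        $replacements['{{' . $slot . '}}'] = $color;
    }
    return strtr(CSS_TEMPLATE, $replacements);
}

// Constructed sample input: valid value, injection attempt, unknown key.
$rejected = [];
echo render_user_css(['background' => '#FC0', 'link' => 'red; background: url(//example.invalid/x)', 'font' => 'x'], $rejected), "\n";
echo 'rejected: ', implode(', ', $rejected), "\n";
```

Because the user value is validated as a whole string against a closed grammar and never parsed as CSS, constructs such as url() have no path into the output; the cost is the limitation the post notes, since only the predefined slots can be styled.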