On my website, there are “communities”. I want to give communities the ability to have custom styling on their community pages, like subreddits on reddit.com for those who are familiar with them. For reference, I use Laravel as my development framework, but I don't think this matters for this question.
In order to achieve this, I allow users to submit a custom stylesheet (in a textarea input).
First I validate this like any other user input, then I make sure there aren't any external URLs (since this seems to be the way CSS injections work):
$text = $request->get('styles');
// Plain substring match for anything that looks like an external URL.
$hasExternalURL = strpos($text, 'http') !== false || strpos($text, 'www.') !== false;
if ($hasExternalURL) {
    return response()->json(['error' => 'Error: No external URLs allowed.'], 404);
}
Then I make sure that the user input is a valid stylesheet. I use the CSS validator API provided by the W3C (https://jigsaw.w3.org/css-validator/api.html) for this:
$response = Http::get('https://jigsaw.w3.org/css-validator/validator', [
    'text' => $text,
    'output' => 'soap12',
]);
// The validator reports the error count in the X-W3C-Validator-Errors
// response header; header() looks it up case-insensitively, so the lookup
// does not depend on how the server cases the header name.
$validationErrorCount = (int) $response->header('X-W3C-Validator-Errors');
// Fail closed: a failed validator request is treated like invalid CSS.
if ($response->failed() || $validationErrorCount > 0) {
    return response()->json(['error' => 'Errors found in styles. Try using a CSS validator before submitting styles.'], 404);
}
If the user input is indeed valid CSS, then I save the input as a .css file and load it in the header of my website for those communities.
I am wondering if this is enough to prevent vulnerabilities. There isn't much information out there on allowing users to upload their own stylesheets.
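As an added illustration that is not part of the original question (plain PHP with no Laravel dependency; the function names, the denylist and the sample stylesheets, including the `evil.example` host, are my own), the script below normalises a stylesheet the way a CSS tokenizer would (comments removed, backslash escapes decoded, case folded) before matching, and then rejects the constructs that let a stylesheet fetch a resource or run code in legacy engines. It runs the question's `strpos()` check side by side with the normalised check over inputs that are well-formed CSS but contain neither the substring `http` nor `www.`; a syntax validator does not judge where a URL points, so the W3C step does not catch them either.

```php
<?php
// Added example, not code from the original question. Plain PHP, no Laravel.
// Function names, the denylist and the sample stylesheets are constructed.
declare(strict_types=1);

/** Normalise CSS before keyword matching: strip comments, decode escapes, lower-case. */
function normaliseCss(string $css): string
{
    // Comments carry no meaning; drop them first.
    $css = preg_replace('#/\*.*?\*/#s', '', $css) ?? $css;

    // Hex escapes: "\68" or "\000068 " -> "h". A hex escape may consume one
    // trailing whitespace character, so "\68 ttp" is also "http".
    $css = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?/',
        static fn(array $m): string => mb_chr((int) hexdec($m[1]), 'UTF-8') ?: '',
        $css
    ) ?? $css;

    // Single-character escapes: "\u" -> "u", "\:" -> ":".
    $css = preg_replace('/\\\\(.)/s', '$1', $css) ?? $css;

    return strtolower($css);
}

/**
 * Returns null when the stylesheet passes, otherwise the reason for rejection.
 * Deliberately a denylist of fetching / code-execution constructs; colours,
 * layout and fonts already on the page stay allowed.
 */
function findUnsafeCss(string $css): ?string
{
    $norm = normaliseCss($css);
    $forbidden = [
        '/url\s*\('          => 'url() fetches a resource the author controls',
        '/image-set\s*\('    => 'image-set() accepts a URL given as a plain string',
        '/\bimage\s*\('      => 'image() accepts a URL given as a plain string',
        '/\bsrc\s*\('        => 'src() accepts a URL given as a plain string',
        '/@import\b/'        => '@import loads another stylesheet',
        '/@charset\b/'       => '@charset can change how the file is decoded',
        '/expression\s*\('   => 'expression() ran script in legacy IE',
        '/-moz-binding\s*:/' => '-moz-binding loaded XBL in legacy Firefox',
        '/behavior\s*:/'     => 'behavior: loaded .htc scripts in legacy IE',
        '/https?:|www\./'    => 'external URL (the question\'s check, applied to the decoded text)',
    ];
    foreach ($forbidden as $pattern => $reason) {
        if (preg_match($pattern . '/', rtrim($norm)) === 1) {
            return $reason;
        }
    }
    return null;
}

/** The substring check from the question, kept for comparison. */
function hasExternalUrlByStrpos(string $css): bool
{
    return strpos($css, 'http') !== false || strpos($css, 'www.') !== false;
}

// Constructed samples. The first is benign; the rest are well-formed CSS
// that contains neither the substring "http" nor "www.".
$samples = [
    'a { color: red }',
    'body { background: url(//evil.example/t.gif) }',            // protocol-relative URL
    'body { background: url(HTTP://evil.example/t.gif) }',       // strpos() is case-sensitive
    'body { background: url(\68ttp://evil.example/t.gif) }',     // \68 is an escaped "h"
    'body { background: \75rl(//evil.example/t.gif) }',          // \75 is an escaped "u"
    'body { background: image-set("//evil.example/t.gif" 1x) }', // URL as a string, no url()
    '@import "/communities/other/theme.css";',                   // same-origin import
];

foreach ($samples as $css) {
    printf(
        "%-62s strpos: %-8s  normalised denylist: %s\n",
        $css,
        hasExternalUrlByStrpos($css) ? 'rejected' : 'accepted',
        findUnsafeCss($css) ?? 'accepted'
    );
}
```

Run it with `php check.php`; only the first sample is accepted by both checks, every other sample passes the `strpos()` check and is rejected by the normalised denylist. The point of the design is that the match runs on the decoded form, so case, escape and comment variations all collapse to the same keyword; it complements rather than replaces the W3C syntax check. As defence in depth, serve the saved file with `Content-Type: text/css` and set a Content Security Policy whose `img-src` and `font-src` name only your own origin, so that a `url()` which does slip through still cannot fetch from anywhere else.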