Sanitize User Entered CSS

3 Views

Does anyone have any idea how to sanitize CSS entered via user input? I am concerned about cross-site scripting via CSS. I am using wp_filter_kses to clean up user entered HTML, but I need a like solution for user entered styles. So far I am using the following ugly and incomplete function but I’d like something more complete. 

function sanitizeCSS ( $css ) {
    $css = str_replace( '/-moz-binding/', '', $css );
    $css = str_replace( '/expression/', '', $css );
    $css = str_replace( '/javascript/', '', $css );
    $css = str_replace( '/vbscript/', '', $css );
    return $css; 
}
Post Views: 3

Related posts

Leave a Reply

6 comments

  2. Jetpack doesn’t really sanitize CSS, it just cleans it up, which has the side-effect of removing some vulnerabilities, but not all.

    An attacker can still use @import to import unsanitized CSS; expression() to introduce XSS to older IE browsers; @charset to trick the browser into interpreting the CSS as HTML, opening up XSS opportunities; set URLs with arbitrary protocols to launch SSRF attacks, etc.

    If you want full sanitization, you’ll need to do something like r2085-meta.

    You should run your sanitization against comprehensive test cases to verify that it’s cleaning everything.

    CSSTidy isn’t really abandoned, though; one of the original authors forked the PHP class, and the Jetpack team and others have made contributions to keep it reasonably up to date. If you don’t feel comfortable with it, though, Caja is another option.

  3. I use the following function that combines the strength of wp_filter_nohtml_kses and then restores the required escape characters, namely quotes and the > selector.

        function escape_css($css) {
    $escaped_css = strtr(wp_filter_nohtml_kses($css),
            [
                '>' => '>',
                "'"   => "'",
                '"'   => '"',
    ]);
    return $escaped_css;
}

  4. The best approach I found was to incorporate CSSTidy into my plugin. I took a page from JetPack which has a Custom CSS feature.

    JetPack’s CSSTidy implementation is contained in the Jetpack_Safe_CSS class as function, filter_attr. I couldn’t entirely figure out why JetPack was nesting the user entered CSS inside a ‘div’ element prior to parsing, but after some trial and error I learned that CSSTidy isn’t really capable of parsing a CSS file. That lesson learned I literally ripped off the code from JetPack.

    I downloaded CSSTidy, created a directory to contain the CSSTidy PHP files. I then require class.csstidy.php as necessary in my code and initialize a new csstidy object. Nest the CSS to be validated in a ‘div’ element, parse it through CSSTidy, then yank the plain CSS back out of the csstidy object. So far so good with thousands of installs (although I’ll never know how many users actually use the CSS feature of my plugin).

    I may not have noted this is my original question, but I was looking for the simplest, easiest approach, not the most technical, sophisticated, or powerful approach. I value modifying the WordPress experience as little as possible. This is why I turned to JetPack as the closest thing to “source”. I consider JetPack nearly canonical as it is developed by Automattic (the developers of WordPress itself). My only… regret?… is that CSSTidy was abandoned in 2007, so I imagine I will need to find another solution at some point.

    require_once( 'csstidy/class.csstidy.php' );
$csstidy = new csstidy();
$csstidy->set_cfg( 'remove_bslash', FALSE );
$csstidy->set_cfg( 'compress_colors', FALSE );
$csstidy->set_cfg( 'compress_font-weight', FALSE );
$csstidy->set_cfg( 'discard_invalid_properties', TRUE );
$csstidy->set_cfg( 'merge_selectors', FALSE );
$csstidy->set_cfg( 'remove_last_;', FALSE );
$csstidy->set_cfg( 'css_level', 'CSS3.0' );
$csstovalidateindiv = 'div {' . $csstovalidate . '}';
$csstovalidateindiv = preg_replace( '/\\([0-9a-fA-F]{4})/', '\\\\$1', $csstovalidateindiv );
$csstovalidateindiv = wp_kses_split( $csstovalidateindiv, array(), array() );
$csstidy->parse( $csstovalidateindiv );
$csstovalidateindiv = $csstidy->print->plain();
$csstovalidateindiv = str_replace( array( "n", "r", "t" ), '', $csstovalidateindiv );
preg_match( "/^divs*{(.*)}s*$/", $csstovalidateindiv, $matches );
if ( !empty( $matches[1] ) ) $cssvalidated = $matches[1];

    (code or it didn’t happen)

  5. wp_filter_nohtml_kses()

    doesn’t appear to work properly because it escapes the ” character, so you can’t write any attribute selectors. It seems like there is no “simple” way to do this.