I'd recommend not letting them do that.
The CSS model used here is a good one to follow.
there are CSS themes, but to become generally available
any submissions would have to be audited.
However, the user is free to insert a style
sheet of their own for themselves (which btw,
is just a crutch for old browsers; true CSS
enabled browsers should support user-defined
style sheets). UPDATE; Note of course this is
exploitable as well, but requires the explicit
action of the naive user, and there's not
much you can do about that. If a user were to create
a tainted sheet, make it publically available
and convince others to use it (maybe it
"looks cool")...
Did you come across this FAQ?
It is interesting to note that
the acronym CSS is also used for Cross Site Scripting.
As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
--
perl -pew "s/\b;([mnst])/'$1/g"
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|