What safety measures should be implemented when granting users permission to modify HTML and CSS on your site?

I'm really impressed by the customization options on Tumblr. Users can edit the HTML and CSS of their profiles, which is something I'd love to incorporate into my own site. However, I'm concerned about the security implications of allowing this level of customization.

Does anyone have tips or precautions for implementing a feature like Tumblr's? And should I store the editable HTML and CSS in a database? Thank you! 😊

P.S. What are your thoughts on server-side scripting? For example, if I wanted users to be able to script a button that interacts with the database. How would I go about doing this?

htmlcsscustomizationsecurity

Answer â„–1

Ensuring that users can utilize all aspects of HTML/CSS while maintaining security is quite challenging. One approach could be to remove all CSS and HTML attributes, allowing only designated "safe" code on a whitelist.

Illustrations

<p>This snippet is acceptable.</p>

<p><a onload="alert('XSS!')">Undesirable attribute should be removed.</a></p>

<p><a href="http://google.com/" class="blue">Valid hyperlink.</a>
Remember to sanitize the href attribute!</p>

<h1>Improper formatting may lead to issues,
so ensure proper closure

<style>
.blue {
    color: #00f; // retain this (via whitelist)
    strange-css-rule: potentially risky; // Exclude this!
}
</style>

These are just a few examples of common challenges.

While I'm not well-versed in Tumblr's methods, they likely employ a similar strategy.

In terms of storing HTML and CSS in a database, it is indeed feasible and many systems adopt this approach. For simplicity, maintain a singular representation to prevent user confusion ("Why isn't my CSS being applied when it's clearly in the code!")

Answer â„–2

In the case that you are utilizing php, a mini API system can be utilized for handling database issues. For instance, if you wish to enable users to comment on something and store it in your database, an API like the following can be used.

To begin, create an api.php file (URL Location: http://yoursite.com/api.php)

<?php

// ID and Key may vary per user.
// id = 1234
// key = 'secret_key'

// function = name of the function that can be called by the user
// option = parameter passed to the function

// Check if id, key, function, and option are requested before proceeding to call the function.

if(isset($_GET['id'], $_GET['key'], $_GET['function'], $_GET['option'])) {
   $id = $_GET['id'];
   $key = $_GET['key'];

   if($id == '1234' && $key == 'secret_key') {

       // Define all functions here
       function make_comment($option) {
           ...code for saving comment to database...
       }

       if(function_exists($_GET['function'])) {
           $_GET['function']($_GET['option']);
       }
   }
}

?>

Users can then call this function from any button with a simple API call, such as:

<a href='http://yoursite.com/api.php?id=1234&key=secret_key&function=make_comment&option=i_am_comment'></a>

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Content displayed in the center of a modal

Struggling to center the captcha when clicking the submit button. Check out the provided jsfiddle for more details. https://jsfiddle.net/rzant4kb/ <script src="https://cdn.jsdelivr.net/npm/@popperjs/<a href="/cdn-cgi/l/email-protection" class=" ...

javascripthtmlcssbootstrap-5

Web Essentials is experiencing a problem with minified CSS

Today, while using Web Essentials 2013 for Update 3 with Visual Studio Express 2013 for Web, I encountered an issue with the minified CSS file. The website I am currently working on is built on a Twitter Bootstrap platform and utilizes two separate CSS fil ...

csstwitter-bootstrapweb-essentials

Manipulate DIV elements with jQuery by selecting them based on their class names and then

Is there a way to use jQuery to eliminate all DIVs on a webpage while preserving their content that have the following specific pattern? <div class="ExternalClass85AC900AB26A481DBDC8ADAE7A02F039">....</div> Please note that these DIVs adhere ...

jqueryhtml

Using Vanilla JavaScript to Disable a Specific Key Combination on a Web Page

On a completely random English-Wikipedia editing page, there exists a way to add content (for example, "test") and save it using the existing key combination of Alt+Shift+S. My goal is to specifically prevent this action without removing the save button b ...

javascriptjqueryhtmlreturnkeyboard-shortcuts

In PHP/HTML, if the URL is domain.co.uk/?debug, then the following action will

Apologies for what may seem like a basic question, but I've been searching for a clear answer with no luck! My goal is simple - when someone goes to , I want to show extra details, like the code version or any other notes I include. Once again, sorr ...

phpjavascripthtmldebuggingurl

Utilizing Bootstrap 4 for a responsive layout: positioning a <div> element adjacent to a centered image

I am currently working on a project involving an image gallery. My goal is to showcase the images in a specific layout: https://i.sstatic.net/cXcql.png Essentially, the image should always be centered. If there is sufficient space to the right, I want to ...

htmlcsstwitter-bootstrapbootstrap-4

Create a custom navigation bar using PlayFramework for a unique video streaming website

Attempting to create a dynamic navigation bar in Play using the code below in my main.scala.html file: @(title: String)(content: Html) <!DOCTYPE html> <html lang="en"> <head> <title>@title</title> <li ...

htmlcssscalaplayframework

Is there a way to execute this process twice without duplicating the code and manually adjusting the variables?

I'm looking to modify this code so that it can be used for multiple calendars simultaneously. For example, I want something similar to the following: Here is what I currently have: This is my JavaScript code: var Calendar = { start: function () ...

javascripthtmlcsscalendar

Modify the color scheme of the parent div by selecting the child div (using only CSS and HTML)

I am working with a nested div structure, where one is contained inside the other: <div class="outer"> <div class="inner"> </div> </div> It looks something like this: I am wondering if it's possibl ...

htmlcss

Utilize Material icons in CSS for a list in Angular 9

My task involves altering the HTML provided by a content management system for one of our applications. Specifically, I need to replace all "ul"s with <mat-icon>check_circle_outline</mat-icon> instead of the default "." The challenge lies in t ...

cssangularangular-material

Troubleshooting: jQuery animation for background-color doesn't function in Internet Explorer

I've been working on a website and I'm trying to create a navigation bar similar to the one found at . My goal is to have the navbar transition from transparent to a colored background as the user scrolls down the page. For this project, I am ut ...

javascriptjqueryhtmlcssjquery-animate

Center the span in CSS by setting its position to absolute

I am trying to create a span element positioned as absolute inside a div. The div has top and left values set. When the user inputs text, the span expands with the given text towards the right to contain it. However, I would like it to grow symmetrically o ...

javascripthtmlcss

Adjust the DIV shape to fit perfectly within the browser window without overlapping with any other elements

http://jsbin.com/iGIToRuV/1/edit Currently, I am working on developing a WYSIWYG website designer as part of an experimental project for various purposes. The ultimate goal is to ensure that it is both desktop and mobile-friendly. However, I have encount ...

javascriptjquerycsslayoutcss-position

Obtaining the Value of Input Text

Let's say you have the following HTML code: <form> Enter hash here: <input type="text" name="hash"> <button type="submit" formaction="/tasks/">Retrieve Url</button> </form> Is there a way ...

javascripthtml

Tips for preventing HTML ID clashes while integrating with the Document Object Model of external websites

When incorporating additional HTML elements into a webpage using Javascript or jQuery, along with external CSS declarations, it is important to avoid conflicts with existing IDs and class names already present on the page. This could lead to issues if ther ...

javascriptjqueryhtmlcssdom

Is it considered secure to store data in sessions while using Express.js?

My usual practice involves working exclusively with cookies. Typically, I save a username and hash in cookies and then perform a database query on each page load to verify the user's password. Initially, I planned to follow the same process with sess ...

node.jssecuritysessioncookiesexpress

Encountering difficulties accessing XML file on server via anchor tag

I have an XML file on the server that I am attempting to open in a browser when the user clicks on a link. Below is how I have set up the link, but it is not opening the file: Code: <a title="View XML" href="file://///90.0.0.15/docmgmtandpub/PublishD ...

javascripthtmlfileanchor

Pass the html form data to a PHP variable

I need assistance with updating a PHP variable with the value of an HTML form submission. Here is the code snippet: <form action="callback2.php" method="POST"> Enter Phone Number: <input type="text" size="10" name="nummerb" id="nummerb"> <i ...

phphtmlformsvariables

Is there still excess top padding or margin in Firefox after clearing the default reset for the <ul> element?

My floated horizontal list is looking great on IE and Opera, but for some reason, Firefox is adding extra padding or margin at the top. I'm not sure how to fix it. Everything was fine until I had to add a display:inline to an image link next to it to ...

csshtml-listscss-float

Update a variety of CSS properties simultaneously

Is it possible to change multiple CSS attributes of an element with just one line of code? Currently, if I want to alter various CSS attributes of an element, I have to write separate lines of code for each attribute. For instance: $("div#start").cli ...

javascriptjqueryhtmlcss