Let's say that I have a CSS code written by a user like this:

.some-classname {
color: red;
padding: 32px;
background-color: hotpink;
font-size: 24px;
border-radius: 4px;
font-family: 'test font family', serif;

@media screen (max-width: 500px) {
font-size: 25px;
}

I want to store this CSS into an SQL table with two columns, id would be the id of some page on my app, and css which will hold the code above.

the application will query this css string and print it into the page in the head tag between style tags.

Are there any drawbacks and security issues for doing this? note that the user can write any css code that will be stored in the database

Its' a general purpose question

CodePudding user response：

CSS by its very nature is accessible to everyone that browses your site. If they wanted to steal it, they just have to copy it. It is public.

Therefore, it does not matter where you store it on your site.

Theoretically, security risk comes from the user writing their own CSS. But if that is all they are doing, they are not writing HTML or JavaScript, then there is a negligible security risk. They could load any resource such as an image from anywhere. You may want to detect this and disallow it.

To be safer, I would suggest that you could implement CSP (Content Security Policies) to control where images, fonts, scripts etc can come from. A useful site is Probely to help you set them up.

I am not associated with that site.