Safety of allowing custom CSS stylesheets for a JavaFX program

Time:03-06

I am planning to allow users of my JavaFX program to select a custom CSS stylesheet, so that they can fully customize their UI layout and design.

I am wondering whether this is a safe idea as I am aware this can be dangerous for certain programs as it allows for people to inject code, though I can't seem to find any information on the possibility of using CSS for anything other than defining styles in JavaFX.

CodePudding user response:

This is not a topic you need be concerned about.

Only read on if you are still concerned...

Ah, so there is no chance a user could use a stylesheet to somehow manipulate the program maliciously?

Well I would not say no chance. Software is complex and exploits can be unusual and unexpected.

But the chance that it would happen and cause enough harm to the users of your app that it was worth investments by yourself in potential countermeasures is, IMO, infinitesimal.

Your, and others’, effort is best spent elsewhere. Use secure servers and packaging, use up-to-date frameworks and libraries, patch or redeploy for known exploits, etc.

A JavaFX app where you supply all the code and the app is installed as a package on a client machine is an inherently different attack surface than a web browser sourcing from many network locations that you do not control.

There is no server-side cross-site code injection without cross-site servers. So trying to apply a website CSS attack (which is not normal by the way, most site attacks are scripting, phishing, server infected malware, etc.) to a JavaFX client isn’t going to work.

If you are still concerned then do your own further research into the subject.
