Hello all,
My website has a feature in which I can turn on/off a feature which allows members to add their own CSS code for their profile design!
If possible I want to allow this as it would mean a much better platform for my members but I wanted to know what risk I would be causing if I have this feature turned on. Here is the code that processes and checks the code:
// IF NEW
if($task == "dosave") {
  // Decode entities, strip HTML tags, remove "-moz-binding", then escape quotes for storage
  $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags(htmlspecialchars_decode($_POST['style_profile'], ENT_QUOTES))));
  $style_profile_sample = $_POST['style_profile_sample'];

  // SET STYLE TO NOTHING IF NEEDED
  if($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] == 0) {
    $style_profile = "";
    $style_profile_sample = 0;

  // SET STYLE TO OPTIONAL IF NEEDED
  } elseif($user->level_info['level_profile_style'] == 0 && $user->level_info['level_profile_style_sample'] != 0) {
    $style_profile = addslashes(str_replace("-moz-binding", "", strip_tags($sample[$style_profile_sample])));
  }
}
As you can see, the code does check with addslashes and strip_tags, but is this enough to protect the entire website? This is of course only CSS and design changes, so I wasn't sure if users could inject any dodgy code or not.
Any advice would be appreciated.
Justin
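
A stricter alternative to the blacklist filter in the post, as an added example that is not part of the original post or the poster's code: instead of removing one known-bad string, it keeps only declarations whose property is on an allowlist and whose value matches a conservative character set. The property list, both patterns, the function name `sanitize_profile_css` and the `#profile` wrapper selector are assumptions chosen for illustration.

```php
<?php
// Added example, not the poster's code. Allowlist, patterns and names are assumptions.
const ALLOWED_PROPERTIES = [
    'color', 'background-color', 'font-family', 'font-size', 'font-weight',
    'text-align', 'text-decoration', 'margin', 'padding', 'border', 'width', 'height',
];
// Simple element/class/id selectors only.
const SELECTOR_PATTERN = '/^[a-zA-Z0-9 .#_-]{1,100}$/';
// Values: no parentheses, colons, slashes, backslashes, quotes, angle brackets or "@".
const VALUE_PATTERN = '/^[a-zA-Z0-9 ,.#%-]{1,100}$/';

function sanitize_profile_css(string $css, string $scope = '#profile'): string
{
    $out = [];
    // Pick out "selector { declarations }" blocks. Text that does not fit this
    // shape (at-rules, comments) ends up in a selector and fails the check below.
    preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $rules, PREG_SET_ORDER);
    foreach ($rules as $rule) {
        $selector = trim($rule[1]);
        if (!preg_match(SELECTOR_PATTERN, $selector)) {
            continue;
        }
        $decls = [];
        foreach (explode(';', $rule[2]) as $decl) {
            $parts = explode(':', $decl, 2);
            if (count($parts) !== 2) {
                continue;
            }
            $prop = strtolower(trim($parts[0]));
            $value = trim($parts[1]);
            // Keep a declaration only if both the property and the value are acceptable.
            if (in_array($prop, ALLOWED_PROPERTIES, true) && preg_match(VALUE_PATTERN, $value)) {
                $decls[] = "$prop: $value";
            }
        }
        if ($decls) {
            // Prefix every rule so member styles apply inside the profile wrapper only.
            $out[] = "$scope $selector { " . implode('; ', $decls) . "; }";
        }
    }
    return implode("\n", $out);
}

// Constructed sample input: two allowed declarations, two that are dropped.
$input = ".bio { color: #336699; font-size: 14px; -moz-binding: url(x); position: fixed }\n"
       . "h2 { text-align: center }";
echo sanitize_profile_css($input), "\n";
```

Because the output is rebuilt from validated pieces rather than passed through, it cannot contain angle brackets or quotes, so it can be placed in a `<style>` element without further escaping; database escaping at storage time is still a separate step.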