Sunday, 15 January 2012

Need security advice on allowing users to write to a CSS file

I have a WordPress multisite installation. Part of its features is to load CSS (a one-time copied version of the parent and kid CSS files) stored in the database (in the WordPress options table, as part of the theme options). The feature is available in the theme options panel.

Once the feature is enabled, the parent and kid CSS are disabled and the theme loads a custom CSS file (custom.css). The content of custom.css is taken from the database (as I said in the first paragraph). In the theme options panel, users can edit the entire CSS and save it. Once saved, the changes are written to the custom.css file.

I need your thoughts on whether this method is secure. I have sanitized the custom CSS (before it is saved to the database) using the following PHP line:

$sanitized_css = esc_html($original_css);

where esc_html is the WordPress function for escaping HTML blocks: http://codex.wordpress.org/function_reference/esc_html

But I am not sure if this is the best method. I would appreciate your advice and thoughts.

I am also thinking of outputting the CSS to the browser directly (inline) instead of using a CSS file. Is that method secure? I know that loading a CSS file is best practice for big CSS files.

I need to make sure the application is safe from XSS, MySQL injection and other security risks.

Thanks.
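The question above asks whether esc_html() is the right sanitizer for user-written CSS. The following added example (not the poster's code, and not part of WordPress) shows that HTML escaping both rewrites legitimate CSS and leaves CSS-specific risks untouched, and what a CSS-aware refusal check looks like instead; the check also covers the inline-output case by refusing any "<" that could close a <style> block. Since esc_html() exists only inside WordPress, htmlspecialchars() stands in for it here, an assumption so the script runs from the command line.

```php
<?php
// Added example, not the poster's code. esc_html() only exists inside
// WordPress, so htmlspecialchars() stands in for it here (assumption:
// both HTML-escape <, >, & and quotes) to let the script run from the CLI.
function html_escape_css($css) {
    return htmlspecialchars($css, ENT_QUOTES, 'UTF-8');
}

// Refusal check for user-supplied CSS. Returns the list of reasons the
// input was rejected; an empty array means every check passed.
function css_problems($css) {
    $problems = array();
    // Strip comments first so a keyword cannot be broken up with /**/.
    $flat = preg_replace('#/\*.*?\*/#s', '', $css);
    $checks = array(
        'backslash escapes are not allowed (they can hide keywords)' => '/\\\\/',
        '"<" could close an inline <style> block'                    => '/</',
        '@import pulls in an external stylesheet'                    => '/@import/i',
        'expression() evaluates script in old IE'                    => '/expression\s*\(/i',
        'behavior: loads HTC components in old IE'                   => '/behavior\s*:/i',
        '-moz-binding: loads XBL in old Firefox'                     => '/-moz-binding\s*:/i',
        'url() with a script scheme'                                 => '/url\s*\(\s*["\']?\s*(javascript|vbscript)\s*:/i',
    );
    foreach ($checks as $reason => $pattern) {
        if (preg_match($pattern, $flat)) {
            $problems[] = $reason;
        }
    }
    return $problems;
}

// Constructed sample inputs.
$valid = 'ul > li a[href^="http"] { color: #336; }';
$bad   = 'body { behavior: url(x.htc); } @import url(//example.invalid/a.css);';

// HTML escaping rewrites the child combinator and the attribute quotes,
// so the stored custom.css no longer means what the user wrote ...
echo html_escape_css($valid), "\n";
// ... while the risky constructs survive escaping unchanged.
echo html_escape_css($bad), "\n";

// The CSS-aware check accepts the first input and lists why it refuses the second.
print_r(css_problems($valid));
print_r(css_problems($bad));
```

A refusal list such as this is a floor, not a full CSS parser; a stricter option is to parse the CSS and keep only an allow-list of properties and values.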

A quick Google search brings up related posts on the forum:

User-defined CSS: what can go wrong?

Sanitize user-defined CSS in PHP
