1

Let's say that I have a CSS code written by a user like this:

.some-classname {
color: red;
padding: 32px;
background-color: hotpink;
font-size: 24px;
border-radius: 4px;
font-family: 'test font family', serif;

@media screen (max-width: 500px) {
font-size: 25px;
}

I want to store this CSS into an SQL table with two columns, id would be the id of some page on my app, and css which will hold the code above.

the application will query this css string and print it into the page in the head tag between style tags.

Are there any drawbacks and security issues for doing this? note that the user can write any css code that will be stored in the database

Its' a general purpose question

Improve this question

1 Answer 1

Reset to default
1

CSS by its very nature is accessible to everyone that browses your site. If they wanted to steal it, they just have to copy it. It is public.

Therefore, it does not matter where you store it on your site.

Theoretically, security risk comes from the user writing their own CSS. But if that is all they are doing, they are not writing HTML or JavaScript, then there is a negligible security risk. They could load any resource such as an image from anywhere. You may want to detect this and disallow it.

To be safer, I would suggest that you could implement CSP (Content Security Policies) to control where images, fonts, scripts etc can come from. A useful site is Probely to help you set them up.

I am not associated with that site.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for the quick reply Rohit, In that sense, there's no difference between storing the css in the database or writing it to a css file, as it all depends on the developer who is writing this code and only when they are loading resources from abroad
Correct. If there are going to be many hundreds of instances of it then a database will be easier to manage.
If you feel that the answer is correct, you can tick it to indicate it so.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.