How dangerous is it to use CSS styles from an untrusted source?

It is not advisable to use CSS styles from a source you don't trust, without some sort of review.

There are some risks, particularly on older browsers. Some older browsers provide a way to embed JavaScript inside of CSS, so that the JavaScript will be automatically executed as soon as the browser loads the CSS. Browsers with this problem include IE6, IE7, as well as later versions of IE in IE7 compatibility mode; also IE Mobile 8. (In those older browsers, this is supported through CSS constructs like url, expression(...), behavior, -moz-binding, -o-link, and probably more.) This weakness of older browsers allows an attacker who supplies malicious CSS to do anything an XSS attack can do. Using CSS styles from an attacker is basically a self-inflicted XSS vulnerability.

Fortunately, modern browsers have closed all of these JavaScript pathways. Unfortunately, some users still use older browsers, so if you use CSS from an untrusted source, you'll be putting those users at risk.

That said, I would recommend taking a risk management perspective. How great is the risk? How great is the benefit? In this case, I suspect the benefits are probably worth taking a slight risk, particularly if you adopt some mitigations to protect yourself. I would recommend:

  • Review all of the proposed CSS before loading it into your site. Make sure you understand it, and it isn't obfuscated. Make sure it looks clean and well-organized and readable. Make sure it doesn't load external CSS or other external resources. See whether it looks reasonable to you. If you spot it doing stuff you don't understand, maybe don't use it.

  • Check the source. Are they a trusted user of your community, who have been spending time on your site for a long time? Or are they a new user who you have little history of? There's probably less risk from a trusted member of the site, and more risk from an unknown.

If it were a site I was running, I'd probably do it. Yes, I'd use the above mitigations to protect myself -- but I wouldn't let security get in the way of having fun things.

Other resources:

  • CSS security, from ha.ckers

  • Ending expressions, from MSDN


One tiny addition to the comprehensive post of D.M.

CSS2+ can also manipulate text on the page. See MDN for details of the content CSS property, and this for examples.

Compare this behaviour to expression() javascriptlets in IE6 CSS: in both cases CSS is performing something more than just styling... Pity that this is part of the CSS standard.
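The first answer recommends reviewing submitted CSS for script-capable legacy constructs (expression(), behavior, -moz-binding, -o-link), for loads of external stylesheets or resources, and for obfuscation; the second answer adds that the content property can put text on the page. The helper below is an added example that mechanically performs that review, so a human reviewer at least never misses the well-known constructs. It is not code from either answer or from any linked resource: the rule names, the severity levels and the sample stylesheet are this example's own construction (the sample uses the reserved `example.invalid` domain), and the normalisation step undoes only the two cheapest obfuscations, comments inside identifiers and CSS hex escapes.

```python
import re

# Review helper for user-submitted CSS. It flags the constructs named in the two
# answers above; rule names and severities are this example's own choice.
RULES = [
    # script-capable legacy constructs (old IE, old Gecko, old Opera): reject outright
    ("ie-expression", "reject", re.compile(r"expression\s*\(", re.I)),
    ("ie-behavior",   "reject", re.compile(r"\bbehavior\s*:", re.I)),
    ("moz-binding",   "reject", re.compile(r"-moz-binding\s*:", re.I)),
    ("o-link",        "reject", re.compile(r"-o-link\s*:", re.I)),
    # pulls in external stylesheets or resources: needs a human look
    ("css-import",    "review", re.compile(r"@import\b", re.I)),
    ("absolute-url",  "review", re.compile(
        r"url\s*\(\s*['\"]?\s*(?:[a-z][a-z0-9+.-]*:|//)", re.I)),
    # generated text on the page (second answer): informational
    ("content-text",  "info", re.compile(r"\bcontent\s*:\s*(?:['\"]|attr\s*\()", re.I)),
]
LEVELS = {"clean": 0, "info": 1, "review": 2, "reject": 3}


def normalize(css: str) -> str:
    """Undo cheap obfuscations: comments inside identifiers (exp/**/ression)
    and CSS hex escapes (\\65 xpression), so the rules see the real token."""
    # replace each comment with the newlines it spanned so line numbers survive
    css = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), css, flags=re.S)

    def decode_hex(m):
        try:
            return chr(int(m.group(1), 16))
        except ValueError:            # outside Unicode range: leave as written
            return m.group(0)

    # \61 or \000061, with the one optional whitespace CSS allows after it
    css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", decode_hex, css)
    css = re.sub(r"\\([^0-9a-fA-F\r\n])", r"\1", css)   # \: -> : and similar
    return css


def review_css(css: str):
    """Return (line_number, rule_name, severity, stripped_line) for each rule hit."""
    findings = []
    for lineno, line in enumerate(normalize(css).splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, severity, line.strip()))
    return findings


def verdict(css: str) -> str:
    """Worst severity found: 'clean', 'info', 'review' or 'reject'."""
    worst = "clean"
    for _, _, severity, _ in review_css(css):
        if LEVELS[severity] > LEVELS[worst]:
            worst = severity
    return worst


# Constructed sample of a user-submitted theme (raw string so \61 stays literal).
SAMPLE_CSS = r"""/* constructed sample: a user-submitted theme */
body { color: #333; background: url(img/bg.png); }
a:hover { color: red; }
.old { width: exp/**/ression(document.body.clientWidth > 800 ? "800px" : "auto"); }
.widget { beh\61 vior: url(#default#userData); }
.xbl { -moz-binding: url("http://example.invalid/b.xml#x"); }
@import url("https://example.invalid/extra.css");
.note::before { content: "Read this first: "; }
.ok::after { content: none; }
"""

if __name__ == "__main__":
    for lineno, name, severity, text in review_css(SAMPLE_CSS):
        print(f"line {lineno:>2} [{severity:<6}] {name:<13} {text}")
    print("verdict:", verdict(SAMPLE_CSS))
```

Running the module prints one finding per line and rule, and a verdict of "reject" for the sample, because of the expression() hidden behind a comment and the hex-escaped behavior property. Relative url() values and `content: none` produce nothing, so an honest theme passes as "clean"; a stylesheet whose only finding is generated text comes back as "info", which is the level at which the second answer's point belongs. The scanner is a floor, not a ceiling: the first answer's human review is still the control, and anything the helper cannot classify is exactly the "stuff you don't understand" the answer says to leave out.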