Is there any danger in loading external, third-party CSS?

In CSS Files.

expression(code), behavior:url(), url(javascript:code), and -moz-binding:url() all have potential security issues.

Behavior can't be cross-domain, so that removes some threat, but generally speaking you do need to sanitize it somehow.

If you allow the user to link to CSS on external servers, there isn't a foolproof way to validate it. The server could check the CSS file on the server to ensure there is nothing malicious, but what if the user changes the stylesheet? You would have to continuously check the stylesheet. Also, the server could potentially feed different info to the server's IP address in an attempt to bypass the validation method.

In all honesty, I would advise storing the CSS on your own server. Simply run it through a regex parser that removes the possible malicious code from above.


As long as you validate it somehow you should be good.

GOLDEN RULE: Do NOT trust the user


If the user is the only person with the ability to see their custom CSS, then there is not really any danger. They could ruin their own experience on your site, but not that of others.

However, if their custom CSS is displayed to other users, then they could potentially use it to completely mess up the styles of your site as you intended them. For example, they could simply grab the id of some important elements from your source, and override them to hide them.

Of course, as long as you are careful and properly sanitize all user input, you should not face any major problems.
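Both answers above come down to two controls: strip the constructs the first answer lists (expression(), behavior, url(javascript:), -moz-binding) from the stored stylesheet, and keep user rules from reaching elements outside the user's own area, which is the id-override problem the second answer describes. The Python below is an added example, not code from either answerer. It assumes the user's CSS is stored on your own server (as the first answer advises) and that only the sanitized output is ever served; the sample stylesheet, the `.user-42` scope class and the helper names are constructed for the illustration. It is a filter over stored text, not a full CSS parser: comments and backslash escapes are decoded before matching so that `exp/**/ression(` and `\65 xpression(` are caught, but at-rule wrappers such as `@media` are dropped and `;` and `,` are split naively.

```python
import re

# Properties and value fragments named in the first answer.  Assumption: this
# is a starting list for the example, not a complete inventory of vectors.
BLOCKED_PROPERTIES = {"behavior", "-moz-binding"}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")   # \65  -> 'e'
_CHAR_ESCAPE = re.compile(r"\\(.)")                          # \v   -> 'v'
_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")                  # selector { body }


def _unhex(match):
    code = int(match.group(1), 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"


def normalize(text):
    """Decode CSS comments and escapes so obfuscated tokens match plainly."""
    text = _COMMENT.sub("", text)
    text = _HEX_ESCAPE.sub(_unhex, text)
    text = _CHAR_ESCAPE.sub(r"\1", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def check_declaration(prop, value):
    """Return a rejection reason for a normalized property/value, or None."""
    compact = re.sub(r"\s", "", value)          # url( javascript: ) -> url(javascript:)
    if prop in BLOCKED_PROPERTIES:
        return f"blocked property '{prop}'"
    if "expression(" in compact:
        return "expression()"
    if "javascript:" in compact:
        return "javascript: URL"
    return None


def sanitize_css(css, scope):
    """Drop dangerous declarations and prefix every selector with `scope`.

    Returns (sanitized_css, rejected) where rejected is a list of
    (reason, original_declaration) pairs for logging.
    """
    css = _COMMENT.sub("", css)
    kept, rejected = [], []
    for selector, body in _RULE.findall(css):
        decls = []
        for decl in body.split(";"):
            if ":" not in decl:
                continue
            prop, value = decl.split(":", 1)
            reason = check_declaration(normalize(prop), normalize(value))
            if reason:
                rejected.append((reason, decl.strip()))
                continue
            decls.append(f"{prop.strip()}: {value.strip()}")
        if not decls:
            continue
        # Descendant-scoping means `#header` becomes `.user-42 #header`, which
        # can only match elements inside the user's own container.
        scoped = ", ".join(f"{scope} {s.strip()}" for s in selector.split(",") if s.strip())
        kept.append(f"{scoped} {{ {'; '.join(decls)}; }}")
    return "\n".join(kept), rejected


# Constructed sample of a user-supplied stylesheet exercising each case.
SAMPLE_CSS = r"""
/* constructed sample: user-supplied stylesheet */
#header { display: none; }
.bio { color: #333; width: expression(alert(1)); }
.avatar { background: url( javascript:alert(1) ); border: 1px solid red; }
.x { beha\vior: url(evil.htc); -moz-binding: url("bad.xml#x"); }
a { color: blue }
"""

if __name__ == "__main__":
    clean, dropped = sanitize_css(SAMPLE_CSS, ".user-42")
    print(clean)
    for reason, decl in dropped:
        print(f"rejected ({reason}): {decl}")
```

Run on the sample, the `#header` rule survives but only as `.user-42 #header`, so it cannot hide the site's real header for other visitors, and the four dangerous declarations are dropped while the harmless ones in the same rules are kept. Keep the rejected list: a user whose stylesheet repeatedly trips the filter is worth a look in your logs.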