I'm allowing my websites users to directly edit the css file so that they can redecorate everything. But i want to remove all dangerous codes(that can be dangerous). E.g i like i want to remove like of @import, -moz-binding: url('http://virus.com/htmlBindings.xml'); , background-image: url(javascript:alert('Injected')); etc. So that my website always remain secure. i'm currently using phppurify and csstidy. but issue is, it also remove the wanted css styles too. like
$input_css = "
body {
margin: 0px;
padding: 0px;
/* JS injection */
background-image: url(javascript:alert('Injected'));
}
a {
color: #ccc;
text-decoration: none;
/* dangerous proprietary IE attribute */
behavior:url(hilite.htc);
/* dangerous proprietary FF attribute */
-moz-binding: url('http://virus.com/htmlBindings.xml');
}
.banner {
position: absolute;
top: 0px;
left: 0px;
}
";
it only returns a { color:#ccc; text-decoration:none } .banner { }. I want to skip only dangerous properties. The code i'm using is:
$config = HTMLPurifier_Config::createDefault();
$config->set('Filter.ExtractStyleBlocks', True);
// Create a new purifier instance
$purifier = new HTMLPurifier($config);
// Turn off strict warnings (CSSTidy throws some warnings on PHP 5.2+)
$level = error_reporting(E_ALL & ~E_STRICT);
$html = $purifier->purify('<style>'.$input_css.'</style>');
// Revert error reporting
error_reporting($level);
// The "style" blocks are stored seperately
$output_css = $purifier->context->get('StyleBlocks');
// Get the first style block
var_dump( $output_css[0] );