PHP CSSReg
Thursday, 18 August 2011
Just a quick post to mention the excellent work by Norman Hippert aka @thewildcat: he successfully converted my JavaScript-based CSSReg into PHP. I had been meaning to do this but never found the time, so it's pretty awesome that thewildcat not only converted the code but also found some nice bugs in my code and fixed them. Great work Norman, thanks very much!
PHP CSSReg source code *
* Note: image proxying is missing; you must either use an image proxy or read the image files using a PHP script to prevent CSRF via graphics.
In case you don't know, CSSReg takes a user-supplied stylesheet and filters it, removing any dangerous parts.
No. 1 — August 24th, 2011 at 10:47 pm
I've given both the PHP version and your online implementation a go and I think I must be missing something. While I fully understand the need to remove 'dangerous' parts, I'm finding they both remove a large proportion of completely harmless stuff too, plus the JS version adds in an extra selector that means that nothing works at all. For example with cssreg.php:
p {
padding: 0.2em 0;
margin: 0;
}
is turned into:
p {
}
It certainly renders it harmless, but it's a bit blunt! What's the purpose of adding in the #myapplication selector? Is the context for this a page containing multiple 'apps'? How do you define 'dangerous'? Isn't it heavily dependent on context? Are there any docs on CSSReg?
No. 2 — August 25th, 2011 at 8:05 am
Hey marcus
By default CSSReg disables positioning CSS, the logic being that if you have untrusted CSS on the page then you can use padding etc. to move your elements or destroy the page layout. If you uncheck "disable positioning css" then your example will work fine.
Using a custom selector for untrusted CSS is important, as you need to separate untrusted CSS from the trusted CSS existing on the page and also separate multiple gadgets.
Sorry, there are no docs at the moment, but there is info on this blog and there will be a wiki when I have time to do one here:
http://code.google.com/p/cssreg/
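To make the two behaviours discussed in the comments concrete (every rule is scoped under a selector such as #myapplication, and positioning properties such as padding and margin are dropped unless the option is switched off), here is a small scoped CSS filter written for this post. It is an added example in JavaScript, not CSSReg's own code: the function name filterCss, the option name disablePositioning and the property, value and selector allow-lists are all my own constructions and are far smaller than what a real filter needs.

```javascript
// Added illustration (not CSSReg's own code): a minimal scoped CSS filter that
// shows the two behaviours discussed in the comments: every selector is
// rewritten under a scope selector, and positioning properties are dropped
// unless the caller opts in. Property and value allow-lists are constructed
// for this example and are far smaller than a real filter's.
const SAFE_PROPS = new Set(['color', 'background-color', 'font-weight',
  'font-style', 'text-decoration', 'text-align', 'padding', 'margin',
  'position', 'top', 'left', 'right', 'bottom', 'width', 'height', 'float']);
// Properties that let untrusted CSS move elements or break the host layout.
const POSITIONING = new Set(['padding', 'margin', 'position', 'top', 'left',
  'right', 'bottom', 'width', 'height', 'float']);
// A value is a whitespace-separated list of keywords, hex colours or lengths.
// Anything with parentheses or quotes (url(), expression(), escapes) fails.
const TOKEN = '(?:[a-z-]+|#[0-9a-f]{3,6}|-?\\d*\\.?\\d+(?:px|em|%)?)';
const SAFE_VALUE = new RegExp(`^${TOKEN}(?:\\s+${TOKEN})*$`, 'i');
// Selectors are limited to type/class/id names and simple combinators, so a
// selector cannot contain characters that would let it escape the scope.
const SAFE_SELECTOR = /^[a-z0-9\s.#_>+~-]+$/i;

function filterCss(css, { scope = '#myapplication', disablePositioning = true } = {}) {
  const out = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  // Comments are stripped first so they cannot hide a token from the checks.
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, '');
  while ((m = rule.exec(stripped)) !== null) {
    const parts = m[1].split(',').map(s => s.trim()).filter(Boolean);
    if (parts.length === 0 || !parts.every(s => SAFE_SELECTOR.test(s))) continue;
    const decls = [];
    for (const d of m[2].split(';')) {
      const i = d.indexOf(':');
      if (i < 0) continue;
      const prop = d.slice(0, i).trim().toLowerCase();
      const value = d.slice(i + 1).trim();
      if (!SAFE_PROPS.has(prop)) continue;               // unknown property
      if (disablePositioning && POSITIONING.has(prop)) continue;
      if (!SAFE_VALUE.test(value)) continue;             // url(), expression(), ...
      decls.push(`  ${prop}: ${value};`);
    }
    // Scope each comma-separated part, so the rule only reaches the gadget.
    const scoped = parts.map(s => `${scope} ${s}`).join(', ');
    out.push(`${scoped} {\n${decls.join('\n')}${decls.length ? '\n' : ''}}`);
  }
  return out.join('\n');
}
```

With the default options the stylesheet from the first comment comes out as an empty `#myapplication p {}` rule, exactly the "blunt" result described; with `disablePositioning: false` the padding and margin survive, scoped under #myapplication.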