I am using CSP on my website to keeps things locked down as much as possible. I have an HTML editor on the website, and I wanted to allow users to choose text colors from a color picker. This involves adding style="color:#XXXXXX"
to the affected elements, where XXXXXX
is a 24-bit value from the color picker. I am temporarily using style-src 'self' 'unsafe-inline'
on my test rig to allow inline styles to be used to define the colors. But this would open me up to CSS injection attacks if I did it on the live system.
Is there any way to reliably sanitise CSS to allow inline styles to be used safely in this situation, or is there another way to safeguard inline styles so that only the editor can define them (maybe using nonces, which I use to add JS event handlers to HTML elements)?
If you're already using JavaScript, don't set the color with the style
HTML attribute. Instead, set the color directly with JavaScript:
document.getElementById('some-element').style.color = "#123456";