I don't need to validate CSS. I just want to check for suspicious data to prevent XSS.

Nathan Vack wrote:
On Dec 8, 2005, at 2:09 PM, Fabio Varesano wrote:
I think that input checking on the css field is needed...
This is how I'm using the valid_input_data :
function css_nodeapi(&$node, $op, $teaser, $page) {
  ....
    case 'validate':
      if (variable_get('css_'. $node->type, TRUE) || !user_access('create css for nodes')) {
        if (!valid_input_data($node->css_css)) {
          drupal_access_denied();
        }
      }

How do you guys think I have to implement an input check?
You could use an HTTP library and send it through the w3c CSS validator...
http://jigsaw.w3.org/css-validator/
That would ensure the CSS is well-formed. You could even conditionally warn about valid but poor CSS practice (setting background-color without setting color, for example).
Also -- that's probably a different error case than user_access(); I'm guessing you'd want to return a "Hey, your CSS isn't valid" instead of "Access denied"...
Cheers,
-Nate
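
Added example, not part of the thread and not code from the module discussed: one way to check a CSS field for script-capable constructs rather than for validity, normalising comments and escapes before matching. The helpers css_normalize() and css_suspicious() and the pattern list are assumptions made for illustration; a denylist like this is a coarse filter and does not prove the CSS is safe.

```php
<?php
// Added example; css_normalize() and css_suspicious() are hypothetical helpers.

// Undo common obfuscation so the patterns below see the effective text.
function css_normalize($css) {
  // Strip control characters and CSS comments.
  $css = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $css);
  $css = preg_replace('#/\*.*?\*/#s', '', $css);
  // Decode hex escapes such as \65 or \000065 (one optional trailing space).
  $css = preg_replace_callback('/\\\\([0-9a-f]{1,6})\s?/i', function ($m) {
    $cp = hexdec($m[1]);
    return ($cp >= 32 && $cp < 127) ? chr($cp) : '?';
  }, $css);
  // Decode single-character escapes such as \j.
  $css = preg_replace('/\\\\(.)/s', '$1', $css);
  return strtolower($css);
}

// Return the list of reasons the CSS was flagged (empty array = nothing found).
function css_suspicious($css) {
  $patterns = array(
    'expression()'             => '/expression\s*\(/',
    'script URL scheme'        => '/(javascript|vbscript)\s*:/',
    'behavior or -moz-binding' => '/behaviou?r\s*:|-moz-binding\s*:/',
    '@import'                  => '/@import/',
    'HTML markup'              => '/<\s*[a-z\/!]/',
  );
  $text = css_normalize($css);
  $found = array();
  foreach ($patterns as $reason => $regex) {
    if (preg_match($regex, $text)) {
      $found[] = $reason;
    }
  }
  return $found;
}

// Constructed sample inputs.
$samples = array(
  'body { color: #333; background: url(images/bg.png); }',
  'div { width: exp/**/ression(1); }',
  'a { background: url("\6a avascript:void(0)"); }',
);
foreach ($samples as $css) {
  $reasons = css_suspicious($css);
  echo ($reasons ? 'REJECT (' . implode(', ', $reasons) . ')' : 'ok'), '  ', $css, "\n";
}
```

In the 'validate' case, a non-empty result could be reported as a form error (Drupal's form_set_error()) instead of calling drupal_access_denied(), which matches the distinction raised in the quoted reply.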