Customizer: Allow arbitrary custom CSS #10667
Conversation
This reverts commit 6c6a72b.
…er-allow-arbitrary-custom-css
Arbitrary CSS is allowed and escaped when printed.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
westonruter
left a comment
westonruter
left a comment
There was a problem hiding this comment.
Just a couple trivial suggestions, but otherwise this looks great.
Co-authored-by: Weston Ruter <westonruter@gmail.com>
Co-authored-by: Weston Ruter <westonruter@gmail.com>
…er-allow-arbitrary-custom-css
…er-allow-arbitrary-custom-css
|
#10641 includes some protection to ensure bad style tag contents are not saved (including This change should be fine because of the work in #10656. Is it worth including that additional safety here? On one hand, this change should be perfectly safe now. On the other hand, there's not a very good reason to allow possible style tag closers inside of style tags. It will be safely escaped by the HTML API, but I wonder whether it's more helpful to prevent it from ever being stored. |
|
In other words, to restore the if ( preg_match( '#</?\w+#', $css ) ) {To be rather: if ( false !== stripos( $css, '</style' ) ) {Right? That seems fine to me. To be more conservative, and only make it even looser if we find this is actually needed. |
|
The check I've proposed is a bit more complicated. It also covers text that ends in partial style close tags The HTML API should still protect against broken style tag contents, so I'm not sure whether this protection is worth bringing here as well. code sample protected function validate_custom_css( $css ) {
$length = strlen( $css );
for (
$at = strcspn( $css, '<' );
$at < $length;
$at += strcspn( $css, '<', ++$at )
) {
$remaining_strlen = $length - $at;
$possible_style_close_tag = 0 === substr_compare( $css, '</style', $at, min( 7, $remaining_strlen ), true );
if ( $possible_style_close_tag ) {
if ( $remaining_strlen < 8 ) {
return new WP_Error(
'rest_custom_css_illegal_markup',
sprintf(
/* translators: %s is the CSS that was provided. */
__( 'The CSS must not end in "%s".' ),
esc_html( substr( $css, $at ) )
),
array( 'status' => 400 )
);
}
if ( 1 === strspn( $css, " \t\f\r\n/>", $at + 7, 1 ) ) {
return new WP_Error(
'rest_custom_css_illegal_markup',
sprintf(
/* translators: %s is the CSS that was provided. */
__( 'The CSS must not contain "%s".' ),
esc_html( substr( $css, $at, 8 ) )
),
array( 'status' => 400 )
);
}
}
}
return true;
} |
2 participants
Under some circumstances KSES would run post content filters and change the resulting content like this:
@property --animate { - syntax: "<custom-ident>"; + syntax: ""; inherits: true; initial-value: false; }This depends on #10656 to ensure styles output is safely printed in the HTML (merged here).
Trac ticket: https://core.trac.wordpress.org/ticket/64418
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.