WordPress.org

Making WordPress.org

Opened 3 months ago

Last modified 4 weeks ago

#4108 assigned enhancement

Update CSS sanitization safelist to support variables

Reported by: iandunn
Owned by:
Milestone:
Priority: high
Component: WordCamp Site & Plugins
Keywords: needs-patch good-first-bug
Cc:

Description

Most browsers support CSS variables now, but they're stripped out by the Jetpack validation process, or the Remote CSS sanitization process.

https://wordpress.slack.com/archives/C08M59V3P/p1548543160179600

Either way, it's probably just because the syntax is new, and the safelist needs to be updated to support it.

  1. Determine which code needs to be updated (Jetpack's Custom CSS module, WordCamp.org's mu-plugins/jetpack-tweaks/css-sanitization.php, or both)
  2. If Jetpack, open an issue on their GitHub and add a link to this report
  3. If Remote CSS, add unit tests, and create a patch to make them pass. If there are any ways to inject JavaScript, expressions, etc. through the new syntax, then tests should be written for that as well. If the problem turns out to be in sanitize_urls_in_css_properties(), let me know before writing a patch since I have some notes about a potential bug there.
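
One way the safelist change and the injection tests from step 3 could look, as an added example that is not part of the ticket and is not WordCamp.org's or Jetpack's code. The function name, both safelists and the test declarations are hypothetical and constructed here; URL handling is left out and `url()` is simply refused.

```php
<?php
// Added example. Names and safelists are hypothetical and constructed for
// illustration; this is not WordCamp.org's or Jetpack's sanitizer.
const EXAMPLE_SAFE_PROPERTIES = array( 'color', 'background-color', 'margin', 'padding' );
const EXAMPLE_SAFE_FUNCTIONS  = array( 'var', 'calc', 'rgb', 'rgba' );

/** Return true when one "property: value" declaration may be kept. */
function example_is_declaration_allowed( string $declaration ): bool {
	$parts = explode( ':', $declaration, 2 );
	if ( 2 !== count( $parts ) ) {
		return false;
	}
	$property = trim( $parts[0] );
	$value    = trim( $parts[1] );
	// New syntax: accept custom property names (--name) next to the fixed safelist.
	$is_custom = 1 === preg_match( '/^--[A-Za-z0-9_-]+$/', $property );
	if ( ! $is_custom && ! in_array( strtolower( $property ), EXAMPLE_SAFE_PROPERTIES, true ) ) {
		return false;
	}
	// Escapes, comments, markup, block delimiters and ":" can hide or smuggle
	// tokens, so they are refused in every value, custom property or not.
	if ( '' === $value || 1 === preg_match( '/[\\\\<>{};:@]|\/\*/', $value ) ) {
		return false;
	}
	// Each "(" must directly follow a safelisted function name. This also
	// refuses nested bare parentheses, a deliberate limit of the example.
	preg_match_all( '/([^\s(),]*)\(/', $value, $calls );
	foreach ( $calls[1] as $name ) {
		if ( ! in_array( strtolower( $name ), EXAMPLE_SAFE_FUNCTIONS, true ) ) {
			return false;
		}
	}
	return true;
}

// Constructed test cases: declaration => whether it should survive.
$cases = array(
	'--brand-color: #0073aa'            => true,
	'color: var(--brand-color)'         => true,
	'margin: calc(var(--gap) * 2)'      => true,
	'behavior: var(--x)'                => false, // property not on the safelist
	'--x: expression(1)'                => false, // function not on the safelist
	'color: var(--x, url(javascript:0))' => false, // ":" and url() inside a fallback
	'--x: red; } body { display: none'  => false, // attempt to close the block
);
foreach ( $cases as $declaration => $expected ) {
	$ok = example_is_declaration_allowed( $declaration ) === $expected;
	printf( "%-4s %s\n", $ok ? 'ok' : 'FAIL', $declaration );
}
```

The value checks run for custom properties as well as safelisted ones, because a value stored in `--x` is substituted wherever `var(--x)` is later used.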

Change History (2)

This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs.


4 weeks ago

#2 @iandunn
4 weeks ago

  • Status changed from new to assigned