Opened 5 years ago

Closed 4 years ago

#4108 closed enhancement (reported-upstream)

Update CSS sanitization safelist to support variables

Reported by: iandunn
Owned by:
Milestone:
Priority: high
Component: WordCamp Site & Plugins
Keywords: needs-patch good-first-bug


Most browsers support CSS variables now, but they're stripped out by the Jetpack validation process, or the Remote CSS sanitization process.

Either way, it's probably just because the syntax is new, and the safelist needs to be updated to support it.

  1. Determine which code needs to be updated (Jetpack's Custom CSS module,'s mu-plugins/jetpack-tweaks/css-sanitization.php, or both)
  2. If Jetpack, open an issue on their GitHub and add a link to this report
  3. If Remote CSS, add unit tests, and create a patch to make them pass. If there are any ways to inject JavaScript, expressions, etc. through the new syntax, then tests should be written for that as well. If the problem turns out to be in sanitize_urls_in_css_properties(), let me know before writing a patch since I have some notes about a potential bug there.
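An added example (not the Remote CSS or Jetpack code) of the kind of safelist check and injection test cases that step 3 describes. The function name `is_safe_custom_property()`, the list of allowed CSS functions and the sample values are assumptions constructed for illustration, and the check is deliberately stricter than the CSS grammar.

```php
<?php
// Added example: hypothetical helper, not the Remote CSS or Jetpack code.
const SAFE_CSS_FUNCTIONS = array( 'var', 'calc', 'rgb', 'rgba', 'hsl', 'hsla' );

function is_safe_custom_property( string $name, string $value ): bool {
	// Custom property names are "--" followed by identifier characters.
	if ( ! preg_match( '/\A--[A-Za-z0-9_-]+\z/', $name ) ) {
		return false;
	}
	// Escapes and comments can hide keywords ("expr\65ssion", "java/**/script"),
	// and these characters can close the declaration, so reject them outright.
	if ( preg_match( '/[\\\\<>{};@]|\/\*/', $value ) ) {
		return false;
	}
	// Script-capable URL schemes have no place in a variable's value.
	if ( preg_match( '/(?:javascript|vbscript|data)\s*:/i', $value ) ) {
		return false;
	}
	// Every function call must be on the safelist; this drops expression(), url(), etc.
	preg_match_all( '/(-{0,2}[A-Za-z_][A-Za-z0-9_-]*)\s*\(/', $value, $matches );
	foreach ( $matches[1] as $function ) {
		if ( ! in_array( strtolower( $function ), SAFE_CSS_FUNCTIONS, true ) ) {
			return false;
		}
	}
	return true;
}

// Constructed test cases: array( name, value, expected result ).
$cases = array(
	array( '--brand-color', '#0073aa', true ),
	array( '--gap', 'calc(var(--base-gap, 8px) * 2)', true ),
	array( '--x', 'expression(alert(1))', false ),
	array( '--x', 'expr\65ssion(alert(1))', false ),
	array( '--x', 'url(javascript:alert(1))', false ),
	array( '--x', 'red; } body { color: blue', false ),
	array( 'color', 'red', false ),
);
foreach ( $cases as list( $name, $value, $expected ) ) {
	$actual = is_safe_custom_property( $name, $value );
	printf( "%s  %s: %s\n", $actual === $expected ? 'PASS' : 'FAIL', $name, $value );
}
```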

Change History (4)

This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill.

5 years ago

#2 @iandunn
5 years ago

  • Status changed from new to assigned

This ticket was mentioned in Slack in #meta-wordcamp by ryelle.

4 years ago

#4 @dd32
4 years ago

  • Resolution set to reported-upstream
  • Status changed from assigned to closed

This ticket has been moved to GitHub
