<div dir="ltr">And kses doesn't catch that? Hmm... I'll have to take a look at what JetPack does. :)</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 30, 2014 at 1:45 PM, Konstantin Kovshenin <span dir="ltr"><<a href="mailto:kovshenin@gmail.com" target="_blank">kovshenin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It's not just the HTML you have to be worried about, but something<br>
like this <a href="http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/" target="_blank">http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/</a><br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Jan 30, 2014 at 10:39 PM, Chip Bennett <<a href="mailto:chip@chipbennett.net">chip@chipbennett.net</a>> wrote:<br>
> Really dumb question, but if you're just talking about the CSS itself (and<br>
> not the <script> wrappers), why can't you just pass it through<br>
> wp_filter_nohtml_kses()?<br>
><br>
><br>
> On Thu, Jan 30, 2014 at 12:36 PM, Otto <<a href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>> wrote:<br>
>><br>
>> On Thu, Jan 30, 2014 at 11:20 AM, Chip Bennett <<a href="mailto:chip@chipbennett.net">chip@chipbennett.net</a>><br>
>> wrote:<br>
>>><br>
>>> It is true that a good custom CSS Plugin will save settings on a<br>
>>> per-Theme basis. But the critical criterion isn't whether a Plugin *can* do<br>
>>> something; rather, it is whether the *something* is functional or<br>
>>> presentational. After all, technically speaking, a Plugin *can* add Theme<br>
>>> support for custom headers and custom backgrounds. Should we force Theme<br>
>>> developers then to use a custom header/background Plugin, simply because one<br>
>>> exists and can accomplish the task?<br>
>>><br>
>>> Custom CSS is presentational, and specific to the Theme. As such, I<br>
>>> believe it falls squarely within the purview of Themes, and if Themes want<br>
>>> to provide a custom CSS Theme option, such an option would be appropriate.<br>
>><br>
>><br>
>><br>
>> Note: Sanitizing CSS is friggin' hard. A mere strip_tags isn't good<br>
>> enough.<br>
>><br>
>> The custom CSS module in Jetpack uses csstidy and a few pre-processors,<br>
>> among other things. But the basic sanitization function would look like<br>
>> this:<br>
>><br>
>> function dumb_css_sanitize( $css ) {<br>
>> $css = str_replace( '<=', '<=', $css );<br>
>> $css = wp_kses_split( $css, array(), array() );<br>
>> $css = str_replace( '>', '>', $css );<br>
>> $css = strip_tags( $css );<br>
>> return $css;<br>
>> }<br>
>><br>
>> I named it dumb_css_sanitize because it's kinda dumb. ;)<br>
>><br>
>> It allows <= patterns through as LT entities, runs kses over the thing to<br>
>> strip tags, converts the > symbols back from what kses did, and then runs<br>
>> strip_tags over it again, just in case. It's fairly safe in that you<br>
>> couldn't close the style tag with content run through it and therefore get<br>
>> your content parsed as html or script code. Probably.<br>
>><br>
>> This is sort of a minimalistic case. Better to use a real parser if you're<br>
>> going to do that sort of thing.<br>
>><br>
>> -Otto<br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> theme-reviewers mailing list<br>
>> <a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
>> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> theme-reviewers mailing list<br>
> <a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Konstantin<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div></div></blockquote></div><br></div>