[wp-meta] [Making WordPress.org] #4108: Update CSS sanitization safelist to support variables

Making WordPress.org noreply at wordpress.org
Mon Jan 28 18:30:28 UTC 2019

#4108: Update CSS sanitization safelist to support variables
 Reporter:  iandunn               |      Owner:  (none)
     Type:  enhancement           |     Status:  new
 Priority:  high                  |  Milestone:
Component:  WordCamp Site &       |   Keywords:  needs-patch good-first-bug
  Plugins                         |
 Most browsers support CSS variables now, but they're stripped out by the
 Jetpack validation process, or the Remote CSS sanitization process.


 Either way, it's probably just because the syntax is new, and the safelist
 needs to be updated to support it.

 1. Determine which code needs to be updated (Jetpack's Custom CSS module,
 WordCamp.org's `mu-plugins/jetpack-tweaks/css-sanitization.php`, or both)
 1. If Jetpack, open an issue on their GitHub and add a link to this report
 1. If Remote CSS, add unit tests, and create patch to make them pass. If
 there are any ways to inject JavaScript, expressions, etc through the new
 syntax, then tests should be written for that as well. If the problem
 turns out to be in `sanitize_urls_in_css_properties()`, let me know before
 writing a patch since I have some notes about a potential bug there.

Ticket URL: <https://meta.trac.wordpress.org/ticket/4108>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list