[wp-meta] [Making WordPress.org] #4108: Update CSS sanitization safelist to support variables
Making WordPress.org
noreply at wordpress.org
Mon Jan 28 18:30:28 UTC 2019
----------------------------------+----------------------------------------
Reporter: iandunn | Owner: (none)
Type: enhancement | Status: new
Priority: high | Milestone:
Component: WordCamp Site & Plugins | Keywords: needs-patch good-first-bug
----------------------------------+----------------------------------------

Most browsers support CSS variables now, but they're stripped out by the
Jetpack validation process, or the Remote CSS sanitization process.

https://wordpress.slack.com/archives/C08M59V3P/p1548543160179600

Either way, it's probably just because the syntax is new, and the safelist
needs to be updated to support it.

1. Determine which code needs to be updated (Jetpack's Custom CSS module,
   WordCamp.org's `mu-plugins/jetpack-tweaks/css-sanitization.php`, or both)
2. If Jetpack, open an issue on their GitHub and add a link to this report
3. If Remote CSS, add unit tests, and create a patch to make them pass. If
   there are any ways to inject JavaScript, expressions, etc. through the new
   syntax, then tests should be written for that as well. If the problem
   turns out to be in `sanitize_urls_in_css_properties()`, let me know before
   writing a patch since I have some notes about a potential bug there.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/4108>
Making WordPress.org <https://meta.trac.wordpress.org/>
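
An added example, not part of the original ticket and not WordCamp.org or Jetpack code: one shape the tests asked for in the third step could take, pairing a conservative safelist check for custom-property declarations with constructed cases that must be kept and cases that must be stripped. The function name, the allowed-function list, and every test value are assumptions made for illustration.

```php
<?php
// Added illustration. Names and lists here are hypothetical, not WordCamp.org or Jetpack code.
const SAFE_CSS_FUNCTIONS = array( 'var', 'calc', 'rgb', 'rgba', 'hsl', 'hsla' );
function is_safe_custom_property( string $property, string $value ): bool {
	// Property name: "--" plus a conservative identifier.
	if ( ! preg_match( '/^--[A-Za-z_][A-Za-z0-9_-]*$/', $property ) ) {
		return false;
	}
	$value = strtolower( trim( $value ) );
	// Character safelist: no quotes, colons, semicolons, braces, angle brackets or backslashes (CSS escapes).
	if ( ! preg_match( '/^[a-z0-9\s#%.,()+*\/_-]+$/', $value ) ) {
		return false;
	}
	// A comment can split a token ("exp/**/ression"), so refuse comments outright.
	if ( false !== strpos( $value, '/*' ) ) {
		return false;
	}
	// Every function call in the value must be on the safelist.
	preg_match_all( '/([a-z_-][a-z0-9_-]*)\s*\(/', $value, $matches );
	if ( array_diff( $matches[1], SAFE_CSS_FUNCTIONS ) ) {
		return false;
	}
	// Unbalanced parentheses could swallow the declarations that follow.
	$depth = 0;
	foreach ( str_split( $value ) as $char ) {
		$depth += ( '(' === $char ? 1 : 0 ) - ( ')' === $char ? 1 : 0 );
		if ( $depth < 0 ) {
			return false;
		}
	}
	return 0 === $depth;
}

// Constructed test cases: property, value, whether the declaration should be kept.
$cases = array(
	array( '--main-color', '#0073aa', true ),
	array( '--gap', 'calc(var(--base-gap) * 2)', true ),
	array( '--accent', 'var(--main-color, rgb(0, 115, 170))', true ),
	array( '--x', 'expression(alert(1))', false ),        // function not on the safelist
	array( '--x', 'url(javascript:alert(1))', false ),    // colon is outside the character safelist
	array( '--x', '\65 xpression(1)', false ),            // CSS escape hiding a function name
	array( '--x', 'exp/**/ression(1)', false ),           // comment splitting a token
	array( '--x', 'red; } body { display: none', false ), // attempt to close the declaration
	array( 'color', 'red', false ),                       // not a custom property
	array( '--x', 'calc(1px', false ),                    // unbalanced parenthesis
);
foreach ( $cases as list( $property, $value, $expected ) ) {
	printf( "%s %s: %s\n", is_safe_custom_property( $property, $value ) === $expected ? 'ok  ' : 'FAIL', $property, $value );
}
```

The check is deliberately narrower than the CSS grammar for custom properties: it refuses anything it does not recognise, which is the behaviour a safelist-based sanitizer needs when new syntax is added.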