[wp-trac] [WordPress Trac] #35395: Provide a better gateway for code-based theme customizations with the Customizer

WordPress Trac noreply at wordpress.org
Thu Jan 21 02:36:47 UTC 2016


#35395: Provide a better gateway for code-based theme customizations with the
Customizer
--------------------------------------+------------------
 Reporter:  celloexpressions          |       Owner:
     Type:  feature request           |      Status:  new
 Priority:  normal                    |   Milestone:  4.5
Component:  Customize                 |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  needs-patch dev-feedback  |     Focuses:
--------------------------------------+------------------
Changes (by celloexpressions):

 * keywords:  needs-patch => needs-patch dev-feedback


Comment:

 Digging through the history of the sanitization issue with Twenty Fifteen,
 looks like the primary conversation is here:
 https://wordpress.slack.com/archives/core-themes/p1418320601000063.

 Parsing that out, I think the best option is to add a `sanitize_css`
 function to core. If CSS is in fact as insecure as past discussions make
 it seem, this is a critical need/security hole in the countless themes and
 plugins that store unsanitized CSS in the database. If the people that
 were unaware of the security issues with this type of thing in the above-
 linked conversation were not familiar with it, I highly doubt that the
 majority of theme and plugin developers are. As a theme/plugin developer,
 doing no sanitization seems like the best/easiest option, but if core had
 `sanitize_css`, it would be easy to implement in those situations.

 The rest of that discussion centered around an alternative solution for
 Twenty Fifteen, since it didn't really need to store its information as
 CSS. That's not the case here. Other than CSSTidy, I haven't found any
 specifics on what we would need to do for `sanitize_css`. However,
 breaking CSS into an array and then back out seems to be part of the
 process?

 We need direction on what exactly we need to do in a `sanitize_css`
 function, or if we should try something else, likely from @nacin and/or
 @ocean90. @mikeschroder also suggested a make/core post for additional
 discussion on this subject; once we can get an idea of what will be needed
 in terms of sanitization, we can bring these decisions and the proposed
 feature as a whole up for broader discussion there.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35395#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
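The comment above asks what a core `sanitize_css` would have to do and guesses that "breaking CSS into an array and then back out" is part of it. The following is an added illustration of that approach, written for this archive page; it is not WordPress core code and not a patch from the ticket. It parses a flat stylesheet into an array of rules, keeps only declarations whose property is on an allowlist and whose value contains nothing but plain tokens, and serialises the array back to CSS. The property allowlist, the blocked-value patterns and the sample input are assumptions chosen for the example; at-rule statements such as `@import` are stripped, and `@media` wrappers are not preserved (their inner rules come out at the top level).

```php
<?php
/**
 * Added example, not WordPress core code: a minimal allowlist-based
 * sanitize_css(). The allowlist and patterns below are assumptions for
 * the example, not a core specification.
 */
function sanitize_css( string $css ): string {
	// Properties a theme option is expected to set. Anything else is dropped,
	// so widening the attack surface needs an explicit decision to add it here.
	$allowed_properties = array(
		'color', 'background-color', 'font-family', 'font-size', 'font-weight',
		'line-height', 'text-align', 'margin', 'padding', 'border', 'display',
	);

	// Value fragments that have executed script or loaded arbitrary resources
	// in some browsers (legacy IE expression(), Gecko -moz-binding, url()).
	// None of the allowed properties legitimately needs them, so a declaration
	// containing one is discarded whole rather than patched.
	$blocked_values = array(
		'/expression\s*\(/i',
		'/-moz-binding/i',
		'/url\s*\(/i',
	);

	// Positive allowlist for value characters: keywords, numbers, units,
	// colours, quoted font names. No backslash escapes, markup or at-signs.
	$value_charset = '/^[\w\s#%.,()\'"\/!-]+$/';

	// Strip comments and at-rule statements (@import, @charset, ...) first.
	$css = preg_replace( '#/\*.*?\*/#s', '', $css );
	$css = preg_replace( '/@[^;{}]*;/', '', $css );

	$rules = array();
	if ( preg_match_all( '/([^{}]+)\{([^{}]*)\}/', $css, $matches, PREG_SET_ORDER ) ) {
		foreach ( $matches as $match ) {
			$selector = trim( $match[1] );
			// Selectors: element names, classes, ids, combinators, attribute
			// and pseudo selectors. Anything with markup or a slash is dropped.
			if ( '' === $selector || ! preg_match( '/^[\w\s.#:,>+~*\[\]="\'()-]+$/', $selector ) ) {
				continue;
			}

			$declarations = array();
			foreach ( explode( ';', $match[2] ) as $declaration ) {
				$parts = explode( ':', $declaration, 2 );
				if ( 2 !== count( $parts ) ) {
					continue;
				}
				$property = strtolower( trim( $parts[0] ) );
				$value    = trim( $parts[1] );
				if ( ! in_array( $property, $allowed_properties, true ) || '' === $value ) {
					continue;
				}
				if ( ! preg_match( $value_charset, $value ) ) {
					continue;
				}
				foreach ( $blocked_values as $pattern ) {
					if ( preg_match( $pattern, $value ) ) {
						continue 2; // skip this declaration entirely
					}
				}
				$declarations[ $property ] = $value;
			}

			if ( $declarations ) {
				$rules[ $selector ] = isset( $rules[ $selector ] )
					? array_merge( $rules[ $selector ], $declarations )
					: $declarations;
			}
		}
	}

	// Serialise the array back out, one rule per block.
	$out = '';
	foreach ( $rules as $selector => $declarations ) {
		$out .= $selector . " {\n";
		foreach ( $declarations as $property => $value ) {
			$out .= "\t" . $property . ': ' . $value . ";\n";
		}
		$out .= "}\n";
	}
	return $out;
}

// Constructed sample input: ordinary theme CSS mixed with the kinds of
// declarations a sanitizer must not pass through.
$input = <<<'CSS'
@import url("https://example.invalid/extra.css");
/* site colours */
body { color: #333; background-color: #fff; }
.site-title a { color: red; width: expression(alert(1)); }
.widget { background-image: url("javascript:alert(1)"); padding: 1em 2em; }
</style><script>alert(1)</script>
CSS;

echo sanitize_css( $input );
```

Run with `php sanitize_css.php`: the three rules survive with only `color`, `background-color` and `padding` declarations, while the `@import`, the `expression()` and `url()` values and the trailing markup are all discarded. The point for the ticket is that an array round-trip makes the policy explicit and auditable: every property that reaches the output is one somebody chose to allow, which is the property a theme or plugin author cannot get by storing the raw string.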
