[wp-trac] [WordPress Trac] #55966: safecss_filter_attr() returns empty if containing min()
WordPress Trac
noreply at wordpress.org
Wed Sep 7 23:35:46 UTC 2022
#55966: safecss_filter_attr() returns empty if containing min()
--------------------------------------------+-----------------------------
Reporter: uxl | Owner: SergeyBiryukov
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 6.1
Component: Formatting | Version: 6.0
Severity: major | Resolution:
Keywords: has-patch early has-unit-tests | Focuses: css
--------------------------------------------+-----------------------------
Comment (by noisysocks):
I opened a PR containing [attachment:"55966.3.diff"] and
[attachment:"55966.4.diff"] so that we can more easily review the code and
have CI run against the changes.
https://github.com/WordPress/wordpress-develop/pull/3212
@peterwilsoncc flagged to me yesterday some additional failing tests that
he'd like to include, so I'll work with him on including those and
committing this today.
To be honest I don't really like how `safecss_filter_attr` works. Denying
all CSS that contains `\`, `(`, `&`, `}`, `=`, and `/*` seems too
restrictive and is forcing us to constantly add exceptions for new CSS
functions like `var()` and `min()`. I’d like to change how that function
works but need to consult more with @peterwilsoncc and @azaozz to work out
what the actual security concerns are with inline CSS. (`evaluate()` comes
to mind.) But I'll create a new ticket for this discussion as right now we
just have to get `min`, `max`, etc. working so that the Gutenberg team is
unblocked.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55966#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
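As an added illustration (not WordPress core's `safecss_filter_attr()` and not code from the attached patches), a constructed PHP check that takes the allowlist approach the comment contrasts with: a fixed set of permitted CSS functions, nesting allowed (e.g. `min(calc(100% - 1rem), 50vw)`), with the characters the comment lists rejected everywhere else. The function name, the allowlist contents and the sample values are assumptions.

```php
<?php
/**
 * Illustrative allowlist check for a single CSS declaration value.
 * Constructed example, not WordPress core's implementation: every '('
 * must directly follow an allowlisted function name, parentheses must
 * balance, and the characters the ticket comment names are rejected.
 */
function css_value_is_safe( string $value ): bool {
    // Hypothetical allowlist; a project would tune this to its policy.
    static $allowed_functions = array( 'min', 'max', 'clamp', 'calc', 'var' );

    // Reject backslash, '&', '}', '=' and '/*' anywhere in the value.
    if ( preg_match( '/[\\\\&}=]|\/\*/', $value ) ) {
        return false;
    }

    $depth = 0;
    $len   = strlen( $value );
    for ( $i = 0; $i < $len; $i++ ) {
        $ch = $value[ $i ];
        if ( '(' === $ch ) {
            // The identifier immediately before '(' must be allowlisted,
            // so url(), expression() or any unknown function is refused.
            if ( ! preg_match( '/([a-zA-Z-]+)$/', substr( $value, 0, $i ), $m )
                || ! in_array( strtolower( $m[1] ), $allowed_functions, true ) ) {
                return false;
            }
            $depth++;
        } elseif ( ')' === $ch ) {
            if ( --$depth < 0 ) {
                return false; // closing paren without an opening one
            }
        }
    }
    return 0 === $depth; // unclosed function call is also rejected
}

// Constructed sample values: nested allowlisted functions, a custom
// property, a non-allowlisted function and an unbalanced call.
$samples = array(
    'min(calc(100% - 1rem), 50vw)',
    'var(--wp--preset--color--primary)',
    'url(data:text/html,x)',
    'max(1px, 2px',
);
foreach ( $samples as $sample ) {
    printf( "%-40s %s\n", $sample, css_value_is_safe( $sample ) ? 'allowed' : 'rejected' );
}
```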