[wp-trac] [WordPress Trac] #64418: Valid CSS is causing failure in the Additional CSS panel

WordPress Trac noreply at wordpress.org
Tue Dec 23 21:23:23 UTC 2025


#64418: Valid CSS is causing failure in the Additional CSS panel
--------------------------+-------------------------
 Reporter:  drw158        |       Owner:  jonsurrell
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  7.0
Component:  Customize     |     Version:  4.7
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  css
--------------------------+-------------------------

Comment (by jonsurrell):

 Those KSES filters that target global styles specifically
 [https://github.com/WordPress/wordpress-develop/blob/3d9fde3265bd0cbc1b0967c0c0613ebf6ea20ced/src/wp-includes/class-wp-theme-json.php#L3542-L3547 run more "sanitization" based on the edit_css cap.]

 [https://github.com/WordPress/wordpress-develop/blob/3d9fde3265bd0cbc1b0967c0c0613ebf6ea20ced/src/wp-includes/capabilities.php#L594-L604 There's a mapping from `edit_css` to `unfiltered_html`,] I think those are analogous.

 So for users with `unfiltered_html` (aka `edit_css`), CSS is allowed and
 is not sanitized. The `unfiltered_html` capability these users have also
 bypasses the HTML stripping behavior of KSES.

 But for other users without these capabilities,
 [https://github.com/WordPress/wordpress-develop/blob/3d9fde3265bd0cbc1b0967c0c0613ebf6ea20ced/src/wp-includes/kses.php#L2638 safecss_filter_attr] is running as part of the
 global styles kses filters, then the regular kses post content filters for
 HTML are running like they do for any user without `unfiltered_html`. The
 actual CSS is filtered, then it's embedded in JSON, and the entire JSON
 string is then filtered as if it were HTML.

 I am a bit confused about a multisite test failing with this result; I'm
 having a hard time reproducing it on a single site. It seems to suggest
 that the content is being HTML-filtered by KSES for a user with the
 `unfiltered_html` capability:

 {{{#!diff
  '@property --animate {
 -       syntax: "<custom-ident>";
 +       syntax: "";
         inherits: true;
         initial-value: false;
  }'
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64418#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
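To make the filtering order described in the comment concrete, here is an added Python model (not WordPress code and not part of the ticket): the custom CSS is embedded in the global-styles JSON and the whole JSON string is run through a stand-in for KSES tag stripping, which reproduces the `syntax: "";` result from the failing test. The `TAG_RE` stand-in and the `has_unfiltered_html` flag are assumptions; the CSS-level `safecss_filter_attr` step is deliberately not modelled.

```python
import json
import re

# Constructed sample input: the @property rule from the failing test in
# this ticket, as a user would type it into the Additional CSS panel.
CUSTOM_CSS = (
    "@property --animate {\n"
    '\tsyntax: "<custom-ident>";\n'
    "\tinherits: true;\n"
    "\tinitial-value: false;\n"
    "}"
)

# Assumption: a stand-in for the stripping KSES applies to disallowed tags.
# This is not WordPress code; it only models "anything that looks like an
# HTML tag is dropped", which is enough to show the failure mode.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_like_kses(text: str) -> str:
    return TAG_RE.sub("", text)


def angle_tokens(css: str) -> list[str]:
    """CSS fragments an HTML tag filter would mistake for tags.

    Useful as a pre-check: any hit here is CSS that the JSON-as-HTML
    filtering path will mangle for a user without unfiltered_html.
    """
    return TAG_RE.findall(css)


def filter_custom_css(css: str, has_unfiltered_html: bool) -> str:
    """Model of the two paths described in the comment.

    unfiltered_html (aka edit_css): the CSS is stored verbatim.
    Otherwise: the CSS is embedded in the global-styles JSON and the
    entire JSON string is filtered as if it were HTML, then decoded.
    """
    if has_unfiltered_html:
        return css
    json_doc = json.dumps({"styles": {"css": css}})
    filtered_doc = strip_tags_like_kses(json_doc)
    return json.loads(filtered_doc)["styles"]["css"]


if __name__ == "__main__":
    print(angle_tokens(CUSTOM_CSS))  # ['<custom-ident>']
    print(filter_custom_css(CUSTOM_CSS, has_unfiltered_html=False))
```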