[wp-trac] [WordPress Trac] #64418: Valid CSS is causing failure in the Additional CSS panel

WordPress Trac noreply at wordpress.org
Mon Jan 26 21:41:22 UTC 2026


#64418: Valid CSS is causing failure in the Additional CSS panel
-------------------------------------------------+-------------------------
 Reporter:  drw158                               |       Owner:  jonsurrell
     Type:  defect (bug)                         |      Status:  reopened
 Priority:  normal                               |   Milestone:  7.0
Component:  Customize                            |     Version:  4.7
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests dev-        |     Focuses:  css
  feedback                                       |
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 As I mentioned on the pull request, this introduces a security flaw in
 which users with the `edit_css` capability but without the
 `unfiltered_html` capability can use forbidden protocols in URLs included
 in the custom CSS.

 This can be demonstrated with the plugin:

 {{{#!php
 <?php
 /**
  * Plugin name: Always filter html
  * Description: A plugin that removes the unfiltered_html capability from
  * all users.
  */

 add_filter( 'map_meta_cap', function ( $caps, $cap ) {
         if ( 'unfiltered_html' === $cap ) {
                 $caps[] = 'do_not_allow';
         }
         return $caps;
 }, 10, 2 );
 }}}


 I've uploaded a YouTube video [https://youtu.be/thBuw1B94AQ demonstrating
 the security flaw].

 Steps I took to reproduce the issue:

 1. Create an admin account
 2. Install the plugin above
 3. Activate the 2014 theme
 4. Create a post
 5. Switch to code mode
 6. Enter the code `<span style="background-image: url(bad://example.com);">Bad protocol</span>`
 7. Save the post
 8. The style attribute will be removed by kses
 9. Open the customizer custom CSS editor
 10. Enter the code `#selector {background-image: url(bad://example.com);}`
 11. Click the publish button
 12. Navigate to the front end of the site
 13. View source
 14. Search for `bad:` in the markup
 15. Observe the code has been saved.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64418#comment:56>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
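The check the comment above describes is the one kses applies to `url()` values in a `style` attribute but which, per the report, the Additional CSS panel skips for users who lack `unfiltered_html`. The following is an added example, not WordPress core code and not the reporter's, showing what such a scheme allowlist check looks like in isolation: it scans a block of CSS for `url()` arguments, normalises each one (quotes, percent/entity encoding, embedded whitespace), and reports any whose scheme is not on the allowlist. The allowlist and the sample CSS are constructed for the example; WordPress's real list comes from `wp_allowed_protocols()`, and the function names here are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): flag url() values in custom CSS
 * whose scheme is not on an allowlist. This mirrors the protocol check kses
 * performs on style attributes; the ticket reports that the Additional CSS
 * panel does not apply an equivalent check for users without unfiltered_html.
 */

/**
 * Return the lowercased scheme of a url() argument, or '' when it has none
 * (relative paths, protocol-relative URLs, etc.).
 */
function css_url_scheme( string $url ): string {
    // Strip the optional quotes CSS allows around url() arguments, plus whitespace.
    $url = trim( $url, " \t\n\r\"'" );
    // Undo percent- and entity-encoding so an encoded scheme cannot slip past.
    $url = html_entity_decode( rawurldecode( $url ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    // Browsers ignore whitespace and control characters inside a scheme; so do we.
    $url = preg_replace( '/[\s\x00-\x1f]+/', '', $url );
    if ( ! preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $url, $m ) ) {
        return '';
    }
    return strtolower( $m[1] );
}

/**
 * Return every url() argument in $css whose scheme is absent from $allowed_protocols.
 * Scheme-less (relative) URLs are always accepted.
 */
function find_disallowed_css_urls( string $css, array $allowed_protocols ): array {
    $disallowed = [];
    // Capture the argument of each url( ... ); the /s flag lets it span newlines.
    preg_match_all( '/url\(\s*([^)]*?)\s*\)/is', $css, $matches );
    foreach ( $matches[1] as $raw ) {
        $scheme = css_url_scheme( $raw );
        if ( '' !== $scheme && ! in_array( $scheme, $allowed_protocols, true ) ) {
            $disallowed[] = $raw;
        }
    }
    return $disallowed;
}

// Constructed allowlist for the example (WordPress uses wp_allowed_protocols()).
$allowed = [ 'http', 'https' ];

// Constructed sample input: the ticket's reproduction rule plus two benign rules.
$css = "#selector {background-image: url(bad://example.com);}\n"
     . ".ok {background-image: url('https://example.com/a.png');}\n"
     . ".rel {background: url(/images/b.png);}";

foreach ( find_disallowed_css_urls( $css, $allowed ) as $url ) {
    echo 'Disallowed protocol in custom CSS: ', $url, PHP_EOL;
}
```

A sanitiser built on this would reject or strip the offending declaration before the CSS is saved, so that the `edit_css` capability cannot be used to publish a URL scheme that kses would have removed from post content.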

