fix sanitization for style-engine declarations #42968
Conversation
| if ( | ||
| 0 === strpos( $property, '--' ) || // Account for CSS variables. | ||
| ( 'display' === $property && 'none' !== $value ) || // Account for "display" when the value is not "none". | ||
| 0 === strpos( $value, 'min(' ) || // Account for min() values. | ||
| 0 === strpos( $value, 'max(' ) || // Account for max() values. | ||
| 0 === strpos( $value, 'clamp(' ) // Account for clamp() values. | ||
| ) { | ||
| $declarations_output .= "{$indent}{$property}:{$spacer}{$value};$suffix"; | ||
| continue; | ||
| } | ||
| $filtered_declaration = safecss_filter_attr( "{$property}:{$spacer}{$value};" ); |
There was a problem hiding this comment.
Maybe we can use safecss_filter_attr_allow_css filter and regex from 55966. Then we can remove the compat function after the core patch is merged.
There was a problem hiding this comment.
Oh, that's a good point. Ideally we'd be deferring as much as possible to safecss_filter_attr rather than adding too much extra handling in the style engine directly.
I've opened up a potential alternative PR in #43004 to play with this idea.
|
Thanks for picking this one up @aristath and digging in! I think @Mamaduka raises a good point about seeing if we can use the proposed update in core filtering to hopefully sidetrack having to include too much logic directly in the style engine for the additional CSS functions. I've had a go at this in #43004 as a potential alternative. |
|
no longer needed after #43004 was merged, closing. |
What?
Fixes #42948
This PR is a partial from #42893, specifically the part of that PR regarding the sanitization of CSS delcarations in the style engine.
Why?
Some things need to bypass the
safecss_filter_attrcall, and the sanitization of values is further improved here.