Update CSS sanitization safelist to support variables #574
Labels
[Component] Jetpack
Customizations to Jetpack
[Component] Themes & Customization
Custom WC Themes, compatibility with core themes, and theme-adjacent customizations to sites
Migrated from Trac
Comments
|
Comment by slackbot: This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs. |
|
Comment by slackbot: This ticket was mentioned in Slack in #meta-wordcamp by ryelle. View the logs. |
ghost
added
Migrated from Trac
[Type] Good First Issue
|
Possible Jetpack fix: Automattic/jetpack#20129 |
ryelle
added
[Component] Jetpack
|
The Jetpack issue says the problem was fixed, so this is worth looking into again. |
|
It doesn't look like that fixed it, so I think we need to track Automattic/jetpack#19669. |
iandunn
added a commit
that referenced
this issue
Dec 2, 2022
When support for custom properties is added (by us or upstream in Jetpack), we need to make sure that the values are still subject to sanitization. At that time we'll probably need to change the expected value to something like `--foo: ;`, but having some kind of test in place now will at least make it obvious if the JS makes it into the sanitized output. See #574
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Imported from https://meta.trac.wordpress.org/ticket/4108
Created by @iandunn:
Most browsers support CSS variables now, but they're stripped out by the Jetpack validation process, or the Remote CSS sanitization process.
https://wordpress.slack.com/archives/C08M59V3P/p1548543160179600
Either way, it's probably just because the syntax is new, and the safelist needs to be updated to support it.
mu-plugins/jetpack-tweaks/css-sanitization.php, or both)sanitize_urls_in_css_properties(), let me know before writing a patch since I have some notes about a potential bug there.The text was updated successfully, but these errors were encountered: