Make WordPress Core


Timestamp: 09/07/2022 02:38:59 PM (23 months ago)
Author: SergeyBiryukov
Message:

KSES: Allow min(), max(), minmax(), and clamp() values to be used in inline CSS.

Follow-up to [50923].

Props johnregan3, uxl, isabel_brison, andrewserong, ramonopoly, noisysocks, joyously.
See #55966.

File: 1 edited

  • trunk/src/wp-includes/kses.php

    r53034 r54092  
    22292229 * @since 5.7.1 Added support for `object-position`.
    22302230 * @since 5.8.0 Added support for `calc()` and `var()` values.
     2231 * @since 6.1.0 Added support for `min()`, `max()`, `minmax()`, and `clamp()` values.
    22312232 *
    22322233 * @param string $css        A string of CSS rules.
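
Review bot: the new `@since 6.1.0` entry at line 2231 lists only `min()`, `max()`, `minmax()`, and `clamp()`, but the same changeset also widens what is accepted inside `var()` (new line 2475). Please record that here as well, for example by extending the entry to say that `var()` now accepts fallback values, so the docblock reflects every change to what this filter lets through.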
     
    24682469
    24692470        if ( $found ) {
    2470             // Allow CSS calc().
    2471             $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
     2471            // Allow some CSS functions.
     2472            $css_test_string = preg_replace( '/\b(?:calc|min|max|minmax|clamp)\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
     2473
    24722474            // Allow CSS var().
    2473             $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
     2475            $css_test_string = preg_replace( '/\(?var\(--[\w\-\()[\]\,\s]*\)/', '', $css_test_string );
    24742476
    24752477            // Check for any CSS containing \ ( & } = or comments,
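
Review bot: the `var()` pattern on new line 2475 is much broader than the one it replaces, and neither the unchanged `// Allow CSS var().` comment nor the commit message explains why. The class `[\w\-\()[\]\,\s]*` now admits `(`, `)`, `[`, `]`, commas and whitespace, and because `)` is inside a greedy class the match runs to the last `)` in that span, so nested function calls inside `var(--…)` are removed from `$css_test_string` before the check for `\ ( & } =` on the following lines can see them. I would restrict the class to the fallback forms actually intended, update the comment to state them, and add test cases for values that must still be rejected. On line 2472, the nested alternative `\([^()]*\)?` keeps the optional closing parenthesis from the old `calc()` pattern and now applies to four more functions; if unbalanced input is not meant to pass, drop the `?`. The escapes in `\-` and `\,` are unnecessary, and `\(` is escaped while `)` is not, which makes the class harder to read.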