Make WordPress Core


Timestamp:
09/08/2022 01:24:10 PM (2 years ago)
Author:
SergeyBiryukov
Message:

KSES: Allow min(), max(), minmax(), and clamp() values to be used in inline CSS.

Additionally, this commit updates safecss_filter_attr() to add support for nested var() functions, so that a fallback value can be another CSS variable.

Follow-up to [50923].

Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes #55966.

File:
1 edited

  • trunk/src/wp-includes/kses.php

    r54093 r54100  
    22292229 * @since 5.7.1 Added support for `object-position`.
    22302230 * @since 5.8.0 Added support for `calc()` and `var()` values.
     2231 * @since 6.1.0 Added support for `min()`, `max()`, `minmax()`, `clamp()`,
     2232 *              and nested `var()` values.
    22312233 *
    22322234 * @param string $css        A string of CSS rules.
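Review bot: the new @since text at 2231-2232 describes the change as adding "nested `var()` values", which understates what the accompanying regex in safecss_filter_attr() now accepts: any balanced nesting of all the listed functions (for example min() or calc() inside clamp()) is stripped from the test string, not only var() inside var(). Suggest wording it as "and nested function values" (or listing the functions) so the docblock matches the behaviour the pattern actually implements.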
     
    24682470
    24692471        if ( $found ) {
    2470             // Allow CSS calc().
    2471             $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
    2472             // Allow CSS var().
    2473             $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
    2474 
    2475             // Check for any CSS containing \ ( & } = or comments,
    2476             // except for url(), calc(), or var() usage checked above.
     2472            /*
     2473             * Allow CSS functions like var(), calc(), etc. by removing them from the test string.
     2474             * Nested functions and parentheses are also removed, so long as the parentheses are balanced.
     2475             */
     2476            $css_test_string = preg_replace(
     2477                '/\b(?:var|calc|min|max|minmax|clamp)(\((?:[^()]|(?1))*\))/',
     2478                '',
     2479                $css_test_string
     2480            );
     2481
     2482            /*
     2483             * Disallow CSS containing \ ( & } = or comments, except for within url(), var(), calc(), etc.
     2484             * which were removed from the test string above.
     2485             */
    24772486            $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
    24782487
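Review bot: the replacement pattern at 2476-2480 does not inspect what it removes: `(\((?:[^()]|(?1))*\))` accepts any characters inside the balanced parentheses, whereas the deleted var() pattern at 2473 constrained the argument to `--[a-zA-Z0-9_-]*`. Because the stripped text is gone before the check at 2486 runs, the characters that check is meant to catch (`\ ( & } =` and `/*`) are no longer screened when they appear inside a var(), calc(), min(), max(), minmax() or clamp() argument, including var() fallback values. Consider either keeping a restricted character class for the function body or running `preg_match( '%[\\\(&=}]|/\*%', ... )` against the captured group before removing it, so the function wrapper only relaxes the parentheses rule and not the other disallowed characters. Two smaller points: the pattern has no `i` modifier, so upper-case spellings such as `CALC(` (valid, since CSS function names are case-insensitive) are not stripped and get rejected by the `(` check, which fails safe but deserves a comment; and `\b` before the alternation also matches a name that merely ends in one of these words, e.g. `foo-min(`, because `-` is a word boundary.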